Edit tour

Windows Analysis Report
bUBD.exe

Overview

General Information

Sample name:	bUBD.exe
Analysis ID:	1427599
MD5:	b0eb1186dec29582d7c86d211e2addf8
SHA1:	f8edefa10e35a0434bcb56ba45fcc265b4da6c52
SHA256:	d88a3e728153a059a398e01b451767e0fccf2eba9dcfeb6a5fe014363984a1c0
Tags:	exenjRat
Infos:

Detection

Njrat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected Njrat

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes (.Net Source)

Machine Learning detection for sample

Self deletion via cmd or bat file

Uses dynamic DNS services

Allocates memory with a write watch (potentially for evading sandboxes)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Classification

Process Tree

System is w10x64

bUBD.exe (PID: 6840 cmdline: "C:\Users\user\Desktop\bUBD.exe" MD5: B0EB1186DEC29582D7C86D211E2ADDF8)

cmd.exe (PID: 4088 cmdline: cmd.exe /C Y /N /D Y /T 1 & Del "C:\Users\user\Desktop\bUBD.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
NjRAT	RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.	AQUATIC PANDA Earth Lusca Operation C-Major The Gorgon Group	http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/ http://blogs.360.cn/post/analysis-of-apt-c-37.html http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/ https://asec.ahnlab.com/1369	https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Malware Configuration

Threatname: Njrat

{"Host": "patria.duckdns.org", "Port": "1994", "Campaign ID": "NYAN CAT", "Network Seprator": "@!#&^%$", "Registry": "03bf0f5789"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
bUBD.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1620359262.0000000000042000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: bUBD.exe PID: 6840	JoeSecurity_Njrat	Yara detected Njrat	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.bUBD.exe.40000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.4 - Destination IP: 46.246.14.22

Timestamp:	04/17/24-21:10:33.620833
SID:	2825564
Source Port:	49738
Destination Port:	1994
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) - Source IP: 192.168.2.4 - Destination IP: 46.246.14.22

Timestamp:	04/17/24-21:09:03.882073
SID:	2825563
Source Port:	49730
Destination Port:	1994
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 46.246.14.22

Timestamp:	04/17/24-21:10:24.166032
SID:	2033132
Source Port:	49738
Destination Port:	1994
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.4 - Destination IP: 46.246.14.22

Timestamp:	04/17/24-21:10:19.272986
SID:	2825564
Source Port:	49730
Destination Port:	1994
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 46.246.14.22

Timestamp:	04/17/24-21:09:03.399283
SID:	2033132
Source Port:	49730
Destination Port:	1994
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: bUBD.exe

Avira: detected

Found malware configuration

Source: 00000000.00000000.1620359262.0000000000042000.00000002.00000001.01000000.00000003.sdmp

Malware Configuration Extractor: Njrat {"Host": "patria.duckdns.org", "Port": "1994", "Campaign ID": "NYAN CAT", "Network Seprator": "@!#&^%$", "Registry": "03bf0f5789"}

Multi AV Scanner detection for submitted file

Source: bUBD.exe

ReversingLabs: Detection: 94%

Yara detected Njrat

Source: Yara match	File source: bUBD.exe, type: SAMPLE
Source: Yara match	File source: 0.0.bUBD.exe.40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1620359262.0000000000042000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bUBD.exe PID: 6840, type: MEMORYSTR

Machine Learning detection for sample

Source: bUBD.exe

Joe Sandbox ML: detected

Source: bUBD.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\bUBD.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: bUBD.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49730 -> 46.246.14.22:1994
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49730 -> 46.246.14.22:1994
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49730 -> 46.246.14.22:1994
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49738 -> 46.246.14.22:1994
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49738 -> 46.246.14.22:1994

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: patria.duckdns.org

Uses dynamic DNS services

Source: unknown

DNS query: name: patria.duckdns.org

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 46.246.14.22:1994

Source: Joe Sandbox View

ASN Name: PORTLANEwwwportlanecomSE PORTLANEwwwportlanecomSE

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: patria.duckdns.org

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: bUBD.exe, Keylogger.cs

.Net Code: VKCodeToUnicode

E-Banking Fraud

Yara detected Njrat

Source: Yara match	File source: bUBD.exe, type: SAMPLE
Source: Yara match	File source: 0.0.bUBD.exe.40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1620359262.0000000000042000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bUBD.exe PID: 6840, type: MEMORYSTR

Source: C:\Users\user\Desktop\bUBD.exe

Code function: 0_2_00B519F0

0_2_00B519F0

Source: bUBD.exe, 00000000.00000000.1620592432.0000000000048000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameClientNUEVO.exe4 vs bUBD.exe
Source: bUBD.exe, 00000000.00000002.2665446665.000000000052E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs bUBD.exe
Source: bUBD.exe	Binary or memory string: OriginalFilenameClientNUEVO.exe4 vs bUBD.exe

Source: bUBD.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/1@2/1

Source: C:\Users\user\Desktop\bUBD.exe	Code function: 0_2_049E22AA AdjustTokenPrivileges,		0_2_049E22AA
Source: C:\Users\user\Desktop\bUBD.exe	Code function: 0_2_049E2273 AdjustTokenPrivileges,		0_2_049E2273

Source: C:\Users\user\Desktop\bUBD.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\bUBD.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\bUBD.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\bUBD.exe	Mutant created: \Sessions\1\BaseNamedObjects\03bf0f5789
Source: C:\Users\user\Desktop\bUBD.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5216:120:WilError_03

Source: bUBD.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: bUBD.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Source: C:\Users\user\Desktop\bUBD.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: bUBD.exe

ReversingLabs: Detection: 94%

Source: unknown	Process created: C:\Users\user\Desktop\bUBD.exe "C:\Users\user\Desktop\bUBD.exe"
Source: C:\Users\user\Desktop\bUBD.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C Y /N /D Y /T 1 & Del "C:\Users\user\Desktop\bUBD.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\bUBD.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C Y /N /D Y /T 1 & Del "C:\Users\user\Desktop\bUBD.exe"	Jump to behavior

Source: C:\Users\user\Desktop\bUBD.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Users\user\Desktop\bUBD.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\bUBD.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: bUBD.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\bUBD.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: bUBD.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: bUBD.exe, Program.cs

.Net Code: Plugin System.Reflection.Assembly.Load(byte[])

Hooking and other Techniques for Hiding and Protection

Self deletion via cmd or bat file

Source: C:\Users\user\Desktop\bUBD.exe	Process created: cmd.exe /C Y /N /D Y /T 1 & Del "C:\Users\user\Desktop\bUBD.exe"
Source: C:\Users\user\Desktop\bUBD.exe	Process created: cmd.exe /C Y /N /D Y /T 1 & Del "C:\Users\user\Desktop\bUBD.exe"			Jump to behavior

Source: C:\Users\user\Desktop\bUBD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\bUBD.exe	Memory allocated: 9D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Memory allocated: 26C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Memory allocated: 46C0000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\bUBD.exe	Window / User API: threadDelayed 674	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Window / User API: threadDelayed 3698	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Window / User API: threadDelayed 5095	Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Window / User API: foregroundWindowGot 1755	Jump to behavior

Source: C:\Users\user\Desktop\bUBD.exe TID: 6856	Thread sleep time: -674000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe TID: 6856	Thread sleep time: -5095000s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: bUBD.exe, 00000000.00000002.2665446665.0000000000592000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW </providers>
Source: bUBD.exe, 00000000.00000002.2665446665.0000000000592000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll>

Source: C:\Users\user\Desktop\bUBD.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\bUBD.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: bUBD.exe, Program.cs	Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, cbName, ref lpszVer, 100)
Source: bUBD.exe, Keylogger.cs	Reference to suspicious API methods: MapVirtualKey(a, 0u)
Source: bUBD.exe, Keylogger.cs	Reference to suspicious API methods: GetAsyncKeyState(num2)

Source: bUBD.exe, 00000000.00000002.2666345093.0000000002887000.00000004.00000800.00020000.00000000.sdmp, bUBD.exe, 00000000.00000002.2666345093.0000000002ABB000.00000004.00000800.00020000.00000000.sdmp, bUBD.exe, 00000000.00000002.2666345093.000000000275F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: bUBD.exe, 00000000.00000002.2666345093.0000000002887000.00000004.00000800.00020000.00000000.sdmp, bUBD.exe, 00000000.00000002.2666345093.0000000002ABB000.00000004.00000800.00020000.00000000.sdmp, bUBD.exe, 00000000.00000002.2666345093.000000000275F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@9

Source: C:\Users\user\Desktop\bUBD.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\bUBD.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\bUBD.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Njrat

Source: Yara match	File source: bUBD.exe, type: SAMPLE
Source: Yara match	File source: 0.0.bUBD.exe.40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1620359262.0000000000042000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bUBD.exe PID: 6840, type: MEMORYSTR

Remote Access Functionality

Yara detected Njrat

Source: Yara match	File source: bUBD.exe, type: SAMPLE
Source: Yara match	File source: 0.0.bUBD.exe.40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1620359262.0000000000042000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bUBD.exe PID: 6840, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	1 Input Capture	1 Security Software Discovery	Remote Services	1 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	2 Process Injection	2 Virtualization/Sandbox Evasion	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Disable or Modify Tools	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Access Token Manipulation	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	21 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Process Injection	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
bUBD.exe	95%	ReversingLabs	ByteCode-MSIL.Backdoor.Bladabhindi
bUBD.exe	100%	Avira	TR/Dropper.Gen7
bUBD.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
patria.duckdns.org	46.246.14.22	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
patria.duckdns.org	true		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
46.246.14.22	patria.duckdns.org	Sweden		42708	PORTLANEwwwportlanecomSE	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1427599
Start date and time:	2024-04-17 21:08:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	bUBD.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/1@2/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 94 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: bUBD.exe

Simulations

Behavior and APIs

Time	Type	Description
21:09:32	API Interceptor	189416x Sleep call for process: bUBD.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
46.246.14.22	bOTj.exe	Get hash	malicious	Njrat	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
patria.duckdns.org	x5gJuYmvL7m2.exe	Get hash	malicious	Njrat	Browse	46.246.82.18
	bTFU.exe	Get hash	malicious	Njrat	Browse	46.246.14.2
	bTDk.exe	Get hash	malicious	Njrat	Browse	46.246.80.3
	bT6H.exe	Get hash	malicious	Njrat	Browse	46.246.12.4
	bT6q.exe	Get hash	malicious	Njrat	Browse	46.246.12.14
	bT5A.exe	Get hash	malicious	Njrat	Browse	46.246.80.9
	bT57.exe	Get hash	malicious	Njrat	Browse	46.246.80.9
	bT5b.exe	Get hash	malicious	Njrat	Browse	46.246.80.9
	bT3v.exe	Get hash	malicious	Njrat	Browse	46.246.84.15
	bT2W.exe	Get hash	malicious	Njrat	Browse	46.246.84.15

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PORTLANEwwwportlanecomSE	xutnF2gKGTTy.exe	Get hash	malicious	AsyncRAT	Browse	46.246.4.3
	8ubQTzsAqG.exe	Get hash	malicious	Unknown	Browse	185.117.88.39
	8ubQTzsAqG.exe	Get hash	malicious	Unknown	Browse	185.117.88.39
	ODOCVzwXq5.elf	Get hash	malicious	Mirai	Browse	195.190.218.30
	bSRh.exe	Get hash	malicious	XWorm	Browse	46.246.86.13
	xjwP3UYA8ujq.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	46.246.82.6
	x6Xw7vcuD9zM.exe	Get hash	malicious	Njrat	Browse	46.246.14.23
	xw8oKxLrOnt6.exe	Get hash	malicious	Remcos	Browse	46.246.14.10
	xde47dUIgZDh.exe	Get hash	malicious	AsyncRAT	Browse	46.246.6.20
	x7CwEiB9bHEP.exe	Get hash	malicious	Njrat	Browse	46.246.6.20

Process:	C:\Users\user\Desktop\bUBD.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	907
Entropy (8bit):	5.243019596074263
Encrypted:	false
SSDEEP:	24:MLF2CpI329Iz52VMzffup26KTnKoO2+b2hHAa/:MwQd9IzoaXuY6Ux+SF/
MD5:	48A0572426885EBDE53CA62C7F2E194E
SHA1:	035628CDF6276367F6C83E9F4AA2172933850AA8
SHA-256:	4C68E10691304CAC8DA65A05CF2580728EC0E294104F267840712AF1C46A6538
SHA-512:	DEFE728C2312918D94BD43C98908C08CCCA5EBFB77F873779DCA784F14C607B33A4E29AC5ECB798F2F741668B7692F72BCB60DEFD536EA86B296B64FA359C42D
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\53992d421e2c7ecf6609c62b3510a6f0\System.Configuration.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\74774597e319a738b792e6a6c06d3559\System.Xml.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\1bd56c432cb9ff27e335d97f404caf8f\System.Management.ni.dll",0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	3.8058337179857618
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	bUBD.exe
File size:	32'768 bytes
MD5:	b0eb1186dec29582d7c86d211e2addf8
SHA1:	f8edefa10e35a0434bcb56ba45fcc265b4da6c52
SHA256:	d88a3e728153a059a398e01b451767e0fccf2eba9dcfeb6a5fe014363984a1c0
SHA512:	d3152ab2ebb76eea8ef99627317e4d9c01aa0cd060089338e6d62fbbc9d374ea282338c111100b430d11aeeb1faa73b973c4ff3473d6c2a66805c453e7fe3421
SSDEEP:	384:e0bUe5XB4e0X0gONpQq1pvmufCsIs6WT2tTUFQqz9A+ObbE:PT9Bui/Qqvvmu6V/bE
TLSH:	E2E2084A77E58215C6BC16FC8CB313210672E3878572EB6F9CDC88CA5B676D00651EEE
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.................P... ......ng... ........@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40676e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x661FE016 [Wed Apr 17 14:43:34 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6718	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8000	0x2b0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x4774	0x5000	dff105bc01e460c4fcff2a345b0802a2	False	0.475146484375	data	5.295670427311821	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x8000	0x2b0	0x1000	00198e1617ae38c466f86b96f395cb28	False	0.077880859375	data	0.6915250571668272	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa000	0xc	0x1000	34585954bedb30c5084980db7d41ad8f	False	0.0087890625	data	0.013126943721219527	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x8058	0x254	data			0.46308724832214765

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/17/24-21:10:33.620833	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49738	1994	192.168.2.4	46.246.14.22
04/17/24-21:09:03.882073	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49730	1994	192.168.2.4	46.246.14.22
04/17/24-21:10:24.166032	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49738	1994	192.168.2.4	46.246.14.22
04/17/24-21:10:19.272986	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49730	1994	192.168.2.4	46.246.14.22
04/17/24-21:09:03.399283	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49730	1994	192.168.2.4	46.246.14.22

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 17, 2024 21:09:02.964767933 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:09:03.307085037 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:09:03.307625055 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:09:03.399282932 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:09:03.881759882 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:09:03.882072926 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:09:04.269494057 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:09:08.416810036 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:09:08.858582020 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:09:52.744801044 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:09:53.169831038 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:09:55.150919914 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:09:55.571297884 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:09:57.059071064 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:09:57.457238913 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:03.463172913 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:03.869147062 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:05.918942928 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:06.369039059 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:06.369229078 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:06.933542013 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:06.978542089 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:07.271454096 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:07.271717072 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:07.319235086 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:07.319330931 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:07.602807999 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:07.603498936 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:07.758290052 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:07.758625031 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:08.090907097 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:08.091450930 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:08.409045935 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:08.479511976 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:08.479919910 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:08.746536970 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:08.746841908 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:08.957159996 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:08.957321882 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:09.269571066 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:09.269757986 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:09.459064960 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:09.459310055 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:09.769881010 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:09.769999981 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:09.969191074 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:09.969504118 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:10.174731970 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:10.175232887 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:10.371000051 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:10.371109009 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:10.573375940 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:10.573677063 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:10.761343956 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:10.761737108 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:11.056601048 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:11.056699991 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:11.164460897 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:11.164536953 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:11.496620893 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:11.500051022 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:11.850893021 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:12.071400881 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:12.076919079 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:12.196772099 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:12.197443962 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:12.449620962 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:12.458223104 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:12.458357096 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:12.723762035 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:12.770823956 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:12.771039963 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:12.786890984 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:12.787091970 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:12.970983028 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:12.971086979 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:13.055316925 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:13.055696011 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:13.278717041 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:13.357870102 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:13.357979059 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:13.469034910 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:13.469172001 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:13.610970020 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:13.611097097 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:13.809415102 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:13.809530020 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:14.080444098 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:14.080641031 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:14.260412931 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:14.260806084 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:14.516318083 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:14.758160114 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:14.758291006 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:14.847887039 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:14.851954937 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:15.115189075 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:15.191075087 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:15.193295956 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:15.440948009 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:15.448774099 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:15.568949938 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:15.569053888 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:15.785518885 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:15.785778046 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:15.972094059 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:15.972357035 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:16.269633055 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:16.269779921 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:16.470282078 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:16.472299099 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:16.658818960 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:16.658925056 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:16.971288919 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:16.971781015 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:17.160548925 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:17.163835049 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:17.431041956 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:17.470412970 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:17.470592022 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:17.658107042 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:17.658571959 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:17.764657021 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:17.764806032 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:17.980382919 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:17.980540037 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:18.109056950 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:18.109204054 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:18.330322027 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:18.370495081 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:18.370596886 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:18.560308933 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:18.560517073 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:18.664242029 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:18.664659977 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:18.871464968 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:18.871604919 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:19.009346008 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:19.009604931 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:19.263540030 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:19.272691011 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:19.272985935 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:19.458496094 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:19.461486101 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:19.625689030 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:19.625838041 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:19.771785975 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:19.773238897 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:19.959466934 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:19.964171886 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:20.069988966 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:20.072422028 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:20.272121906 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:20.274434090 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:20.406460047 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:20.406688929 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:20.661317110 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:20.661623955 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:20.892437935 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:20.892653942 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:21.066205978 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:21.066422939 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:21.270560026 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:21.270844936 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:21.470606089 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:21.470721960 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:21.522542953 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:21.522804022 CEST	49730	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:21.610563993 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:21.802439928 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:21.856547117 CEST	1994	49730	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:23.805253029 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:24.137129068 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:24.137213945 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:24.166032076 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:24.449816942 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:24.647708893 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:24.647804976 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:24.782586098 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:24.783333063 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:25.051983118 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:25.052119017 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:25.237078905 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:25.237201929 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:25.529417038 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:25.547234058 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:25.549266100 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:25.749913931 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:25.750037909 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:25.865838051 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:25.866028070 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:26.043003082 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:26.043095112 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:26.148665905 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:26.149241924 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:26.335767984 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:26.337218046 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:26.444174051 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:26.444272041 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:26.641627073 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:26.641839981 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:26.747646093 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:26.747823954 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:26.946157932 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:26.946521997 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:27.087281942 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:27.087392092 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:27.336044073 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:27.349133015 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:27.349248886 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:27.538331032 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:27.538477898 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:27.678749084 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:27.678848028 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:27.849509954 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:27.849611998 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:28.021361113 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:28.021476030 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:28.336086035 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:28.336167097 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:28.444941044 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:28.447369099 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:28.679737091 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:28.792821884 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:28.793175936 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:29.012048960 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:29.236915112 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:29.338048935 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:29.339658022 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:29.341031075 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:29.341160059 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:29.570746899 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:29.570888996 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:29.671555042 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:29.671749115 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:29.940232992 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:29.947014093 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:29.947171926 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:30.148905039 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:30.148981094 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:30.274274111 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:30.274349928 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:30.336806059 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:30.336873055 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:30.593193054 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:30.745592117 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:30.747175932 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:30.935553074 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:30.936589003 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:31.114701033 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:31.248577118 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:31.251806974 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:31.437560081 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:31.437870026 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:31.444859028 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:31.444895983 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:31.444933891 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:31.493932962 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:31.679358959 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:31.734746933 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:31.734860897 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:31.773386955 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:31.773435116 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:31.773493052 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:31.842921019 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:31.843028069 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:32.020754099 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:32.020853996 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:32.107625008 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:32.107701063 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:32.247802973 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:32.247919083 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:32.414040089 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:32.448076963 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:32.448183060 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:32.588176966 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:32.588280916 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:32.767015934 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:32.848686934 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:32.851857901 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:33.034166098 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:33.050606966 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:33.052202940 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:33.280606985 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:33.371371984 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:33.371572018 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:33.435383081 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:33.435466051 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:33.616142035 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:33.620732069 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:33.620832920 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:33.745131016 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:33.745232105 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:33.948501110 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:33.948849916 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:33.969497919 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:33.969598055 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:34.084331036 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:34.084453106 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:34.305653095 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:34.506542921 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:34.636296034 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:34.636545897 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:34.748363018 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:34.748506069 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:34.838537931 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:34.838866949 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:35.044194937 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:35.044363022 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:35.085299969 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:35.085453033 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:35.210522890 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:35.345328093 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:35.345434904 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:35.543873072 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:35.544150114 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:35.745311022 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:35.745413065 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:35.946286917 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:35.946455002 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:36.152849913 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:36.153004885 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:36.336365938 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:36.336726904 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:36.555432081 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:36.646018028 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:36.646225929 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:36.848191023 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:36.848445892 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:36.891577959 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:36.891720057 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:37.171647072 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:37.223112106 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:37.223288059 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:37.501535892 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:37.501683950 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:37.735896111 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:37.736145020 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:37.930979967 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:37.931087017 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:38.251032114 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:38.251156092 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:38.438880920 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:38.439249039 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:38.595467091 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:38.749722958 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:38.753160954 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:38.934772015 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:39.041666031 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:39.045116901 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:39.097517014 CEST	49738	1994	192.168.2.4	46.246.14.22
Apr 17, 2024 21:10:39.149622917 CEST	1994	49738	46.246.14.22	192.168.2.4
Apr 17, 2024 21:10:39.153198957 CEST	49738	1994	192.168.2.4	46.246.14.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 17, 2024 21:09:02.389862061 CEST	61417	53	192.168.2.4	1.1.1.1
Apr 17, 2024 21:09:02.961895943 CEST	53	61417	1.1.1.1	192.168.2.4
Apr 17, 2024 21:10:23.662367105 CEST	63472	53	192.168.2.4	1.1.1.1
Apr 17, 2024 21:10:23.801206112 CEST	53	63472	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 17, 2024 21:09:02.389862061 CEST	192.168.2.4	1.1.1.1	0x8f6f	Standard query (0)	patria.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 17, 2024 21:10:23.662367105 CEST	192.168.2.4	1.1.1.1	0xbe08	Standard query (0)	patria.duckdns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 17, 2024 21:09:02.961895943 CEST	1.1.1.1	192.168.2.4	0x8f6f	No error (0)	patria.duckdns.org		46.246.14.22	A (IP address)	IN (0x0001)	false
Apr 17, 2024 21:10:23.801206112 CEST	1.1.1.1	192.168.2.4	0xbe08	No error (0)	patria.duckdns.org		46.246.14.22	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	21:08:54
Start date:	17/04/2024
Path:	C:\Users\user\Desktop\bUBD.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\bUBD.exe"
Imagebase:	0x40000
File size:	32'768 bytes
MD5 hash:	B0EB1186DEC29582D7C86D211E2ADDF8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000000.1620359262.0000000000042000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	21:10:38
Start date:	17/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C Y /N /D Y /T 1 & Del "C:\Users\user\Desktop\bUBD.exe"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	21:10:38
Start date:	17/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	14.7%
Dynamic/Decrypted Code Coverage:	82.1%
Signature Coverage:	2%
Total number of Nodes:	151
Total number of Limit Nodes:	8

Executed Functions

Function 00B519F0 Relevance: 3.9, Strings: 2, Instructions: 1396
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00B5269C
, xrefs: 00B526A6

Memory Dump Source

Source File: 00000000.00000002.2666243236.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_bUBD.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 0ed20a32d963a6f3eac1a5dc9895fed7d8f2cb72cfd3374f1aee46722da4c145
Instruction ID: 87f660863d822facaad250c497300a09a5afdecd6c2814d987375791f4930908
Opcode Fuzzy Hash: 0ed20a32d963a6f3eac1a5dc9895fed7d8f2cb72cfd3374f1aee46722da4c145
Instruction Fuzzy Hash: 1DC29D30B002149FCB14EB68D954BAD77F3AF89305F1484E9E9099B7A9DF349D89CB81

Uniqueness

Uniqueness Score: -1.00%

Function 049E2273 Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 049E22F3

Memory Dump Source

Source File: 00000000.00000002.2668350477.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49e0000_bUBD.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: fed285a0cdc26111a2461973c72a2cac684e4bd431f9b5d38ebeafda4e4b7d75
Instruction ID: 43c044a5eef181b31d988e6022d55f4bf35ae1299f216a4dfa319f31420a2a2f
Opcode Fuzzy Hash: fed285a0cdc26111a2461973c72a2cac684e4bd431f9b5d38ebeafda4e4b7d75
Instruction Fuzzy Hash: 5221D3755093809FDB238F25DC44B52BFF8EF06310F0885EAE9848F563D275A908DB62

Uniqueness

Uniqueness Score: -1.00%

Function 049E22AA Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 049E22F3

Memory Dump Source

Source File: 00000000.00000002.2668350477.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49e0000_bUBD.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 92928daa22b85f53caa4f933c87436d7bcb05bc5d2576bb38069622fa94f2d17
Instruction ID: dd87d716915cee96a3921b56704a5f2f6df2b2c35ddf6429260bfe9e58ebad40
Opcode Fuzzy Hash: 92928daa22b85f53caa4f933c87436d7bcb05bc5d2576bb38069622fa94f2d17
Instruction Fuzzy Hash: AE115E766002009FEB21CF56D944B66FBE8EF08620F0889BAED458B656D375E418DF62

Uniqueness

Uniqueness Score: -1.00%

Function 00B503F8 Relevance: 1.6, APIs: 1, Instructions: 104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 00B5041F

Memory Dump Source

Source File: 00000000.00000002.2666243236.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_bUBD.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: f1ae87e9aacb284b0070a7be8b18211bb6e8594bebfade19d8891997ae8b0616
Instruction ID: 7a1dbcae7b649f80b3a666152016c247cdcb1352a4b44132e7aa542e64be8be4
Opcode Fuzzy Hash: f1ae87e9aacb284b0070a7be8b18211bb6e8594bebfade19d8891997ae8b0616
Instruction Fuzzy Hash: 72318031A102008FCB14EF78D99469DB7F2EF88305B1485B9D909EB35AEB34DD85CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0082B5DE Relevance: 1.6, APIs: 1, Instructions: 103
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0082B69D

Memory Dump Source

Source File: 00000000.00000002.2665835152.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_bUBD.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 95d492c1019dff6cfbd426a9465a4c062145863a4ae17dc5d8edcb6c17325135
Instruction ID: 69f1db9442ab1d03809db78bcd9a56607f1a2e14d41621d84c38e3199cab5746
Opcode Fuzzy Hash: 95d492c1019dff6cfbd426a9465a4c062145863a4ae17dc5d8edcb6c17325135
Instruction Fuzzy Hash: 8D3180B1505380AFE722CB65DC44FA2BFE8EF16314F08849AE984CB652D375E909DB71

Uniqueness

Uniqueness Score: -1.00%

Function 00B503E8 Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 00B5041F

Memory Dump Source

Source File: 00000000.00000002.2666243236.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_bUBD.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 02de40d6b596327aad663ea8a3b2cb3c4f2ff1e9dc3055e19d183c05dd69f6dc
Instruction ID: 81d7418e8ee327bf0d82d06a0e0b180ad00d4f60a77243a5cc3721e3bc1c3961
Opcode Fuzzy Hash: 02de40d6b596327aad663ea8a3b2cb3c4f2ff1e9dc3055e19d183c05dd69f6dc
Instruction Fuzzy Hash: CB318570A102018FCB14DF78D9D4A9DB7F2EF88305B1485A9D909DB35AEB34DD85CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 049E1D7E Relevance: 1.6, APIs: 1, Instructions: 99
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 049E1E45

Memory Dump Source

Source File: 00000000.00000002.2668350477.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49e0000_bUBD.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: fb2714669792a52fd17fcf1bef13713538a8df6e01f1851bfd466838b60e20ff
Instruction ID: 0036a267e4d3ff19ee8c2fd66398036d3cbe41e1519ec2acc9235870a259bd38
Opcode Fuzzy Hash: fb2714669792a52fd17fcf1bef13713538a8df6e01f1851bfd466838b60e20ff
Instruction Fuzzy Hash: 5A315072504344AFE722CF65DC45FA7BBECEF15210F08459AF9858B662D734E908CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0082BB4B Relevance: 1.6, APIs: 1, Instructions: 98
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 0082BC12

Memory Dump Source

Source File: 00000000.00000002.2665835152.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_bUBD.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 276c53e462074f92168474d3f7d14defad3e8fe90a7f21830bacc9d85db16761
Instruction ID: a7c696dd42ee9e729252a00796437982c91a140ecd6f26fa9360384b5b466ce2
Opcode Fuzzy Hash: 276c53e462074f92168474d3f7d14defad3e8fe90a7f21830bacc9d85db16761
Instruction Fuzzy Hash: 20318B6510E3C06FD3138B218C61A61BFB4EF47610F0E45CBD8C48F6A3D629A919D7B2

Uniqueness

Uniqueness Score: -1.00%

Function 0082A7C7 Relevance: 1.6, APIs: 1, Instructions: 95
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0082A879

Memory Dump Source

Source File: 00000000.00000002.2665835152.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_bUBD.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 9d19392520cd251924018ea50ee445c2caa4a1d33043d26c338ab23da09b6397
Instruction ID: d50a246ba77eab67d209693493f027f787eda275654dc41c87c2cffa22de3ad1
Opcode Fuzzy Hash: 9d19392520cd251924018ea50ee445c2caa4a1d33043d26c338ab23da09b6397
Instruction Fuzzy Hash: 203195B24083846FE7228B519C44FA7BFBCEF16314F08459AE985CB653D264E909C771

Uniqueness

Uniqueness Score: -1.00%

Function 049E099C Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32(?,00000E24), ref: 049E0A63

Memory Dump Source

Source File: 00000000.00000002.2668350477.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49e0000_bUBD.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: fed494d5021c0110d41095405c1d11df365b5f745805cfedfc5102e170d8b94b
Instruction ID: c019c96c24d9795ff66ecbd91e60ccbb8eac247f73961882bb91e7c98895fa7d
Opcode Fuzzy Hash: fed494d5021c0110d41095405c1d11df365b5f745805cfedfc5102e170d8b94b
Instruction Fuzzy Hash: C131AFB1504344AFEB21CB51DC44FA6BBACEF14314F04889AFA889B682D374E908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0082A612 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0082A6B9

Memory Dump Source

Source File: 00000000.00000002.2665835152.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_bUBD.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: b807634dfc69a8f50dcf11fff4bab3364eaa3f28e6b71baf761c4bb9c5ad27d3
Instruction ID: d4c92b7c050ac6b6ff58b35caf295ac5ddb90c6287c6996afcb559651b31333a
Opcode Fuzzy Hash: b807634dfc69a8f50dcf11fff4bab3364eaa3f28e6b71baf761c4bb9c5ad27d3
Instruction Fuzzy Hash: 33318FB55093806FE712CB25DC85B96BFF8EF16310F08849AE984CB293D375E909C762

Uniqueness

Uniqueness Score: -1.00%

Function 049E0894 Relevance: 1.6, APIs: 1, Instructions: 89
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessTimes.KERNELBASE(?,00000E24,8A63A454,00000000,00000000,00000000,00000000), ref: 049E0931

Memory Dump Source

Source File: 00000000.00000002.2668350477.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49e0000_bUBD.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 945b9059174bbe64b9a0770c0338145bfd31bc8befc299ea9c780e6bb6672472
Instruction ID: f009131f6a3cf8ad306e3dbc6ec39194533a30a501c1dd6803a5eab064d13d6e
Opcode Fuzzy Hash: 945b9059174bbe64b9a0770c0338145bfd31bc8befc299ea9c780e6bb6672472
Instruction Fuzzy Hash: 1631E9725097806FE7128F61DC45FA6BFB8EF16314F0884DAE984CF193D265A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 049E0190 Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 049E0227

Memory Dump Source

Source File: 00000000.00000002.2668350477.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49e0000_bUBD.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 9e9d799d532707496870fae92ecd5345a5b3c295498519581108d98d6b10d1bd
Instruction ID: e4fcd3f682ce859e7af8fc16604f092f98f50f72beea5bf045b2936b0191f58e
Opcode Fuzzy Hash: 9e9d799d532707496870fae92ecd5345a5b3c295498519581108d98d6b10d1bd
Instruction Fuzzy Hash: E8318171504384AFEB22CF65DC45FA7BBECEF05210F0884AAE944DB652D264E908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 049E1DAA Relevance: 1.6, APIs: 1, Instructions: 86
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 049E1E45

Memory Dump Source

Source File: 00000000.00000002.2668350477.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49e0000_bUBD.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 60f2b3b7362725304f6785b0caf967b67dd624aa1701f089b8ef363e22b1b3d8
Instruction ID: 3ad69a4ed9a00dc1e1fab8e9f2daaf8023ad0786d66ab492377e84e815a9cd91
Opcode Fuzzy Hash: 60f2b3b7362725304f6785b0caf967b67dd624aa1701f089b8ef363e22b1b3d8
Instruction Fuzzy Hash: 2E217172500204AFEB21DE15DC45FA7B7ECEF18614F04856AF945D6651D734F508CA71

Uniqueness

Uniqueness Score: -1.00%

Function 049E09BE Relevance: 1.6, APIs: 1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32(?,00000E24), ref: 049E0A63

Memory Dump Source

Source File: 00000000.00000002.2668350477.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49e0000_bUBD.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 75ed96ac22a6473aa204f1b84baa7993c88d377d01cf936f28704cfda65df0b6
Instruction ID: 5595f858d116f87b2c0c25498b4146aae6a71315e797de462e8c7238e7e7ce96
Opcode Fuzzy Hash: 75ed96ac22a6473aa204f1b84baa7993c88d377d01cf936f28704cfda65df0b6
Instruction Fuzzy Hash: 1721AD71500204AEEB21DB61CC88FA6F7ACEF14314F04886AEA889A685D6B4E508CB71

Uniqueness

Uniqueness Score: -1.00%

Function 049E0D10 Relevance: 1.6, APIs: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeInformationA.KERNELBASE(?,00000E24,?,?), ref: 049E0DB6

Memory Dump Source

Source File: 00000000.00000002.2668350477.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49e0000_bUBD.jbxd

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: 8fd140751911dd3d993955c0ed42bdb5130fdf7117d0caa6bb1d5f996d984d4a
Instruction ID: 45beb8df3e14b3e556add1b8fa37152c2a8dcf7e80675c1c708ff2e185b3f5c2
Opcode Fuzzy Hash: 8fd140751911dd3d993955c0ed42bdb5130fdf7117d0caa6bb1d5f996d984d4a
Instruction Fuzzy Hash: 0431917150D3C06FD3128B258C55B62BFB8EF47610F0980DBE884DF693D225A959C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0082A370 Relevance: 1.6, APIs: 1, Instructions: 80
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,8A63A454,00000000,00000000,00000000,00000000), ref: 0082A40C

Memory Dump Source

Source File: 00000000.00000002.2665835152.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_bUBD.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: ad5ae10bda9287b6139343bac1ba8c3609d333dbd492b7b64e8e8895a3c27342
Instruction ID: 945b6ba8aeecd442b1ad2d0247da6cc2c51e4c4ce550545028e53bc461654fff
Opcode Fuzzy Hash: ad5ae10bda9287b6139343bac1ba8c3609d333dbd492b7b64e8e8895a3c27342
Instruction Fuzzy Hash: 9B218B75504740AFE721CF11DC88FA2BBF8EF15720F08849AE985CB292D364E948CB62

Uniqueness

Uniqueness Score: -1.00%

Function 049E201D Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

select.WS2_32(?,?,?,?,?), ref: 049E20AC

Memory Dump Source

Source File: 00000000.00000002.2668350477.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49e0000_bUBD.jbxd

Similarity

API ID: select
String ID:
API String ID: 1274211008-0
Opcode ID: 9847d81a4e14557da8a3d6b4af0d70d001511235e43ac74f259c5b36539a8a89
Instruction ID: bafa372b8f69290a99b11d9404862c5f991358f0a0ce68c755de22679ac8ab0c
Opcode Fuzzy Hash: 9847d81a4e14557da8a3d6b4af0d70d001511235e43ac74f259c5b36539a8a89
Instruction Fuzzy Hash: 26216F715093849FDB22CF25DC44A62BFF8EF06310F0984DAE984CB263D275A949DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0082B6F4 Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,8A63A454,00000000,00000000,00000000,00000000), ref: 0082B789

Memory Dump Source

Source File: 00000000.00000002.2665835152.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_bUBD.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: bcee96a21837285c6b26f44b007a3a53868c4361eda1217b9a16fd12296043ca
Instruction ID: c67e3fafcfcb70ee365d42cef419ba2105000698566b05324ae5f0535b7b5382
Opcode Fuzzy Hash: bcee96a21837285c6b26f44b007a3a53868c4361eda1217b9a16fd12296043ca
Instruction Fuzzy Hash: 6421D8B54093806FE7128B15DC45BA2BFACEF56324F0985D6E9848B293D2649909C771

Uniqueness

Uniqueness Score: -1.00%

Function 049E23F5 Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E24,8A63A454,00000000,00000000,00000000,00000000), ref: 049E247C

Memory Dump Source

Source File: 00000000.00000002.2668350477.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49e0000_bUBD.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: f8471bc1d0b63433e6324ac8303315c6b9aef51b3c78842e20dab343a1ef765b
Instruction ID: b3de35077510f83b267032edfbf6baf50c2abfd1a4f561201203cc7b7271b40a
Opcode Fuzzy Hash: f8471bc1d0b63433e6324ac8303315c6b9aef51b3c78842e20dab343a1ef765b
Instruction Fuzzy Hash: C321A1715093806FE712CB25DC45FA6BFB8EF46314F0884EAE984DF297D268A908C771

Uniqueness

Uniqueness Score: -1.00%

Function 049E2958 Relevance: 1.6, APIs: 1, Instructions: 79registryCOMMON

Download Yara Rule

APIs

RegEnumValueW.KERNELBASE(?,00000E24,?,?), ref: 049E29FA

Memory Dump Source

Source File: 00000000.00000002.2668350477.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49e0000_bUBD.jbxd

Similarity

API ID: EnumValue
String ID:
API String ID: 2814608202-0
Opcode ID: 3b340a02f8a93951472bde5bd92f808b94dd01171cf18ae6ea6bd301957ed920
Instruction ID: 21b61a66fb71925b77d1a25d62a399b6516a52fad414471c67c4baca34b05fa3
Opcode Fuzzy Hash: 3b340a02f8a93951472bde5bd92f808b94dd01171cf18ae6ea6bd301957ed920
Instruction Fuzzy Hash: 6E21C77150D3C06FD3138B258C55B62BFB4EF87610F1980CFE8888B693D625A91AD7B2

Uniqueness

Uniqueness Score: -1.00%

Function 0082BC3E Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 0082BCCA

Memory Dump Source

Source File: 00000000.00000002.2665835152.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_bUBD.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 198d2f51910dcad496ea26c02ecfcbdf8a915e3c32a723a6193a18d253b002cc
Instruction ID: 9797b32024606cd656b2e70d56364095dd94d40e920eb7d52af24281e1b8c925
Opcode Fuzzy Hash: 198d2f51910dcad496ea26c02ecfcbdf8a915e3c32a723a6193a18d253b002cc
Instruction Fuzzy Hash: 54218071509380AFEB22CF51DC45F96FFB8EF15320F08889EE9858B656D375A908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0082A462 Relevance: 1.6, APIs: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,8A63A454,00000000,00000000,00000000,00000000), ref: 0082A4F8

Memory Dump Source

Source File: 00000000.00000002.2665835152.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_bUBD.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: b925995239bc2c398a53f51ef51e39808971fdc1f778110571f88f1c979cd68f
Instruction ID: f03f8f96b0d9a1d93adff539be98915a5fb7699f1cd8bc74413d2c41c71ab724
Opcode Fuzzy Hash: b925995239bc2c398a53f51ef51e39808971fdc1f778110571f88f1c979cd68f
Instruction Fuzzy Hash: 6B21A4725043806FD722CF51DC44F67BFB8EF55310F08849AE985DB652D264E848C772

Uniqueness

Uniqueness Score: -1.00%

Function 049E0346 Relevance: 1.6, APIs: 1, Instructions: 77fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 049E03DA

Memory Dump Source

Source File: 00000000.00000002.2668350477.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49e0000_bUBD.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: e6695c8201184c27822bddb015dc8be34237697bc0f40fe2ef1c50f365f979d7
Instruction ID: 18ce17ac050fca3d88a2d9a11683699155415f864c4d6dbb3a904e35631834ac
Opcode Fuzzy Hash: e6695c8201184c27822bddb015dc8be34237697bc0f40fe2ef1c50f365f979d7
Instruction Fuzzy Hash: 6F21BF71409384AFE722CF15DC44FA6FBF8EF19224F04849EE9848B652D379E908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0082B61E Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0082B69D

Memory Dump Source

Source File: 00000000.00000002.2665835152.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_bUBD.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8079d9d40c924f9d9d44f21f9dffa525217d4f5e19b0c564f5f2af8a19cae264
Instruction ID: 4557e40982517af924e12f46437da8b21aa9088642284583a3f7b9f4dc6c1c27
Opcode Fuzzy Hash: 8079d9d40c924f9d9d44f21f9dffa525217d4f5e19b0c564f5f2af8a19cae264
Instruction Fuzzy Hash: EF219C71501204AFEB20CF25DD84F66FBE8EF18314F088869E985CB656D375E848CB71

Uniqueness

Uniqueness Score: -1.00%

Function 049E01B6 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 049E0227

Memory Dump Source

Source File: 00000000.00000002.2668350477.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49e0000_bUBD.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 23d3b2a6d4b4146c73fb04217960fbdad2bd796db8b27bae3f5a2613c1eb7ae0
Instruction ID: 309caac08bbfe8555dce3ca04da9ae6c3b4dfbfa179e7bd957a846636ecbe2e0
Opcode Fuzzy Hash: 23d3b2a6d4b4146c73fb04217960fbdad2bd796db8b27bae3f5a2613c1eb7ae0
Instruction Fuzzy Hash: 9421D172600204AFEB21DF65DC44FBABBECEF14214F08886AE948DB756D774E508CA71

Uniqueness

Uniqueness Score: -1.00%

Function 049E20EC Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 049E2172

Memory Dump Source

Source File: 00000000.00000002.2668350477.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49e0000_bUBD.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 882a54589efed44c43c718f5ea5d356c82aa94ba1e8290c957a967f39fb3ad27
Instruction ID: 7bbf37a066b0566331c362c53473dff2bd295e798d2b280abb5493fd4df9f5f3
Opcode Fuzzy Hash: 882a54589efed44c43c718f5ea5d356c82aa94ba1e8290c957a967f39fb3ad27
Instruction Fuzzy Hash: 802192B25093809FE713CF25DC54B62BFA8AF56214F0984EAE948CB253D225E909C771

Uniqueness

Uniqueness Score: -1.00%

Function 049E00AA Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,8A63A454,00000000,00000000,00000000,00000000), ref: 049E013C

Memory Dump Source

Source File: 00000000.00000002.2668350477.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49e0000_bUBD.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 380bebf2ebc311167551452d5e3e6684d40947ebad6ec4710f05ac09e1864d6f
Instruction ID: aa16a7bf7ec89b566cc842e87a808616d5420f7397ce6e418d932672a33e0c69
Opcode Fuzzy Hash: 380bebf2ebc311167551452d5e3e6684d40947ebad6ec4710f05ac09e1864d6f
Instruction Fuzzy Hash: A8219D72504744AFD722CF11DC44FA7BBFCEF15610F08849AE9858B692D265E908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0082A7FA Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0082A879

Memory Dump Source

Source File: 00000000.00000002.2665835152.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_bUBD.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 8075e65ff37b863a5688f50517d5712a99f8b8b538b063c3d208decf5bc7533a
Instruction ID: 26f42b28b030aef5116fb62fb7dbbddd8054bd3ce5938061ac513be28403ae08
Opcode Fuzzy Hash: 8075e65ff37b863a5688f50517d5712a99f8b8b538b063c3d208decf5bc7533a
Instruction Fuzzy Hash: E121CFB2500204AFE7219A55DC44FABFBACEF24314F04886AE945CA655D734E8498AB2

Uniqueness

Uniqueness Score: -1.00%

Function 049E24DF Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E24,8A63A454,00000000,00000000,00000000,00000000), ref: 049E255B

Memory Dump Source

Source File: 00000000.00000002.2668350477.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49e0000_bUBD.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: e7a5effc9ec6976f5b9474d1634f45eb81d370f85c55b23d43c058de6c682407
Instruction ID: e8719e59375703c9ff0e8bd98c095ee62838a977b99c68658fb9998f9b477b58
Opcode Fuzzy Hash: e7a5effc9ec6976f5b9474d1634f45eb81d370f85c55b23d43c058de6c682407
Instruction Fuzzy Hash: DC2192715093806FE722CF11DC45FAABFACEF55214F0884AAE984DB696D274E908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 049E25C3 Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E24,8A63A454,00000000,00000000,00000000,00000000), ref: 049E263F

Memory Dump Source

Source File: 00000000.00000002.2668350477.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49e0000_bUBD.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: e7a5effc9ec6976f5b9474d1634f45eb81d370f85c55b23d43c058de6c682407
Instruction ID: 9c8d028c9f42ef58a6b9c6bfcc56a6b61f5b1c09d38d3c2758d67d74bd9ac5d3
Opcode Fuzzy Hash: e7a5effc9ec6976f5b9474d1634f45eb81d370f85c55b23d43c058de6c682407
Instruction Fuzzy Hash: AD2195715053806FEB12CF11DC44FA6BFACEF55214F0884ABE945DB656D274A908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0082A646 Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0082A6B9

Memory Dump Source

Source File: 00000000.00000002.2665835152.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_bUBD.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 8013ff8e77bcb34fc24c4dfc32095e108164186db6aea113287b3b9aaef7391d
Instruction ID: a54c23c174c09b710e8cd360d878f6d320c400229550c60c17dacf1f8c448335
Opcode Fuzzy Hash: 8013ff8e77bcb34fc24c4dfc32095e108164186db6aea113287b3b9aaef7391d
Instruction Fuzzy Hash: F521C275600200AFE720CF25DD85BA6FBE8EF24314F088869E984CF746D775E849CA72

Uniqueness

Uniqueness Score: -1.00%

Function 049E05DD Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

shutdown.WS2_32(?,00000E24,8A63A454,00000000,00000000,00000000,00000000), ref: 049E0660

Memory Dump Source

Source File: 00000000.00000002.2668350477.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49e0000_bUBD.jbxd

Similarity

API ID: shutdown
String ID:
API String ID: 2510479042-0
Opcode ID: 3e15757c70d86dab702de4620cd809955aba49d08b2559221f2d92f3934e70b0
Instruction ID: d0652b38d31a74b812d54ca39b9ac1e755ad23744fc8636863fa8a6b26bf1e50
Opcode Fuzzy Hash: 3e15757c70d86dab702de4620cd809955aba49d08b2559221f2d92f3934e70b0
Instruction Fuzzy Hash: 0A219571409380AFD712CB11DC44F56BFB8EF46214F0885DAE984DF656C278A548C771

Uniqueness

Uniqueness Score: -1.00%

Function 049E3862 Relevance: 1.6, APIs: 1, Instructions: 71registryCOMMON

Download Yara Rule

APIs

RegDeleteKeyW.ADVAPI32(?,00000E24,8A63A454,00000000,00000000,00000000,00000000), ref: 049E38E8

Memory Dump Source

Source File: 00000000.00000002.2668350477.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49e0000_bUBD.jbxd

Similarity

API ID: Delete
String ID:
API String ID: 1035893169-0
Opcode ID: 516c37a633f551752eb6f9b88206c8b4f03b1e5d2b64712c27a19b78fbbf9264
Instruction ID: 8112406ab1554be0d9430f6c1b44f2604f464a5b30d838296ba5e6be4dba0dac
Opcode Fuzzy Hash: 516c37a633f551752eb6f9b88206c8b4f03b1e5d2b64712c27a19b78fbbf9264
Instruction Fuzzy Hash: B8218171509380AFD722CB51DC45FA6BFBCEF56210F0884DAE9849B697D268E908C772

Uniqueness

Uniqueness Score: -1.00%

Function 0082B9D6 Relevance: 1.6, APIs: 1, Instructions: 70fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E24,8A63A454,00000000,00000000,00000000,00000000), ref: 0082BA55

Memory Dump Source

Source File: 00000000.00000002.2665835152.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_bUBD.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 3067831a34e73092512ea7cf3514a64560f99fcbcaba4055a06953b174d7baf3
Instruction ID: cc5ddc2d499b80c602388875656b642bbde00c59feea4b293a4282c71bc89e25
Opcode Fuzzy Hash: 3067831a34e73092512ea7cf3514a64560f99fcbcaba4055a06953b174d7baf3
Instruction Fuzzy Hash: A721A471405380AFDB22CF51DC44F97BFB8EF55310F08849AE9859B656C335A908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0082A392 Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,8A63A454,00000000,00000000,00000000,00000000), ref: 0082A40C

Memory Dump Source

Source File: 00000000.00000002.2665835152.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_bUBD.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 35718510f00328899581b81e72f642935247b794d1bb8fcdfcd697711c3bdabf
Instruction ID: 998f020fc3b98ed0561e3fa22e30fc29a7062dbba989a2057a7a1fd0b8f7b866
Opcode Fuzzy Hash: 35718510f00328899581b81e72f642935247b794d1bb8fcdfcd697711c3bdabf
Instruction Fuzzy Hash: 9421AE75600204AFE720CE15DC88FA6F7ECEF14714F04846AE945CB751D374E849CA72

Uniqueness

Uniqueness Score: -1.00%

Function 0082A140 Relevance: 1.6, APIs: 1, Instructions: 69networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,?), ref: 0082A1C1

Memory Dump Source

Source File: 00000000.00000002.2665835152.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_bUBD.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: c1d7293756ed11b456d2d6e1940dabc7df0a6925bd23ab93dd68966ea0b7ff1c
Instruction ID: 0f64978047a43b1e7e441f80f4de4f3e89174df1b7044a0a5928372fd4b22225
Opcode Fuzzy Hash: c1d7293756ed11b456d2d6e1940dabc7df0a6925bd23ab93dd68966ea0b7ff1c
Instruction Fuzzy Hash: EF219A7140D3C09FD7238B619C54A52BFB4EF07220F0A88DBD985CF5A3C279A859DB62

Uniqueness

Uniqueness Score: -1.00%

Function 049E1F57 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E24,8A63A454,00000000,00000000,00000000,00000000), ref: 049E1FD3

Memory Dump Source

Source File: 00000000.00000002.2668350477.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49e0000_bUBD.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 53ecb42a1c8f74b64c1f360311d2a6914a04b18eb79a571e35df346a627887ce
Instruction ID: d24cd974e989ffd437e3b9ea6dd9278ba0340249c02a1c9ee5d60925adafab13
Opcode Fuzzy Hash: 53ecb42a1c8f74b64c1f360311d2a6914a04b18eb79a571e35df346a627887ce
Instruction Fuzzy Hash: 5621C371409380AFE722CF11DC48FA6BFBCEF55214F0884AAE9849B696C279A508C771

Uniqueness

Uniqueness Score: -1.00%

Function 0082BD23 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,?,?,?,?), ref: 0082BDA0

Memory Dump Source

Source File: 00000000.00000002.2665835152.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_bUBD.jbxd

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 74eb69286ed347bad1b0505ccab2553bc7779dc8dbab0722c140af8c69a157cf
Instruction ID: bc818012f367fb6b52d3f648f5d5ca9a90674385cf11bad57239451e35231780
Opcode Fuzzy Hash: 74eb69286ed347bad1b0505ccab2553bc7779dc8dbab0722c140af8c69a157cf
Instruction Fuzzy Hash: 5C2190721093C0AFDB128B61DC44B92BFB4EF07320F0984DAD9C48F563C225A859CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0082BC5E Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 0082BCCA

Memory Dump Source

Source File: 00000000.00000002.2665835152.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_bUBD.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 36f3a225ff7fb3f4ee3f65a3700cc7580831f5a09c4ca182cc134e0a75176411
Instruction ID: c34d87b2e61a8e7127bbc1e12085a8a7e3831e4999f88a4e17095f17606626f4
Opcode Fuzzy Hash: 36f3a225ff7fb3f4ee3f65a3700cc7580831f5a09c4ca182cc134e0a75176411
Instruction Fuzzy Hash: E421D171501200AFEB21CF55DC44BA6FBE4FF18324F14886AE9858B756C775E408DB71

Uniqueness

Uniqueness Score: -1.00%

Function 049E0B6E Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 049E0BEA

Memory Dump Source

Source File: 00000000.00000002.2668350477.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49e0000_bUBD.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 7ab55e464063a16ff23362369692380c268c7787fcf86f2874b4c8f838acab88
Instruction ID: 484c0e5e53d0fa4fb8b97f277e9bd4270a8e3159b30cff5afe04b099f98ebfe3
Opcode Fuzzy Hash: 7ab55e464063a16ff23362369692380c268c7787fcf86f2874b4c8f838acab88
Instruction Fuzzy Hash: 41219271508780AFDB228F51DC44B62FFF8EF06310F0884DAE9858B663D275A819DB61

Uniqueness

Uniqueness Score: -1.00%

Function 049E0366 Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 049E03DA

Memory Dump Source

Source File: 00000000.00000002.2668350477.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49e0000_bUBD.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 975b9fa35b2bf85a3ae31a7de3d31f0eefbd841e082ac548dbb11c045280db16
Instruction ID: bc9c775b2394fd909ddce18b88a66e6fe953007059df9102d37aa190369bd81c
Opcode Fuzzy Hash: 975b9fa35b2bf85a3ae31a7de3d31f0eefbd841e082ac548dbb11c045280db16
Instruction Fuzzy Hash: 1221F371500204AFEB21CF16DD44FA6FBE8EF18224F048469E9858B756E375F408CB71

Uniqueness

Uniqueness Score: -1.00%

Function 049E0FD2 Relevance: 1.6, APIs: 1, Instructions: 66libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E24), ref: 049E105B

Memory Dump Source

Source File: 00000000.00000002.2668350477.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49e0000_bUBD.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 09fd9767304ffe96214d11d88c0f58f788bb6ae9754c67ff63a65e2c86fcfaa7
Instruction ID: ed23076b434d2317de9cf2e9fbd3fbf7ac69beba9e8cf7e0a936cbba54318bb8
Opcode Fuzzy Hash: 09fd9767304ffe96214d11d88c0f58f788bb6ae9754c67ff63a65e2c86fcfaa7
Instruction Fuzzy Hash: F21106714093807FE721CB11DC85FA6FFB8DF05320F04809AF9449B292C278B948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0082A486 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,8A63A454,00000000,00000000,00000000,00000000), ref: 0082A4F8

Memory Dump Source

Source File: 00000000.00000002.2665835152.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_bUBD.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: e60c0802614d8b9382bed813c8a9978fae3e712c2b86db580fbaab122430fcad
Instruction ID: b043f77c35af2b9f40ff4073150118c3f7a79948da35065d2cff3b83d9aff6fd
Opcode Fuzzy Hash: e60c0802614d8b9382bed813c8a9978fae3e712c2b86db580fbaab122430fcad
Instruction Fuzzy Hash: A411AC72500604AFEB218E15ED44FA7BBE8EF14714F04846AED45DA796D374E848CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 049E2ED5 Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 049E2F51

Memory Dump Source

Source File: 00000000.00000002.2668350477.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49e0000_bUBD.jbxd

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: ffc392ef9b25c76f55af5d8af081865dd28de2dd4351c1ddfeed8ee63337661e
Instruction ID: 82461d1e73e1843afa0bb3eb2deb39b92fba58ae93e0d20514b40993bdd4870b
Opcode Fuzzy Hash: ffc392ef9b25c76f55af5d8af081865dd28de2dd4351c1ddfeed8ee63337661e
Instruction Fuzzy Hash: 872181755083805FD7228F15DC45B62BFF8EF56314F0984DAE9848B293D265A808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 049E00CA Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,8A63A454,00000000,00000000,00000000,00000000), ref: 049E013C

Memory Dump Source

Source File: 00000000.00000002.2668350477.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49e0000_bUBD.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 4deb14419afd53bb84a4dc51d7dfa7c59dca21d272d5d51bc234074096bb9337
Instruction ID: 504b111cc32be1a377854b831be622c4ab24b077350a34872b7c2fc58b0d660d
Opcode Fuzzy Hash: 4deb14419afd53bb84a4dc51d7dfa7c59dca21d272d5d51bc234074096bb9337
Instruction Fuzzy Hash: 7011AF72500604AFE722CE16DC84FA7B7ECEF14710F08846AE9858B656D3B5F408CA71

Uniqueness

Uniqueness Score: -1.00%

Function 0082A710 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0082A780

Memory Dump Source

Source File: 00000000.00000002.2665835152.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_bUBD.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 4bf4a0f2acbbf34ba77bc4ccab4cb4d3c430743abe8c0281e93de3e4591ef2ae
Instruction ID: 810715d2d86372b6a67a1eb8da416b152cec181a6c8ff58ddfd19771d480f2cb
Opcode Fuzzy Hash: 4bf4a0f2acbbf34ba77bc4ccab4cb4d3c430743abe8c0281e93de3e4591ef2ae
Instruction Fuzzy Hash: 2021D5B15043809FD711CB55DC85752BFA8EF12324F09849BED848B653D234A909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 049E08D2 Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E24,8A63A454,00000000,00000000,00000000,00000000), ref: 049E0931

Memory Dump Source

Source File: 00000000.00000002.2668350477.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49e0000_bUBD.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: aa59e1a73bef9a9f71d84d130c62b2e4917bec61a8597a75d3ac0c55c17c00b6
Instruction ID: 87677b30ff2a2601617ed8582fccfd488a328fe425669d96e74fa836295958d3
Opcode Fuzzy Hash: aa59e1a73bef9a9f71d84d130c62b2e4917bec61a8597a75d3ac0c55c17c00b6
Instruction Fuzzy Hash: 8E119372500200AFEB21CF55DC44FA6B7E8EF14324F04C86AEA45DB655D775E508CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 049E3BA9 Relevance: 1.6, APIs: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 049E3C1D

Memory Dump Source

Source File: 00000000.00000002.2668350477.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49e0000_bUBD.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 7dbc277c3eda039b1a827698eb18f05cf4277a6c79938f14cd4f728b8fccd990
Instruction ID: f731748d5dbffd6814f1f1cfdd57d8e75388089adb7e75e93b063b1460e624ca
Opcode Fuzzy Hash: 7dbc277c3eda039b1a827698eb18f05cf4277a6c79938f14cd4f728b8fccd990
Instruction Fuzzy Hash: 9F216D714093C0AFDB238F26DC45A52BFB4EF17210F0984DAED848F663D265A818DB62

Uniqueness

Uniqueness Score: -1.00%

Function 049E25E6 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E24,8A63A454,00000000,00000000,00000000,00000000), ref: 049E263F

Memory Dump Source

Source File: 00000000.00000002.2668350477.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49e0000_bUBD.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 5846c4dc72b53a41597665d28fdd062740d9fcf9e1f3d4e8b2f4766bd2c2dd2b
Instruction ID: a6f66980858e96630c0b75c7a02a0c324df1fda32c9edcff8716febb6a70c2b5
Opcode Fuzzy Hash: 5846c4dc72b53a41597665d28fdd062740d9fcf9e1f3d4e8b2f4766bd2c2dd2b
Instruction Fuzzy Hash: 8C11C171600200AFEB21CF15DC44FAAB7ACEF54624F08C8BAE945DB645D778E508CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 049E0006 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,00000E24,?,?), ref: 049E0082

Memory Dump Source

Source File: 00000000.00000002.2668350477.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49e0000_bUBD.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: ad5dda99dc49aecd9a16d5803e56d63d91dbaaef36de9ad568255ffbc732189a
Instruction ID: f28d1aec81458b0ac7bfb561893362a667a3d681a900b8f34453e01c9b27a46e
Opcode Fuzzy Hash: ad5dda99dc49aecd9a16d5803e56d63d91dbaaef36de9ad568255ffbc732189a
Instruction Fuzzy Hash: 2D1108715093806FC311CB25CC45F26FFB4EF86610F1881DFE8889B693D625B919C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 049E2502 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E24,8A63A454,00000000,00000000,00000000,00000000), ref: 049E255B

Memory Dump Source

Source File: 00000000.00000002.2668350477.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49e0000_bUBD.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 5846c4dc72b53a41597665d28fdd062740d9fcf9e1f3d4e8b2f4766bd2c2dd2b
Instruction ID: 515c84e99fd1a6d109b7adf2b0c08d70e7a0a196aec04963b36345f1a8ca5c72
Opcode Fuzzy Hash: 5846c4dc72b53a41597665d28fdd062740d9fcf9e1f3d4e8b2f4766bd2c2dd2b
Instruction Fuzzy Hash: FE11C1B1600200AFEB21CF15DD45FAAB7ACEF54224F04C8BAEA45DB645D778E508CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0082AC03 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0082AC6E

Memory Dump Source

Source File: 00000000.00000002.2665835152.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_bUBD.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: dc0e7dd4e0df5e333bb75e253e6ad3a9b07b3c3c406563a28ecf8b1dad39b7bb
Instruction ID: 50df5931e193f88723f435b5c7272168abf442358527ac56a458ee801ba5f9a1
Opcode Fuzzy Hash: dc0e7dd4e0df5e333bb75e253e6ad3a9b07b3c3c406563a28ecf8b1dad39b7bb
Instruction Fuzzy Hash: 47118471409380AFDB228F51DC44A62FFF4EF4A310F0888DAED858B563C275A919DB71

Uniqueness

Uniqueness Score: -1.00%

Function 049E2426 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E24,8A63A454,00000000,00000000,00000000,00000000), ref: 049E247C

Memory Dump Source

Source File: 00000000.00000002.2668350477.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49e0000_bUBD.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: b771faa59c50ed6e4296fb80e83eb092c5a96eb131e9317e5ab42b85c1d0b1db
Instruction ID: 45a3f35f9e302828002f99e6029f38edf61e85b19b032490c365e99d7bcd1696
Opcode Fuzzy Hash: b771faa59c50ed6e4296fb80e83eb092c5a96eb131e9317e5ab42b85c1d0b1db
Instruction Fuzzy Hash: 9311A371604204AFEB21CF16DC45BAAB7ACEF54224F04C4BAED45DF785E678E508CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0082B9F6 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E24,8A63A454,00000000,00000000,00000000,00000000), ref: 0082BA55

Memory Dump Source

Source File: 00000000.00000002.2665835152.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_bUBD.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: cd2e048c86d0bab1739e7fb6d6af71f21fc9e48fae40cf501c8ecd97a0bd895e
Instruction ID: 760334a620ddac010aafda981ef3b72b01cef5e99a992858f7d9fb240974fb46
Opcode Fuzzy Hash: cd2e048c86d0bab1739e7fb6d6af71f21fc9e48fae40cf501c8ecd97a0bd895e
Instruction Fuzzy Hash: B8110471501200AFEB21CF51DC44FA6FBE8EF14324F04886AE945DB655C335E448DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 049E1F7A Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E24,8A63A454,00000000,00000000,00000000,00000000), ref: 049E1FD3

Memory Dump Source

Source File: 00000000.00000002.2668350477.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49e0000_bUBD.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: efe5042ac2135dae434dea8187772ae6336132f1e5220be92dadd245fd1af516
Instruction ID: 9cbcee398e31fd41bbebf50c33c87cb1d0bc494c463ceb772a74b3323c5e4ce9
Opcode Fuzzy Hash: efe5042ac2135dae434dea8187772ae6336132f1e5220be92dadd245fd1af516
Instruction Fuzzy Hash: 5B11C171500200AFEB21CF55DC44FA6B7A8EF14224F04886AE9449B686D379A508CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 049E388A Relevance: 1.6, APIs: 1, Instructions: 57registryCOMMON

Download Yara Rule

APIs

RegDeleteKeyW.ADVAPI32(?,00000E24,8A63A454,00000000,00000000,00000000,00000000), ref: 049E38E8

Memory Dump Source

Source File: 00000000.00000002.2668350477.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49e0000_bUBD.jbxd

Similarity

API ID: Delete
String ID:
API String ID: 1035893169-0
Opcode ID: c3fb6984bbec4319450e3b0eacee38318fe5cfe6d3f719de42f9cf571308b450
Instruction ID: a5e09ffb2c170a477adfdcbd4eec45e0615b434afcb3974949055ad5b9cab14f
Opcode Fuzzy Hash: c3fb6984bbec4319450e3b0eacee38318fe5cfe6d3f719de42f9cf571308b450
Instruction Fuzzy Hash: CC11C271500200AEE721CE16DC45FA6B7ACDF14624F04C46AEE449B746D778F508CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 049E060A Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

shutdown.WS2_32(?,00000E24,8A63A454,00000000,00000000,00000000,00000000), ref: 049E0660

Memory Dump Source

Source File: 00000000.00000002.2668350477.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49e0000_bUBD.jbxd

Similarity

API ID: shutdown
String ID:
API String ID: 2510479042-0
Opcode ID: 886a71ebd7871d0a2ef5e53639aba3679dcbe82fa60029511ea45c750e0b28be
Instruction ID: 492f9383cb0ee5df548fd6b8430f8d37d596ab9d8f5cbbe76b86dbc6ef124197
Opcode Fuzzy Hash: 886a71ebd7871d0a2ef5e53639aba3679dcbe82fa60029511ea45c750e0b28be
Instruction Fuzzy Hash: 34117071500204AEEB21CF15DC84BAAB7A8EF54724F04C86AE944AF645D6B9E5088AB5

Uniqueness

Uniqueness Score: -1.00%

Function 0082A2AE Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0082A30C

Memory Dump Source

Source File: 00000000.00000002.2665835152.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_bUBD.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 64cee67674d58b732e82a7cf788b2125234f8017b074ffe2487ebcd36f7a829e
Instruction ID: 9aa7252d2f287ead051532c17f92c10b8c82926abf6e79f09d2e21e1b3513a5f
Opcode Fuzzy Hash: 64cee67674d58b732e82a7cf788b2125234f8017b074ffe2487ebcd36f7a829e
Instruction Fuzzy Hash: 561191714093C0AFDB238B15DC54662BFB4DF57224F0984DBED848F263D2656858D772

Uniqueness

Uniqueness Score: -1.00%

Function 049E3FA9 Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 049E4009

Memory Dump Source

Source File: 00000000.00000002.2668350477.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49e0000_bUBD.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: fd8e40bf677dfc3acd67bbfa3b1bde96888a496227899cdd1caa7d6566d13723
Instruction ID: 5f4d68765c2cae46ae8c88d901eee9f6eaf04f600ad8bbd5d77958e48f50cd3b
Opcode Fuzzy Hash: fd8e40bf677dfc3acd67bbfa3b1bde96888a496227899cdd1caa7d6566d13723
Instruction Fuzzy Hash: E811E375509780AFDB228F11DC45A52FFB4EF16220F08C4AEED858B663D275A818DB62

Uniqueness

Uniqueness Score: -1.00%

Function 049E0FF2 Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E24), ref: 049E105B

Memory Dump Source

Source File: 00000000.00000002.2668350477.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49e0000_bUBD.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 38dd28897a8100317c47847d37ba20c2cc5fb60ab2828980b728b9bc891f18ae
Instruction ID: 39a7777288edd42ea8ab874835d3224d4ddc428b0ee87b610f6b7a6819e4eb56
Opcode Fuzzy Hash: 38dd28897a8100317c47847d37ba20c2cc5fb60ab2828980b728b9bc891f18ae
Instruction Fuzzy Hash: D2112571500240AEE721CF16DC45FB6F7A8DF14720F04846AEE449E785D3B8F408CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 049E2056 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

select.WS2_32(?,?,?,?,?), ref: 049E20AC

Memory Dump Source

Source File: 00000000.00000002.2668350477.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49e0000_bUBD.jbxd

Similarity

API ID: select
String ID:
API String ID: 1274211008-0
Opcode ID: fba46e1302bfcb3da23c448a89820873cb311b386f7b864ae06a26917135e75b
Instruction ID: c715c7fe2fbd329980f9fd67e2347b453f5ea71bfb220044e6489574f31e757e
Opcode Fuzzy Hash: fba46e1302bfcb3da23c448a89820873cb311b386f7b864ae06a26917135e75b
Instruction Fuzzy Hash: 9E115B716002049FEB21CF16D984B62FBECEF04311F0888BADD49CB696D335F548CA62

Uniqueness

Uniqueness Score: -1.00%

Function 0082AD9F Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 0082AE00

Memory Dump Source

Source File: 00000000.00000002.2665835152.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_bUBD.jbxd

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 5d31b2fa605aa13ea21e73c1d33839d57c73ee4c5f42ca6d928dccf52c46b4a0
Instruction ID: 4ad425cf051707e59e208b5f788a9b328109466bab9924de03a9ee7558813410
Opcode Fuzzy Hash: 5d31b2fa605aa13ea21e73c1d33839d57c73ee4c5f42ca6d928dccf52c46b4a0
Instruction Fuzzy Hash: 4911BF754093C0AFDB12CB11DC45B52BFB4EF06224F0884DBED848F293D279A809CB62

Uniqueness

Uniqueness Score: -1.00%

Function 049E212A Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 049E2172

Memory Dump Source

Source File: 00000000.00000002.2668350477.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49e0000_bUBD.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 1430242c45b8ea240f63736a3f405a124368273a9b678319a714841129a28eae
Instruction ID: 4b7e12ea34b363fd7cba8890b37b8faf4803cb135ed0b338469596592a5f6fb1
Opcode Fuzzy Hash: 1430242c45b8ea240f63736a3f405a124368273a9b678319a714841129a28eae
Instruction Fuzzy Hash: C31152716042409FEB21CF5ADC85B66FBECEF04220F08C4BADE49DB756D675E504CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0082B736 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,8A63A454,00000000,00000000,00000000,00000000), ref: 0082B789

Memory Dump Source

Source File: 00000000.00000002.2665835152.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_bUBD.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 5f068d648f49555a332c5dca3a0bcc26080907f594401af0cc08fd9d5ed27eee
Instruction ID: c5c294ffb53b64ff1f056b0f0ad6eeb479219c7f52f3a8270e4ecf314881dddf
Opcode Fuzzy Hash: 5f068d648f49555a332c5dca3a0bcc26080907f594401af0cc08fd9d5ed27eee
Instruction Fuzzy Hash: 6C01C071500204AFE720CB15EC84FA6F7A8EF64724F14C0A6EE449B785D778E848CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 049E0B9E Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 049E0BEA

Memory Dump Source

Source File: 00000000.00000002.2668350477.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49e0000_bUBD.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 4264d9cc0b1316217af24fe3c21f40201569e3dd211626639dc04ebef5a51e65
Instruction ID: 7cdd26235ac3d639019a52c2f152f594115107ec652f53781bb939ca5f68c998
Opcode Fuzzy Hash: 4264d9cc0b1316217af24fe3c21f40201569e3dd211626639dc04ebef5a51e65
Instruction Fuzzy Hash: 661170715006449FEB21CF56D844B62FBE4FF08310F0888AAED498B662D375F418DB61

Uniqueness

Uniqueness Score: -1.00%

Function 049E3E5C Relevance: 1.5, APIs: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 049E3EB0

Memory Dump Source

Source File: 00000000.00000002.2668350477.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49e0000_bUBD.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 8c34058773cd13f1070514923f2c188607070d24bf4bc632fa9b842553cf2540
Instruction ID: fc6ab33487b40c6edb2f93ae8a92b0a0b320efe5828501db3bf11be9fef3a6f8
Opcode Fuzzy Hash: 8c34058773cd13f1070514923f2c188607070d24bf4bc632fa9b842553cf2540
Instruction Fuzzy Hash: FE11A171509384AFDB228F15DC48B62FFB8DF46224F0880DAED858B253D275A808CB72

Uniqueness

Uniqueness Score: -1.00%

Function 049E0D66 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetVolumeInformationA.KERNELBASE(?,00000E24,?,?), ref: 049E0DB6

Memory Dump Source

Source File: 00000000.00000002.2668350477.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49e0000_bUBD.jbxd

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: e95154502f2246d8aad56136547bd6d833a2e5dffc400e902c747439185618c1
Instruction ID: 6407e829289d57c56e6289e64ea809f7f8c301a4d81bf15fe192fec6052c2b84
Opcode Fuzzy Hash: e95154502f2246d8aad56136547bd6d833a2e5dffc400e902c747439185618c1
Instruction Fuzzy Hash: E501B171600200ABD310DF16DC45B76FBE8EB88A20F14812AED489BB46D735F925CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 049E2F06 Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 049E2F51

Memory Dump Source

Source File: 00000000.00000002.2668350477.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49e0000_bUBD.jbxd

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 5c76b7d9bf38bffed5cc5a46689dc904f3e1f49e94439a8c66fbadf83ab297ad
Instruction ID: 4e2b02d759f58bb2c823eedca4f4c715512061dfdd51da9af91065ee475f1536
Opcode Fuzzy Hash: 5c76b7d9bf38bffed5cc5a46689dc904f3e1f49e94439a8c66fbadf83ab297ad
Instruction Fuzzy Hash: ED0180716002009FDB21CF1ADD45B22FBECEF04610F08C8A9DD498B752D375F408CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0082AC2A Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0082AC6E

Memory Dump Source

Source File: 00000000.00000002.2665835152.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_bUBD.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6da60c8add996ac0bd30e5f4a1d215421b9824e74bba63c0239f93c1ae0f874e
Instruction ID: 4cbfa6bc9940bb90c2668bd70ebb141e2c75ece0f1d4c6864a0745c020bcbd7c
Opcode Fuzzy Hash: 6da60c8add996ac0bd30e5f4a1d215421b9824e74bba63c0239f93c1ae0f874e
Instruction Fuzzy Hash: 5501AD32500200DFDB21CF55E944B62FBE0FF48320F08C8AAEE498A652C336E458DF62

Uniqueness

Uniqueness Score: -1.00%

Function 0082BBC2 Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 0082BC12

Memory Dump Source

Source File: 00000000.00000002.2665835152.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_bUBD.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 8a06d444775d69cb3243c7c105c6f2399b1dfc7436d0ec95f8a550959de7df41
Instruction ID: c3b151d018df98ed02856ef8f0a0028d791266765d4560da1e2a8c446e096f47
Opcode Fuzzy Hash: 8a06d444775d69cb3243c7c105c6f2399b1dfc7436d0ec95f8a550959de7df41
Instruction Fuzzy Hash: A401A271500200ABD310DF16DC46B66FBE8FB98A20F14811AED489BB82D775F925CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0082A74E Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0082A780

Memory Dump Source

Source File: 00000000.00000002.2665835152.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_bUBD.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 913e25d1ef9733556ef5fe888944bbad9aa635615b86dcf72d5ce61505b8585a
Instruction ID: ecd5db5f02b1fbc2d60f10d4c01ef51c2738ab339451e2f81466324a4e5fe1cf
Opcode Fuzzy Hash: 913e25d1ef9733556ef5fe888944bbad9aa635615b86dcf72d5ce61505b8585a
Instruction Fuzzy Hash: 7101BC716002409FEB10CF19E984766FBA4EF04324F08C4AADD89CF756D279A848CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0082BD62 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,?,?,?,?), ref: 0082BDA0

Memory Dump Source

Source File: 00000000.00000002.2665835152.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_bUBD.jbxd

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 85eed6f83a6fd0ab2741b2662a642410fc9c1c2123c741b0ff2987e9c3e493ea
Instruction ID: ea5031a35ecd4ac400549a68b245ab04c1da4f9fde6f76c7ec1e294e3b7e4f25
Opcode Fuzzy Hash: 85eed6f83a6fd0ab2741b2662a642410fc9c1c2123c741b0ff2987e9c3e493ea
Instruction Fuzzy Hash: 1D019272504244DFDB20CF55E944B95FBE0FF14324F08C8AADE898F656C375A458DB61

Uniqueness

Uniqueness Score: -1.00%

Function 049E29AA Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegEnumValueW.KERNELBASE(?,00000E24,?,?), ref: 049E29FA

Memory Dump Source

Source File: 00000000.00000002.2668350477.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49e0000_bUBD.jbxd

Similarity

API ID: EnumValue
String ID:
API String ID: 2814608202-0
Opcode ID: af28ecdec5a34b9eef9e2dc21fbd145fc9f38d2bdaaf1d1301d7e389ae3b86f0
Instruction ID: 14e1ceefb91e100cbcfb8d98a936c0990abdba3c85209f83740cf612f4bd1524
Opcode Fuzzy Hash: af28ecdec5a34b9eef9e2dc21fbd145fc9f38d2bdaaf1d1301d7e389ae3b86f0
Instruction Fuzzy Hash: E601A271500200ABD310DF16DC46B66FBE8FB98A20F14811AED089BB42D735F925CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 049E0032 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,00000E24,?,?), ref: 049E0082

Memory Dump Source

Source File: 00000000.00000002.2668350477.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49e0000_bUBD.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: d153b57e625c1540a9df1adc6d6ac6c9ae5e20f4498447c227efa75cca5644f8
Instruction ID: 7e417250ba876c7e527082267736da8c3212b27ebad5b14538802519bdb14f32
Opcode Fuzzy Hash: d153b57e625c1540a9df1adc6d6ac6c9ae5e20f4498447c227efa75cca5644f8
Instruction Fuzzy Hash: 6101D671500200ABD310DF16DC46B76FBE8FB88A20F148159ED089BB42D735F925CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0082A186 Relevance: 1.5, APIs: 1, Instructions: 42networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,?), ref: 0082A1C1

Memory Dump Source

Source File: 00000000.00000002.2665835152.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_bUBD.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 37df1b44430342e3abfb8d4ab336ebf44051098b64e96b50050cfb4663eeff04
Instruction ID: 71dc6dfea353c55d98153486b2885c7e5a2131c5102cc7199ec55f204befd8d7
Opcode Fuzzy Hash: 37df1b44430342e3abfb8d4ab336ebf44051098b64e96b50050cfb4663eeff04
Instruction Fuzzy Hash: 17019E715042409FEB20CF55E944B62FBE4FF04324F08C8AADE4A8F656C279A458DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 049E3FCE Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 049E4009

Memory Dump Source

Source File: 00000000.00000002.2668350477.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49e0000_bUBD.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: a3c47c1401463ba203f59bf23551fc37c1ce80145b5daaa1bac5a9e5f126cd69
Instruction ID: 36415d87787f29186d1ffd21b46cebf5834235c588302a7a72b4b6caa40c6e27
Opcode Fuzzy Hash: a3c47c1401463ba203f59bf23551fc37c1ce80145b5daaa1bac5a9e5f126cd69
Instruction Fuzzy Hash: 2A017136500640DFEB228F16D844B65FBE4EF14225F08C4BEDD494B762D275E458DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0082ADCE Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 0082AE00

Memory Dump Source

Source File: 00000000.00000002.2665835152.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_bUBD.jbxd

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 17b1184c777473bc5d1573a80dca8c6172929196e745b2fdfe09085152a2d71c
Instruction ID: a3b92bcf4ac95db43538ec31e2e366918b3015df9ba186cf425606d7de6ac355
Opcode Fuzzy Hash: 17b1184c777473bc5d1573a80dca8c6172929196e745b2fdfe09085152a2d71c
Instruction Fuzzy Hash: 0501D175904244DFEB20CF15E984762FBE4EF44324F08C4AADD49CF756D279A888DAA2

Uniqueness

Uniqueness Score: -1.00%

Function 049E3BE2 Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 049E3C1D

Memory Dump Source

Source File: 00000000.00000002.2668350477.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49e0000_bUBD.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: c2e454e81210b51ca824d6ad7df35aa168ed9064d41cddb1e0b74df8ca39b6d3
Instruction ID: daaf26a49653325de8281f156a2eafee7ece6bb2cd274220ce075c1839aab385
Opcode Fuzzy Hash: c2e454e81210b51ca824d6ad7df35aa168ed9064d41cddb1e0b74df8ca39b6d3
Instruction Fuzzy Hash: C4017C315006409FDB318F06D845B65FBA4EF18620F08C4AADE494B662D276E468DAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0082A2DA Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0082A30C

Memory Dump Source

Source File: 00000000.00000002.2665835152.000000000082A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82a000_bUBD.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 5f71aa822617f7bc1b678bce3255539399884fb9cfab695868b6032671730ab5
Instruction ID: 265439606b3939b33a7d48c26a04578629517172ee2312ac4c0f17ee31d8ca1b
Opcode Fuzzy Hash: 5f71aa822617f7bc1b678bce3255539399884fb9cfab695868b6032671730ab5
Instruction Fuzzy Hash: BAF0A435504244DFDB20CF05E988761FBE0EF04724F08C0AADD098F756D379A848CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 049E3E7E Relevance: 1.5, APIs: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 049E3EB0

Memory Dump Source

Source File: 00000000.00000002.2668350477.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49e0000_bUBD.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 6496c559ac46b9f1b674ac0a6386f6cd58dce9ac8a603fafd688708a0525bcf9
Instruction ID: c5b756b0746455a3814d75bf5c6758e91d2fc3d9ced993237fe0e63973b4da30
Opcode Fuzzy Hash: 6496c559ac46b9f1b674ac0a6386f6cd58dce9ac8a603fafd688708a0525bcf9
Instruction Fuzzy Hash: 9FF0AF35A042449FEB21CF16D988761FBE4EF04324F08C4BADD095F756D379B408CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 04DF1C60 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2668494961.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_bUBD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8183ae71d85234015f3fe3031f7cf00b4389ea86a764291babd4e5183bd9bc51
Instruction ID: 8a8a0811f9c3b4e76c66a4b15f02a3bd50fc5eae0c4193fec0d0550f03969179
Opcode Fuzzy Hash: 8183ae71d85234015f3fe3031f7cf00b4389ea86a764291babd4e5183bd9bc51
Instruction Fuzzy Hash: 5011C9B5908341AFD350CF19D880A5BFBE4FB98664F04896EF998D7311D235E918CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D60794 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2666324421.0000000000D60000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_bUBD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1948437b5639d8f3a57713e640a2414c659056a3d402cfbc2b9fc3e2708315ad
Instruction ID: d23d060f2d522e0be9f6c495ad7e284dd1b2f9c8dc3e1b21902d2a9ac02f2ca7
Opcode Fuzzy Hash: 1948437b5639d8f3a57713e640a2414c659056a3d402cfbc2b9fc3e2708315ad
Instruction Fuzzy Hash: 6E21293514D3C09FD713CB10C850B55BFB1AF47308F2986DAD4888B6A3C27A981ADB62

Uniqueness

Uniqueness Score: -1.00%

Function 00D607C4 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2666324421.0000000000D60000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_bUBD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f119a01effe3d69f30aa44bbd5e470a55b8c960eea6310f66943abeaf2916718
Instruction ID: f106430658f9124e737ed40531778e19fb5c84f91c293067e136420d31f63f95
Opcode Fuzzy Hash: f119a01effe3d69f30aa44bbd5e470a55b8c960eea6310f66943abeaf2916718
Instruction Fuzzy Hash: 3011B430208280DFD715DB14D540B16BBA5AB89718F28C9ACE4495BB93C77BDC17CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0083ADEC Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2665943478.000000000083A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_83a000_bUBD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cfaadef139788c08a26e2a047f5940001aad78d7f9827acac5509365e938eba
Instruction ID: d72fb01a4f44c644d988d088d85f0f8f351271985e46974f3f8a4a669dce20d8
Opcode Fuzzy Hash: 0cfaadef139788c08a26e2a047f5940001aad78d7f9827acac5509365e938eba
Instruction Fuzzy Hash: 3C11FAB5908301AFD350CF09DC44E5BFBE8EB98660F04892EF95897311D231E908CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D605E0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2666324421.0000000000D60000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_bUBD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c331e0d3221595d32838e6eae7e62c6532ed8436a66f3c6d8e90c525f13160a6
Instruction ID: d441f04c13e351b79129e350bd820d927a8b2a9331ac5f495379d7bc3b4e6bc9
Opcode Fuzzy Hash: c331e0d3221595d32838e6eae7e62c6532ed8436a66f3c6d8e90c525f13160a6
Instruction Fuzzy Hash: 5B01A9B65097806FD711CB16AC44862FFE8DF86620B09C4AFED498B752D235B908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00D60774 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2666324421.0000000000D60000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_bUBD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b20d2f2522f3efdc57f4dce64ef5859c6247a4207e8078ccbf98b92fe3abc66
Instruction ID: fafc676fb4974aad01254b4699ee444745bcd8680057a32f23b74742c8f19c6a
Opcode Fuzzy Hash: 8b20d2f2522f3efdc57f4dce64ef5859c6247a4207e8078ccbf98b92fe3abc66
Instruction Fuzzy Hash: 22011235109380DFC303CB10D540B15BFB1FB8A718F2986EAD5854B6A2C37ADC16DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00D60880 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2666324421.0000000000D60000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_bUBD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e3ffe0ab8b8bec43b0eca7ca5da45ad1ed39b609236ae5c53b800e7332b5d85
Instruction ID: 29fd122ae4129e672ffee19a7c4856a7fce4f06edbe2aaa7ccfbb1f4d90ef729
Opcode Fuzzy Hash: 0e3ffe0ab8b8bec43b0eca7ca5da45ad1ed39b609236ae5c53b800e7332b5d85
Instruction Fuzzy Hash: 49F01D35148644DFC306CF00D540B16FBA2FB89718F24CAADE94917B62C737E823DA91

Uniqueness

Uniqueness Score: -1.00%

Function 00D60606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2666324421.0000000000D60000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_bUBD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55e138aa4e81abcd4ed9d6db91b96114021abb8b6882af4cd00230972c87a176
Instruction ID: 7cf92fe90b25b9326af43be2385860356fe39dc596d9d6a2600bc3933ed750f1
Opcode Fuzzy Hash: 55e138aa4e81abcd4ed9d6db91b96114021abb8b6882af4cd00230972c87a176
Instruction Fuzzy Hash: CEE092B66006409B9650CF0BFC41452F7D8EB84630708C47FDD0D8B701D23AB509CAA6

Uniqueness

Uniqueness Score: -1.00%

Function 0083AE3B Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2665943478.000000000083A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_83a000_bUBD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3274f40c8f932faa282f67809857a8743485bc190ca307ba9aa11218cf75c
Instruction ID: ed0c8b26089d93f817c97ad74ef751a769adf5c7bc7bc339d26314cdc64292ee
Opcode Fuzzy Hash: a3d3274f40c8f932faa282f67809857a8743485bc190ca307ba9aa11218cf75c
Instruction Fuzzy Hash: AEE0D8B254020467D2108F06AC45F62F798DB54931F08C567EE085F742D176B514CAF1

Uniqueness

Uniqueness Score: -1.00%

Function 04DF1CCB Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2668494961.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_bUBD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31f2c7962f21e67083d6d095ae177836f53df2b011222da77bc8e7be190813bf
Instruction ID: d4c568b46b4a8c8fd9616a560969c206b299d5fec308a759ebd9b24d83bb7cda
Opcode Fuzzy Hash: 31f2c7962f21e67083d6d095ae177836f53df2b011222da77bc8e7be190813bf
Instruction Fuzzy Hash: D3E0D8B254020067D6208F06AC45F52FB98DB54931F08C467ED081F742D176B518CAE1

Uniqueness

Uniqueness Score: -1.00%

Function 04DF1577 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2668494961.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_bUBD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1de364ba037469856f796527cc91633b3b79cccef3f73d2aa62f2806ee2210e
Instruction ID: c026c178b119c0f025547c529a9fe16d42797e768b0f86ef3a48e2d6f9d96984
Opcode Fuzzy Hash: f1de364ba037469856f796527cc91633b3b79cccef3f73d2aa62f2806ee2210e
Instruction Fuzzy Hash: 50E0D8B250020067D2109F06AC49F53FB98DB50930F08C467EE081F742D176B514CAE1

Uniqueness

Uniqueness Score: -1.00%

Function 008223F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2665812828.0000000000822000.00000040.00000800.00020000.00000000.sdmp, Offset: 00822000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_822000_bUBD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62d9e078ad201ae7fa0123326428a3da2bdd5ebbf00e54908ee38c646890e509
Instruction ID: 6a9196a9231bd9f894ba797dbdff605e58533f3cd4bfe796e35deb03bc443466
Opcode Fuzzy Hash: 62d9e078ad201ae7fa0123326428a3da2bdd5ebbf00e54908ee38c646890e509
Instruction Fuzzy Hash: E0D02E392006E04FD322EA0CD2A8B8537D4BB41704F0A08FAAC00CB763CB68D8C0DA00

Uniqueness

Uniqueness Score: -1.00%

Function 008223BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2665812828.0000000000822000.00000040.00000800.00020000.00000000.sdmp, Offset: 00822000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_822000_bUBD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d64baa27c3378901efa277c1558e5f518f0f8347a30c6d94cbba836f0295557
Instruction ID: f8c97bcd646b0906923734f35858366305fa3d19608d82a7935c97671ca3add1
Opcode Fuzzy Hash: 7d64baa27c3378901efa277c1558e5f518f0f8347a30c6d94cbba836f0295557
Instruction Fuzzy Hash: 71D05E342002914BC729DA0CD6D8F5937D4BF45714F0648E8AC10CB772C7A8D8C0DA00

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report bUBD.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Njrat

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\bUBD.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
bUBD.exe

Function 00B519F0 Relevance: 3.9, Strings: 2, Instructions: 1396
COMMON

Function 00B503F8 Relevance: 1.6, APIs: 1, Instructions: 104
COMMON

Function 0082B5DE Relevance: 1.6, APIs: 1, Instructions: 103
fileCOMMON

Function 00B503E8 Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Function 049E1D7E Relevance: 1.6, APIs: 1, Instructions: 99
registryCOMMON

Function 0082BB4B Relevance: 1.6, APIs: 1, Instructions: 98
registryCOMMON

Function 0082A7C7 Relevance: 1.6, APIs: 1, Instructions: 95
registryCOMMON

Function 049E099C Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Function 0082A612 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Function 049E0894 Relevance: 1.6, APIs: 1, Instructions: 89
timeCOMMON

Function 049E0190 Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Function 049E1DAA Relevance: 1.6, APIs: 1, Instructions: 86
registryCOMMON

Function 049E09BE Relevance: 1.6, APIs: 1, Instructions: 84
COMMON

Function 049E0D10 Relevance: 1.6, APIs: 1, Instructions: 81
COMMON

Function 0082A370 Relevance: 1.6, APIs: 1, Instructions: 80
registryCOMMON