Edit tour

Windows Analysis Report
bUHF.exe

Overview

General Information

Sample name:	bUHF.exe
Analysis ID:	1431191
MD5:	b47307545c821c03b617776a41df1741
SHA1:	086f735fcd95e8d3608e22494ae3cadd4d9d7acb
SHA256:	0f2be1e974ae7ee9be5354fbef333e105cce5c25473648e66a67269d560220f4
Tags:	exenjRat
Infos:

Detection

Njrat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Snort IDS alert for network traffic

Yara detected Njrat

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes (.Net Source)

Machine Learning detection for sample

Self deletion via cmd or bat file

Uses dynamic DNS services

Allocates memory with a write watch (potentially for evading sandboxes)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Classification

Process Tree

System is w10x64

bUHF.exe (PID: 2892 cmdline: "C:\Users\user\Desktop\bUHF.exe" MD5: B47307545C821C03B617776A41DF1741)

cmd.exe (PID: 5844 cmdline: cmd.exe /C Y /N /D Y /T 1 & Del "C:\Users\user\Desktop\bUHF.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
NjRAT	RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.	AQUATIC PANDA Earth Lusca Operation C-Major The Gorgon Group	http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/ http://blogs.360.cn/post/analysis-of-apt-c-37.html http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/ https://asec.ahnlab.com/1369	https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Malware Configuration

Threatname: Njrat

{"Host": "rusia.duckdns.org", "Port": "1994", "Campaign ID": "NYAN CAT", "Network Seprator": "@!#&^%$", "Registry": "aed0817703934"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
bUHF.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1988148100.0000000000022000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: bUHF.exe PID: 2892	JoeSecurity_Njrat	Yara detected Njrat	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.bUHF.exe.20000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) - Source IP: 192.168.2.5 - Destination IP: 46.246.84.12

Timestamp:	04/24/24-17:09:02.365130
SID:	2825563
Source Port:	49704
Destination Port:	1994
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.5 - Destination IP: 46.246.84.12

Timestamp:	04/24/24-17:09:01.858370
SID:	2033132
Source Port:	49704
Destination Port:	1994
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.5 - Destination IP: 46.246.84.12

Timestamp:	04/24/24-17:10:42.090158
SID:	2825564
Source Port:	49704
Destination Port:	1994
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: bUHF.exe

Avira: detected

Antivirus detection for URL or domain

Source: rusia.duckdns.org

Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000000.1988148100.0000000000022000.00000002.00000001.01000000.00000003.sdmp

Malware Configuration Extractor: Njrat {"Host": "rusia.duckdns.org", "Port": "1994", "Campaign ID": "NYAN CAT", "Network Seprator": "@!#&^%$", "Registry": "aed0817703934"}

Yara detected Njrat

Source: Yara match	File source: bUHF.exe, type: SAMPLE
Source: Yara match	File source: 0.0.bUHF.exe.20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1988148100.0000000000022000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bUHF.exe PID: 2892, type: MEMORYSTR

Machine Learning detection for sample

Source: bUHF.exe

Joe Sandbox ML: detected

Source: bUHF.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\bUHF.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: bUHF.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49704 -> 46.246.84.12:1994
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.5:49704 -> 46.246.84.12:1994
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.5:49704 -> 46.246.84.12:1994

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: rusia.duckdns.org

Uses dynamic DNS services

Source: unknown

DNS query: name: rusia.duckdns.org

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 46.246.84.12:1994

Source: Joe Sandbox View

IP Address: 46.246.84.12 46.246.84.12

Source: Joe Sandbox View

ASN Name: PORTLANEwwwportlanecomSE PORTLANEwwwportlanecomSE

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: rusia.duckdns.org

Source: bUHF.exe, 00000000.00000002.3089483402.00000000004DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.micros
Source: bUHF.exe, 00000000.00000002.3089483402.000000000054A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.
Source: bUHF.exe, 00000000.00000002.3089483402.000000000054A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.LinkId=42127

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: bUHF.exe, Keylogger.cs

.Net Code: VKCodeToUnicode

E-Banking Fraud

Yara detected Njrat

Source: Yara match	File source: bUHF.exe, type: SAMPLE
Source: Yara match	File source: 0.0.bUHF.exe.20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1988148100.0000000000022000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bUHF.exe PID: 2892, type: MEMORYSTR

Source: C:\Users\user\Desktop\bUHF.exe

Code function: 0_2_00A319F0

0_2_00A319F0

Source: bUHF.exe, 00000000.00000000.1988340707.0000000000028000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameClient22.exe4 vs bUHF.exe
Source: bUHF.exe, 00000000.00000002.3089483402.00000000004DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs bUHF.exe
Source: bUHF.exe	Binary or memory string: OriginalFilenameClient22.exe4 vs bUHF.exe

Source: bUHF.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/1@1/1

Source: C:\Users\user\Desktop\bUHF.exe	Code function: 0_2_00BD22AA AdjustTokenPrivileges,		0_2_00BD22AA
Source: C:\Users\user\Desktop\bUHF.exe	Code function: 0_2_00BD2273 AdjustTokenPrivileges,		0_2_00BD2273

Source: C:\Users\user\Desktop\bUHF.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\bUHF.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\bUHF.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\bUHF.exe	Mutant created: \Sessions\1\BaseNamedObjects\aed0817703934
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3608:120:WilError_03
Source: C:\Users\user\Desktop\bUHF.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: bUHF.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: bUHF.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Source: C:\Users\user\Desktop\bUHF.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\bUHF.exe "C:\Users\user\Desktop\bUHF.exe"
Source: C:\Users\user\Desktop\bUHF.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C Y /N /D Y /T 1 & Del "C:\Users\user\Desktop\bUHF.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\bUHF.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C Y /N /D Y /T 1 & Del "C:\Users\user\Desktop\bUHF.exe"	Jump to behavior

Source: C:\Users\user\Desktop\bUHF.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Users\user\Desktop\bUHF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\bUHF.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: bUHF.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\bUHF.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: bUHF.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: bUHF.exe, Program.cs

.Net Code: Plugin System.Reflection.Assembly.Load(byte[])

Hooking and other Techniques for Hiding and Protection

Self deletion via cmd or bat file

Source: C:\Users\user\Desktop\bUHF.exe	Process created: cmd.exe /C Y /N /D Y /T 1 & Del "C:\Users\user\Desktop\bUHF.exe"
Source: C:\Users\user\Desktop\bUHF.exe	Process created: cmd.exe /C Y /N /D Y /T 1 & Del "C:\Users\user\Desktop\bUHF.exe"			Jump to behavior

Source: C:\Users\user\Desktop\bUHF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\bUHF.exe	Memory allocated: 9B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Memory allocated: 26D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Memory allocated: 46D0000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\bUHF.exe	Window / User API: threadDelayed 3652	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Window / User API: threadDelayed 5730	Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe	Window / User API: foregroundWindowGot 1767	Jump to behavior

Source: C:\Users\user\Desktop\bUHF.exe TID: 360	Thread sleep time: -99000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\bUHF.exe TID: 360	Thread sleep time: -5730000s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: bUHF.exe, 00000000.00000002.3089483402.000000000054A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\bUHF.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\bUHF.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: bUHF.exe, Program.cs	Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, cbName, ref lpszVer, 100)
Source: bUHF.exe, Keylogger.cs	Reference to suspicious API methods: MapVirtualKey(a, 0u)
Source: bUHF.exe, Keylogger.cs	Reference to suspicious API methods: GetAsyncKeyState(num2)

Source: bUHF.exe, 00000000.00000002.3090810217.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp, bUHF.exe, 00000000.00000002.3090810217.00000000027FA000.00000004.00000800.00020000.00000000.sdmp, bUHF.exe, 00000000.00000002.3090810217.0000000002AB2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: bUHF.exe, 00000000.00000002.3090810217.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp, bUHF.exe, 00000000.00000002.3090810217.00000000027FA000.00000004.00000800.00020000.00000000.sdmp, bUHF.exe, 00000000.00000002.3090810217.0000000002AB2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@9

Source: C:\Users\user\Desktop\bUHF.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\bUHF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Njrat

Source: Yara match	File source: bUHF.exe, type: SAMPLE
Source: Yara match	File source: 0.0.bUHF.exe.20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1988148100.0000000000022000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bUHF.exe PID: 2892, type: MEMORYSTR

Remote Access Functionality

Yara detected Njrat

Source: Yara match	File source: bUHF.exe, type: SAMPLE
Source: Yara match	File source: 0.0.bUHF.exe.20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1988148100.0000000000022000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bUHF.exe PID: 2892, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	1 Input Capture	1 Security Software Discovery	Remote Services	1 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	2 Process Injection	2 Virtualization/Sandbox Evasion	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Disable or Modify Tools	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Access Token Manipulation	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	21 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Process Injection	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
bUHF.exe	100%	Avira	TR/Dropper.Gen7
bUHF.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://go.microsoft.	0%	URL Reputation	safe
http://go.micros	0%	URL Reputation	safe
rusia.duckdns.org	100%	Avira URL Cloud	malware
http://go.microsoft.LinkId=42127	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
rusia.duckdns.org	46.246.84.12	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
rusia.duckdns.org	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://go.microsoft.	bUHF.exe, 00000000.00000002.3089483402.000000000054A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://go.microsoft.LinkId=42127	bUHF.exe, 00000000.00000002.3089483402.000000000054A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://go.micros	bUHF.exe, 00000000.00000002.3089483402.00000000004DE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
46.246.84.12	rusia.duckdns.org	Sweden		42708	PORTLANEwwwportlanecomSE	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431191
Start date and time:	2024-04-24 17:08:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	bUHF.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/1@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 91 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: bUHF.exe

Simulations

Behavior and APIs

Time	Type	Description
17:09:30	API Interceptor	271286x Sleep call for process: bUHF.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
46.246.84.12	xkzdRi6nGpg3.exe	Get hash	malicious	Njrat	Browse
	1L79IBlk3o.exe	Get hash	malicious	XWorm	Browse
	xueSatPQMUFH.exe	Get hash	malicious	ArrowRAT	Browse
	x2xFapxhdTcU.exe	Get hash	malicious	ArrowRAT	Browse
	Claro Securty.apk	Get hash	malicious	Unknown	Browse
	Win defender.exe	Get hash	malicious	Njrat	Browse
	cgdifn.msi	Get hash	malicious	Unknown	Browse
	Corona App.apk	Get hash	malicious	Unknown	Browse
	cgdifn.msi	Get hash	malicious	Unknown	Browse
	CGDIFN.exe	Get hash	malicious	LodaRAT	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
rusia.duckdns.org	xkzdRi6nGpg3.exe	Get hash	malicious	Njrat	Browse	46.246.84.12
	xjXIE2ZFFSw4.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	46.246.14.10
	xjXIE2ZFFSw4.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	46.246.14.10
	xyyDAUDPeYEH.exe	Get hash	malicious	Njrat	Browse	46.246.6.20
	x7RZVIWaDKb5.exe	Get hash	malicious	Njrat	Browse	46.246.14.17
	x7RZVIWaDKb5.exe	Get hash	malicious	Njrat	Browse	46.246.14.17
	bUBL.exe	Get hash	malicious	Njrat	Browse	46.246.14.17
	x6Xw7vcuD9zM.exe	Get hash	malicious	Njrat	Browse	46.246.14.23
	bTAB.exe	Get hash	malicious	Njrat	Browse	46.246.80.3
	xbd0vU3xnyOS.exe	Get hash	malicious	Njrat	Browse	46.246.6.7

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PORTLANEwwwportlanecomSE	xkzdRi6nGpg3.exe	Get hash	malicious	Njrat	Browse	46.246.84.12
	Price request N#U00b0DEM23000199.js	Get hash	malicious	AsyncRAT, PureLog Stealer, RedLine	Browse	178.73.192.3
	xjXIE2ZFFSw4.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	46.246.14.10
	xjXIE2ZFFSw4.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	46.246.14.10
	BitTorrent-7.6.exe	Get hash	malicious	Unknown	Browse	188.126.94.80
	xVcsGL5R1Nbh.exe	Get hash	malicious	Njrat	Browse	46.246.6.20
	xyyDAUDPeYEH.exe	Get hash	malicious	Njrat	Browse	46.246.6.20
	xzcQo6GenFVf.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	46.246.14.5
	tajma.x86-20240422-0535.elf	Get hash	malicious	Mirai, Okiru	Browse	188.126.69.245
	x7RZVIWaDKb5.exe	Get hash	malicious	Njrat	Browse	46.246.14.17

Process:	C:\Users\user\Desktop\bUHF.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	907
Entropy (8bit):	5.243019596074263
Encrypted:	false
SSDEEP:	24:MLF2CpI329Iz52VMzffup26KTnKoO2+b2hHAa/:MwQd9IzoaXuY6Ux+SF/
MD5:	48A0572426885EBDE53CA62C7F2E194E
SHA1:	035628CDF6276367F6C83E9F4AA2172933850AA8
SHA-256:	4C68E10691304CAC8DA65A05CF2580728EC0E294104F267840712AF1C46A6538
SHA-512:	DEFE728C2312918D94BD43C98908C08CCCA5EBFB77F873779DCA784F14C607B33A4E29AC5ECB798F2F741668B7692F72BCB60DEFD536EA86B296B64FA359C42D
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\53992d421e2c7ecf6609c62b3510a6f0\System.Configuration.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\74774597e319a738b792e6a6c06d3559\System.Xml.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\1bd56c432cb9ff27e335d97f404caf8f\System.Management.ni.dll",0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	3.8017804727292726
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	bUHF.exe
File size:	32'768 bytes
MD5:	b47307545c821c03b617776a41df1741
SHA1:	086f735fcd95e8d3608e22494ae3cadd4d9d7acb
SHA256:	0f2be1e974ae7ee9be5354fbef333e105cce5c25473648e66a67269d560220f4
SHA512:	3393fd1e427430e5ac3a8d40bef45bd26d0490d9184d4cbddb595efa1c6fc5ede427962d93c18710d554472c93d6e4dc42bb4c7bb6e987c305b9c43c3a0d2209
SSDEEP:	384:z0bUe5XB4e0XvOxZggUBZIGlWT1tTUFQqzFBObbB:gT9BumzggUBZI5XbB
TLSH:	6CE2080A7BA58215C6BC1AFC8CB313210772E3478532EB6F5CDC88CA5B67AD44645EED
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....)f.................P... ......ng... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40676e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6629121B [Wed Apr 24 14:07:23 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6718	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8000	0x2a8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x4774	0x5000	b8b7fff03707f4af4df8bc2bb76d1fbe	False	0.475146484375	data	5.291960881583985	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x8000	0x2a8	0x1000	06f784705978c77c74b103740d210ee3	False	0.07763671875	data	0.6775791141051085	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa000	0xc	0x1000	34585954bedb30c5084980db7d41ad8f	False	0.0087890625	data	0.013126943721219527	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x8058	0x24c	data			0.46598639455782315

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/24/24-17:09:02.365130	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49704	1994	192.168.2.5	46.246.84.12
04/24/24-17:09:01.858370	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49704	1994	192.168.2.5	46.246.84.12
04/24/24-17:10:42.090158	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49704	1994	192.168.2.5	46.246.84.12

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 17:09:01.382041931 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:09:01.777091980 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:09:01.777225971 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:09:01.858370066 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:09:02.365070105 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:09:02.365129948 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:09:02.867944002 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:09:06.665285110 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:09:07.269476891 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:09:08.723532915 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:09:08.728322029 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:09:09.168953896 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:09:24.211107016 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:09:24.211716890 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:09:24.767654896 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:09:39.985285997 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:09:39.985694885 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:09:40.466756105 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:09:53.368144989 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:09:53.870814085 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:09:55.227912903 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:09:55.764136076 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:09:55.901596069 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:09:55.901875019 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:09:56.465127945 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:01.868076086 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:02.458620071 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:02.458771944 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:02.967127085 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:03.086726904 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:03.557346106 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:03.557468891 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:03.984031916 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:04.068381071 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:04.068548918 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:04.365196943 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:04.392777920 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:04.392963886 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:04.616240025 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:04.669766903 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:04.669869900 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:04.758838892 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:04.758925915 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:04.870953083 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:04.871032953 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:05.049901009 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:05.051668882 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:05.142874002 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:05.143603086 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:05.350229025 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:05.369899988 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:05.371625900 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:05.529249907 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:05.529654980 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:05.740798950 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:05.741604090 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:05.919392109 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:05.919507980 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:06.139909983 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:06.266932964 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:06.267206907 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:06.468153954 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:06.468254089 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:06.547235012 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:06.547319889 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:06.753146887 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:06.857953072 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:06.858155012 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:07.053271055 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:07.173069000 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:07.173209906 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:07.258785009 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:07.258996010 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:07.447135925 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:07.447329998 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:07.660492897 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:07.660805941 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:07.906310081 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:07.968523026 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:07.968724012 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:08.167180061 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:08.167409897 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:08.335134029 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:08.335252047 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:08.555234909 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:08.555443048 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:08.747066975 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:08.969398022 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:08.969619036 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:09.140456915 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:09.143685102 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:09.356736898 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:09.359647989 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:09.466388941 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:09.466500998 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:09.669188023 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:09.671679974 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:09.862420082 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:09.865822077 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:10.118077993 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:10.165462017 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:10.165703058 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:10.463546038 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:10.515407085 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:10.515584946 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:10.567264080 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:10.567433119 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:10.768976927 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:10.769169092 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:10.867353916 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:10.867674112 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:10.971242905 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:10.971472979 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:11.183275938 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:11.265327930 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:11.269609928 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:11.469239950 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:11.472419024 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:11.551322937 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:11.553637028 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:11.565404892 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:11.568125010 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:11.572247028 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:11.575558901 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:11.766233921 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:11.767671108 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:11.862435102 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:11.863773108 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:11.938338995 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:11.938447952 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:11.959306955 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:11.959696054 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:12.210448980 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:12.264802933 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:12.264949083 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:12.325263977 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:12.325341940 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:12.464641094 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:12.464708090 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:12.604346991 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:12.604490042 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:12.728864908 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:12.728992939 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:12.936625004 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:13.014822006 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:13.014914989 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:13.264719009 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:13.264864922 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:13.350895882 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:13.351058006 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:13.465862036 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:13.466022015 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:13.723395109 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:13.756932020 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:13.757021904 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:13.847975016 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:13.848217010 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:14.120865107 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:14.121176004 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:14.236656904 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:14.236839056 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:14.497761011 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:14.637729883 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:14.637825966 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:14.850481987 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:14.890073061 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:14.890156031 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:15.128674984 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:15.168072939 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:15.168397903 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:15.293443918 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:15.297640085 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:15.529645920 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:15.540411949 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:15.540529013 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:15.563760042 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:15.563841105 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:15.765801907 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:15.768580914 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:15.925079107 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:15.925597906 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:15.987777948 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:15.989552975 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:16.259325981 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:16.349931002 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:16.350188971 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:16.568655014 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:16.568723917 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:16.686070919 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:16.686168909 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:16.872143030 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:16.872344971 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:17.058151960 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:17.059806108 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:17.294260979 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:17.357033968 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:17.357158899 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:17.564465046 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:17.666157007 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:17.669719934 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:17.697879076 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:17.701664925 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:17.782128096 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:17.785669088 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:17.979688883 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:17.979804039 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:18.000658035 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:18.000755072 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:18.097369909 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:18.097565889 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:18.318157911 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:18.357423067 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:18.357512951 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:18.403286934 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:18.403381109 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:18.667445898 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:18.667618036 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:18.708343983 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:18.708539963 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:18.797296047 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:18.797430992 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:19.057543993 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:19.092453003 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:19.092684031 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:19.357763052 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:19.358330011 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:19.449126959 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:19.449356079 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:19.669500113 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:19.669719934 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:19.762165070 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:19.762263060 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:20.002033949 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:20.057301998 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:20.057540894 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:20.148293018 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:20.148473978 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:20.382361889 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:20.400378942 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:20.400669098 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:20.551115036 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:20.551197052 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:20.771159887 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:20.771311045 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:20.973351002 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:20.973608017 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:21.167265892 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:21.169567108 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:21.179291964 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:21.180531025 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:21.427887917 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:21.557483912 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:21.559047937 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:21.587537050 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:21.587722063 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:21.820225000 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:21.836870909 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:21.841590881 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:21.978919983 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:21.979136944 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:22.219726086 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:22.243949890 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:22.244091988 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:22.363368988 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:22.363585949 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:22.580542088 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:22.629638910 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:22.629717112 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:22.761066914 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:22.761128902 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:22.971529007 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:22.985696077 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:22.985794067 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:23.157804966 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:23.159676075 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:23.266791105 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:23.269567013 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:23.437359095 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:23.437546968 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:23.572666883 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:23.575658083 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:23.771008015 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:23.831161022 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:23.833592892 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:23.999043941 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:23.999619961 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:24.174160957 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:24.174323082 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:24.182969093 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:24.183016062 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:24.383192062 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:24.383304119 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:24.569159031 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:24.569231987 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:24.893527985 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:24.893749952 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:25.056004047 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:25.056283951 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:25.254781961 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:25.368230104 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:25.368320942 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:25.568983078 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:25.569310904 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:25.662952900 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:25.663312912 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:25.866369963 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:25.866468906 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:26.062172890 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:26.062469006 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:26.263262987 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:26.458112001 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:26.458203077 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:26.567526102 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:26.567770958 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:26.675493002 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:26.675759077 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:26.871160984 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:26.956726074 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:26.956882954 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:27.156868935 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:27.157119036 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:27.191615105 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:27.191839933 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:27.304132938 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:27.304234028 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:27.305016041 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:27.474327087 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:27.474443913 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:27.589225054 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:27.589464903 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:27.838180065 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:27.859224081 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:27.859514952 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:27.970498085 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:27.970763922 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:28.157322884 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:28.157421112 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:28.263154030 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:28.263252974 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:28.409028053 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:28.409252882 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:28.620973110 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:28.664963961 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:28.665222883 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:28.916996002 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:28.972718954 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:28.972898960 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:29.043428898 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:29.043699026 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:29.169262886 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:29.169493914 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:29.338347912 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:29.338443995 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:29.460572958 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:29.460659981 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:29.689178944 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:29.728684902 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:29.728811026 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:29.936805964 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:29.968728065 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:29.968961000 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:30.129157066 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:30.131772041 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:30.313446999 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:30.317667961 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:30.350239038 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:30.350263119 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:30.350533009 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:30.537378073 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:30.537475109 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:30.737478018 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:30.737631083 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:31.121646881 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:31.121856928 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:31.459567070 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:31.666738987 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:31.666861057 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:31.879420042 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:32.274657965 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:32.643378019 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:33.051882982 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:33.167788982 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:33.167944908 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:33.387386084 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:33.458887100 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:33.459157944 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:33.503861904 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:33.504007101 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:33.665946960 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:33.666060925 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:33.798077106 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:33.798115969 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:33.798288107 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:33.928841114 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:33.929099083 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:34.156864882 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:34.157146931 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:34.262883902 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:34.263216019 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:34.480817080 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:34.555228949 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:34.555383921 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:34.768982887 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:34.769125938 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:34.898015022 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:34.898113966 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:35.156507015 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:35.156651974 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:35.265981913 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:35.266087055 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:35.373920918 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:35.374075890 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:35.542026043 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:35.659183025 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:35.659302950 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:35.849615097 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:35.948213100 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:35.948390961 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:36.090253115 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:36.090401888 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:36.265974998 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:36.266067028 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:36.457251072 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:36.473324060 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:36.473450899 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:36.620196104 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:36.620307922 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:36.769067049 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:36.769200087 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:36.850305080 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:36.850380898 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:36.852129936 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:36.968277931 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:36.968425989 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:37.154273987 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:37.157738924 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:37.365375996 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:37.367728949 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:37.539216042 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:37.539391041 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:37.783382893 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:37.958245993 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:37.961617947 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:38.216387987 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:38.216619968 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:38.426922083 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:38.568478107 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:38.568645954 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:38.769733906 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:38.769859076 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:38.847470999 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:38.847562075 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:39.097397089 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:39.159406900 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:39.159792900 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:39.370107889 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:39.370208979 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:39.496376991 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:39.496692896 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:39.631880999 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:39.635684967 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:39.761733055 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:39.764681101 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:39.890505075 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:39.893515110 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:40.115123987 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:40.169567108 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:40.169764042 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:40.285638094 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:40.285968065 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:40.478903055 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:40.479351044 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:40.552542925 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:40.552588940 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:40.552650928 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:40.629373074 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:40.688714981 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:40.688843012 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:40.917805910 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:40.963078976 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:40.963169098 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:41.053505898 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:41.053764105 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:41.266520023 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:41.266731977 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:41.328805923 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:41.328978062 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:41.461606026 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:41.461878061 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:41.685558081 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:41.722387075 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:41.722531080 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:41.954335928 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:42.074845076 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:42.075145006 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:42.089991093 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:42.090157986 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:42.272556067 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:42.272651911 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:42.364746094 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:42.364845991 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:42.480562925 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:42.480707884 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:42.628830910 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:42.628923893 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:42.672691107 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:42.672871113 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:42.874325037 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:42.874694109 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:43.072181940 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:43.072263956 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:43.266043901 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:43.267715931 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:43.352494955 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:43.352624893 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:43.393254042 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:43.513086081 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:43.513629913 CEST	49704	1994	192.168.2.5	46.246.84.12
Apr 24, 2024 17:10:43.742055893 CEST	1994	49704	46.246.84.12	192.168.2.5
Apr 24, 2024 17:10:43.742114067 CEST	49704	1994	192.168.2.5	46.246.84.12

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 17:09:00.675107956 CEST	65395	53	192.168.2.5	1.1.1.1
Apr 24, 2024 17:09:01.378818989 CEST	53	65395	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 24, 2024 17:09:00.675107956 CEST	192.168.2.5	1.1.1.1	0xb9b8	Standard query (0)	rusia.duckdns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 24, 2024 17:09:01.378818989 CEST	1.1.1.1	192.168.2.5	0xb9b8	No error (0)	rusia.duckdns.org		46.246.84.12	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	17:08:52
Start date:	24/04/2024
Path:	C:\Users\user\Desktop\bUHF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\bUHF.exe"
Imagebase:	0x20000
File size:	32'768 bytes
MD5 hash:	B47307545C821C03B617776A41DF1741
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000000.1988148100.0000000000022000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	17:10:42
Start date:	24/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C Y /N /D Y /T 1 & Del "C:\Users\user\Desktop\bUHF.exe"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	17:10:42
Start date:	24/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	15.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.1%
Total number of Nodes:	145
Total number of Limit Nodes:	8

Executed Functions

Function 00A319F0 Relevance: 3.9, Strings: 2, Instructions: 1396
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00A326A6
, xrefs: 00A3269C

Memory Dump Source

Source File: 00000000.00000002.3090467009.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_bUHF.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 47255569ca52408c8877e5368209f5018132e8031f59dfcc1664850aa5d9eadc
Instruction ID: 3d773be78ed5eefa4754700e664fbfd7f7c0b6dc0080c712f3ef40544aed85f0
Opcode Fuzzy Hash: 47255569ca52408c8877e5368209f5018132e8031f59dfcc1664850aa5d9eadc
Instruction Fuzzy Hash: 5DC2AE34B002149FCB58EB75C954BADB7F3AF89308F1180A9E5099B7A9DF709D85CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00BD2273 Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 00BD22F3

Memory Dump Source

Source File: 00000000.00000002.3090726082.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_bUHF.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: c615f76229dc6f444e5054c1df585c7ba860a4379e03bdff26daef1de4888128
Instruction ID: 65ad0f1bde598695be1580d0c0a9b869fdc1c8f665adbbca2e812d5ab075cb20
Opcode Fuzzy Hash: c615f76229dc6f444e5054c1df585c7ba860a4379e03bdff26daef1de4888128
Instruction Fuzzy Hash: 5B21BF765097C09FDB228F25DC40B52BFF4EF16310F0884DAE9858B663D271A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00BD22AA Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 00BD22F3

Memory Dump Source

Source File: 00000000.00000002.3090726082.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_bUHF.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: f18ecd9e491feae794ace9bef32ca39b9cd8a386e07dcf982750df98a85de5bc
Instruction ID: bd5abaa889e47368e43f9fd0b279d2a279d8926c873f8a9cfce066e33ea2d884
Opcode Fuzzy Hash: f18ecd9e491feae794ace9bef32ca39b9cd8a386e07dcf982750df98a85de5bc
Instruction Fuzzy Hash: AC11A0366007449FDB20CF55D984B66FBE4EF18320F0884AAED458B751E375E458DF62

Uniqueness

Uniqueness Score: -1.00%

Function 00A303F8 Relevance: 1.6, APIs: 1, Instructions: 104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 00A3041F

Memory Dump Source

Source File: 00000000.00000002.3090467009.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_bUHF.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 537c5ad76678a12bd1b01e5a6e21c725db53778ef8ff37f1fed240df1291460b
Instruction ID: 915326d65a14ef0debc01232fb62a88fa822d540c61444c748ddee6f5fac4783
Opcode Fuzzy Hash: 537c5ad76678a12bd1b01e5a6e21c725db53778ef8ff37f1fed240df1291460b
Instruction Fuzzy Hash: 83315D71A002048FCB04DF78D994A9DB7F6AF88304F58C069E809DB35ADB35DE85CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0080B5DE Relevance: 1.6, APIs: 1, Instructions: 103
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0080B69D

Memory Dump Source

Source File: 00000000.00000002.3089942653.000000000080A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80a000_bUHF.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6372402abb1e8910a1b0ad46059b63a62f36c021a3569cad37398a51095b77a0
Instruction ID: 9a3e09b4ab82aab7eeb44d410e74ad9b7bd8b993c3c0f60bd484a7fc91fb27f4
Opcode Fuzzy Hash: 6372402abb1e8910a1b0ad46059b63a62f36c021a3569cad37398a51095b77a0
Instruction Fuzzy Hash: AE3192B1505380AFE712CB65DC44BA2BFE8EF06314F08449AE9858B692D375E809DB71

Uniqueness

Uniqueness Score: -1.00%

Function 00BD1D7E Relevance: 1.6, APIs: 1, Instructions: 99
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 00BD1E45

Memory Dump Source

Source File: 00000000.00000002.3090726082.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_bUHF.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 166e523fc2b385c3ff7b82b58495e572fbc8bdc619d1de13c3f86ccaad01eb2c
Instruction ID: 1f26104c0ef0faa8b10eae8128ba6810042d1327a10222e298a3695c389f3533
Opcode Fuzzy Hash: 166e523fc2b385c3ff7b82b58495e572fbc8bdc619d1de13c3f86ccaad01eb2c
Instruction Fuzzy Hash: 3B316172504744AFD721CB65CC84FA7FBFCEF09310F04499AE9858B652D324E908CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A303E8 Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 00A3041F

Memory Dump Source

Source File: 00000000.00000002.3090467009.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_bUHF.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 13d61690081f8936272297823c6aafc2bea6aec5adf76696007d72fcb45f4e34
Instruction ID: 9a95d345dbea2037bbf64e90c9c07ddbed44192d9e657c0dd6f61a354ff19def
Opcode Fuzzy Hash: 13d61690081f8936272297823c6aafc2bea6aec5adf76696007d72fcb45f4e34
Instruction Fuzzy Hash: 10315271A002058FCB04DF78D994A9DB7F6AF88304F59C469E809DB35ADB34DD85CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0080BB4B Relevance: 1.6, APIs: 1, Instructions: 98
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 0080BC12

Memory Dump Source

Source File: 00000000.00000002.3089942653.000000000080A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80a000_bUHF.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 18a198cdd0962a1a540137a0082ba0c36112e755feb079411f6bbc8397a49cc6
Instruction ID: 69887eae74a5776dd87d52ded060ec704216fddf4c7a45c9cc6ac643b59718b7
Opcode Fuzzy Hash: 18a198cdd0962a1a540137a0082ba0c36112e755feb079411f6bbc8397a49cc6
Instruction Fuzzy Hash: D1316B6510E7C06FD3138B258C61A61BFB4EF47610B0E45CBD8C48B6A3D229A909D7B2

Uniqueness

Uniqueness Score: -1.00%

Function 0080A7C7 Relevance: 1.6, APIs: 1, Instructions: 95
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0080A879

Memory Dump Source

Source File: 00000000.00000002.3089942653.000000000080A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80a000_bUHF.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 92151fe284fa943e521ca940afd7ffb15ea6c5c1e0abd4ad6fefbcddd9f3d40b
Instruction ID: e49af549a8a35554fbf1d08490e9558f15528a16e329b3248b457ea1ac867fa6
Opcode Fuzzy Hash: 92151fe284fa943e521ca940afd7ffb15ea6c5c1e0abd4ad6fefbcddd9f3d40b
Instruction Fuzzy Hash: 9931A7725083846FE7228B61DC44FA7BFBCEF06314F04849BE985CB692D264A90DC771

Uniqueness

Uniqueness Score: -1.00%

Function 00BD099C Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32(?,00000E24), ref: 00BD0A63

Memory Dump Source

Source File: 00000000.00000002.3090726082.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_bUHF.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 7216781d2da4a3e5f439858717676bfd8982e86b4c9fb804969e4b8fe26a5138
Instruction ID: f9e23f5aa5c61c924c79463b5f7510f29339426f831aed8d6afa149752808315
Opcode Fuzzy Hash: 7216781d2da4a3e5f439858717676bfd8982e86b4c9fb804969e4b8fe26a5138
Instruction Fuzzy Hash: E031D671504344AFE721CB60CC84FAAFBECEF04314F04489AFA899B281D375A948CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0080A612 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0080A6B9

Memory Dump Source

Source File: 00000000.00000002.3089942653.000000000080A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80a000_bUHF.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: ca27f1b830bc88c56aaa4ceff9d881c0af3826fa44e2e66f0c99e8b1456cc4d8
Instruction ID: 4b2193aa9ace1b60b3816de6d53aa7e80fcf8959630d9197efd3175e2d7f44dc
Opcode Fuzzy Hash: ca27f1b830bc88c56aaa4ceff9d881c0af3826fa44e2e66f0c99e8b1456cc4d8
Instruction Fuzzy Hash: B83181755093805FE711CB65CC85B96BFF8EF06314F08849AE984CB292D365E909C772

Uniqueness

Uniqueness Score: -1.00%

Function 00BD0894 Relevance: 1.6, APIs: 1, Instructions: 89
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessTimes.KERNELBASE(?,00000E24,992EDC6F,00000000,00000000,00000000,00000000), ref: 00BD0931

Memory Dump Source

Source File: 00000000.00000002.3090726082.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_bUHF.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: f5639b889e3a64a6f94468831012413d6759e724db35e92a03492f76e4c74048
Instruction ID: 255b850f5810779660078b2c885d102f2d4b78a087d29fb538976d5a663a7338
Opcode Fuzzy Hash: f5639b889e3a64a6f94468831012413d6759e724db35e92a03492f76e4c74048
Instruction Fuzzy Hash: 3031E5725053806FEB12CF60DC44B96BFB8EF06314F0884DAE9858B153D325A908C775

Uniqueness

Uniqueness Score: -1.00%

Function 00BD0190 Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 00BD0227

Memory Dump Source

Source File: 00000000.00000002.3090726082.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_bUHF.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 2d9500061b0a27ba2854ae69c4186487149142c96be0a6b9d78c006645731b10
Instruction ID: b2530440af03bd5227aebc38041c59c43a5604330743d4353d72a41ab762a6e7
Opcode Fuzzy Hash: 2d9500061b0a27ba2854ae69c4186487149142c96be0a6b9d78c006645731b10
Instruction Fuzzy Hash: C0318172505384AFEB21CB65DC45FABBFE8EF05310F08849AE984CB652D364E808CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00BD1DAA Relevance: 1.6, APIs: 1, Instructions: 86
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 00BD1E45

Memory Dump Source

Source File: 00000000.00000002.3090726082.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_bUHF.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 66eeb119a103f46c07f953902e0317fd83c11a0d7fad88ea02457eabe1a7dd0f
Instruction ID: 755023d11fd0d724d4d6ccc5114c3382fab554ae81bd298a95beb1e30d496fc7
Opcode Fuzzy Hash: 66eeb119a103f46c07f953902e0317fd83c11a0d7fad88ea02457eabe1a7dd0f
Instruction Fuzzy Hash: 8A217E72600604AFEB21DF55CC84FABFBECEF08714F04895AED85C7651E720E9488AB1

Uniqueness

Uniqueness Score: -1.00%

Function 00BD09BE Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E24), ref: 00BD0A63

Memory Dump Source

Source File: 00000000.00000002.3090726082.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_bUHF.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 5a38e1539271cc81b368cf2130ca3ed3fe35b68f98a02665150cb9f8726b41fa
Instruction ID: 448559158bb4af7f10151a73f395ce2f86a7dfef670e4c6528a89d8329e75456
Opcode Fuzzy Hash: 5a38e1539271cc81b368cf2130ca3ed3fe35b68f98a02665150cb9f8726b41fa
Instruction Fuzzy Hash: E221A671500344AEEB20DB61CC84FAAF7ECEF04714F14445AFA499B681D7B5A5498B71

Uniqueness

Uniqueness Score: -1.00%

Function 00BD0D10 Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

GetVolumeInformationA.KERNELBASE(?,00000E24,?,?), ref: 00BD0DB6

Memory Dump Source

Source File: 00000000.00000002.3090726082.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_bUHF.jbxd

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: 68263a15593459ab5fe930dc4d7b7b473303e0bd2cc549f28e6fa77d6226cfa0
Instruction ID: cef7575082307ca89efb45a78af9723a4fc8762eb58f022a64fbec2f3f1e40f3
Opcode Fuzzy Hash: 68263a15593459ab5fe930dc4d7b7b473303e0bd2cc549f28e6fa77d6226cfa0
Instruction Fuzzy Hash: CC319E7150E3C06FD312CB258C55B66BFB8EF47610F1980DBE884CF6A3D225A948C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0080A370 Relevance: 1.6, APIs: 1, Instructions: 80registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,992EDC6F,00000000,00000000,00000000,00000000), ref: 0080A40C

Memory Dump Source

Source File: 00000000.00000002.3089942653.000000000080A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80a000_bUHF.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 6669c1d72cd83ce29e473d3a224aa5d60aceeb10595335a063ef511296cead6e
Instruction ID: c60f5e6123cc77dd50f4e4850644fca55f56029947fe9c4c9fb5ec8959af1ca8
Opcode Fuzzy Hash: 6669c1d72cd83ce29e473d3a224aa5d60aceeb10595335a063ef511296cead6e
Instruction Fuzzy Hash: 60215C76604744AFD721CB15DC84FA6BBFCEF05610F08849AE985CB292D364E948CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0080B6F4 Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,992EDC6F,00000000,00000000,00000000,00000000), ref: 0080B789

Memory Dump Source

Source File: 00000000.00000002.3089942653.000000000080A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80a000_bUHF.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 391eeb23a12c1d3fc98900234f0eb61051dd4a5f11c68d4379f01b9ba4710556
Instruction ID: 779d664a7294f71f08306c9c6b8d9d48c6d41347d04507c4cc39794afb929bd2
Opcode Fuzzy Hash: 391eeb23a12c1d3fc98900234f0eb61051dd4a5f11c68d4379f01b9ba4710556
Instruction Fuzzy Hash: 5321F8B55097806FD7128B21DC85BA2BFBCEF47724F0980D6E9848B293D264A909C775

Uniqueness

Uniqueness Score: -1.00%

Function 00BD201D Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

select.WS2_32(?,?,?,?,?), ref: 00BD20AC

Memory Dump Source

Source File: 00000000.00000002.3090726082.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_bUHF.jbxd

Similarity

API ID: select
String ID:
API String ID: 1274211008-0
Opcode ID: 147a93a0a14f674c0fea97f2d848c1ea15b93a49eab912019af820f6cbb59b8b
Instruction ID: 1c9e8cc1ca7a38e441f9ba07678c575cb55c4140bce4ea5e08c15d7cf3627a86
Opcode Fuzzy Hash: 147a93a0a14f674c0fea97f2d848c1ea15b93a49eab912019af820f6cbb59b8b
Instruction Fuzzy Hash: 9F216F755093849FDB12CF25CC84B52FFF8EF16310F0884DAE984CB262E265E949CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00BD23F5 Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E24,992EDC6F,00000000,00000000,00000000,00000000), ref: 00BD247C

Memory Dump Source

Source File: 00000000.00000002.3090726082.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_bUHF.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 5a3298eb828260dcd678339de62c1e2a8b0d72ee270d56d7f9f7088176234405
Instruction ID: cb8bd6e76c24c11f038c9b3affbe64e3f2d7d39463c7908bba9241768c83d8ab
Opcode Fuzzy Hash: 5a3298eb828260dcd678339de62c1e2a8b0d72ee270d56d7f9f7088176234405
Instruction Fuzzy Hash: 7621B6755093846FE712CB24DC85B96BFF8EF46314F0884DBE984CF292D264A908C775

Uniqueness

Uniqueness Score: -1.00%

Function 0080BC3E Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 0080BCCA

Memory Dump Source

Source File: 00000000.00000002.3089942653.000000000080A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80a000_bUHF.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 9be30b530840630a28eb07fb5ec962d5721213a732af0e178f97ec7eaf2bd72a
Instruction ID: 0a020f086f25fbd2192c00187d8a8674ebe76cdab625c9ccff17dfcc08a65dd4
Opcode Fuzzy Hash: 9be30b530840630a28eb07fb5ec962d5721213a732af0e178f97ec7eaf2bd72a
Instruction Fuzzy Hash: 38217171505380AFD721CF55DC45B96FFB8EF05210F04889EE9858B652D375A418CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0080A462 Relevance: 1.6, APIs: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,992EDC6F,00000000,00000000,00000000,00000000), ref: 0080A4F8

Memory Dump Source

Source File: 00000000.00000002.3089942653.000000000080A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80a000_bUHF.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: cf6a82382d998b82485eb64bcde97d39b5e637f7486ecdd3d2744e4a61e2927f
Instruction ID: daa4cec4ce1cfa4716f84f19a35b72d1ced0ff92cc8586dbb66491b30604f88c
Opcode Fuzzy Hash: cf6a82382d998b82485eb64bcde97d39b5e637f7486ecdd3d2744e4a61e2927f
Instruction Fuzzy Hash: 1B21B0761047806FD722CF51CC84FA7BFB8EF06210F08849AE985CB692C364E848C776

Uniqueness

Uniqueness Score: -1.00%

Function 00BD0346 Relevance: 1.6, APIs: 1, Instructions: 77fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 00BD03DA

Memory Dump Source

Source File: 00000000.00000002.3090726082.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_bUHF.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: c4d5f4f39d17b09a5ace482a9f44dccc3049cb4265b3a3f4f2a7cb4cf066b342
Instruction ID: 2f57d27476b215ba5e58efc1485f27240156912c946f669072a896e00a1c7cb4
Opcode Fuzzy Hash: c4d5f4f39d17b09a5ace482a9f44dccc3049cb4265b3a3f4f2a7cb4cf066b342
Instruction Fuzzy Hash: 9E21B171505384AFE722CB55CC85F96FFF8EF09224F04849EE9898B252D375A908CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0080B61E Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0080B69D

Memory Dump Source

Source File: 00000000.00000002.3089942653.000000000080A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80a000_bUHF.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 913e168aaccd54d01d9500803c77c4927b16e09f8758111f78129c5ea9eb1778
Instruction ID: 3273f8c1fbb4aedcd23abd9b865cc98b41aab6fa42d863ca9af5111a43c60371
Opcode Fuzzy Hash: 913e168aaccd54d01d9500803c77c4927b16e09f8758111f78129c5ea9eb1778
Instruction Fuzzy Hash: AE217F71600244AFEB20CF65CD85B66FBE8FF18714F048469E9458B691D372E808CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00BD01B6 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 00BD0227

Memory Dump Source

Source File: 00000000.00000002.3090726082.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_bUHF.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 84ac54689c5c3434a664c12d0e0ad9f0e250fa876fb953c182abeb2c28d43b12
Instruction ID: a0779e359dde648b35ddbd8d88f396ccdb96c89855ee91f63b99217ab63861b0
Opcode Fuzzy Hash: 84ac54689c5c3434a664c12d0e0ad9f0e250fa876fb953c182abeb2c28d43b12
Instruction Fuzzy Hash: CC21C272600244AFEB20DB65DC85FAAFBECEF04714F04849AE944DB741E374E9088A72

Uniqueness

Uniqueness Score: -1.00%

Function 00BD20EC Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 00BD2172

Memory Dump Source

Source File: 00000000.00000002.3090726082.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_bUHF.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 19894480659c2eb2726d820665e37a0f6340865422ba75b62899f68a5d5c10e4
Instruction ID: abd8f1619bc46bdc47cf29ed95d5c2a292e5620ae85229e60997c4a114b914a3
Opcode Fuzzy Hash: 19894480659c2eb2726d820665e37a0f6340865422ba75b62899f68a5d5c10e4
Instruction Fuzzy Hash: A32181B26093C05FDB12CB25DC50B52BFA8EF56314F08C4DAE988DB253E225E809C761

Uniqueness

Uniqueness Score: -1.00%

Function 00BD00AA Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,992EDC6F,00000000,00000000,00000000,00000000), ref: 00BD013C

Memory Dump Source

Source File: 00000000.00000002.3090726082.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_bUHF.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 98fb8172ab4a6d3f7c8cc1d83c790772813c4f140e43702ad5c25d9e42d99511
Instruction ID: 4c9a9d3a8e605f0ac003a52cfca83ddd7ce7f4da3484d55e021eff37e3537943
Opcode Fuzzy Hash: 98fb8172ab4a6d3f7c8cc1d83c790772813c4f140e43702ad5c25d9e42d99511
Instruction Fuzzy Hash: 7E219A72505784AFD722CB11CC84FA7FBF8EF05710F08849AE9859B292D364E948CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0080A7FA Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0080A879

Memory Dump Source

Source File: 00000000.00000002.3089942653.000000000080A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80a000_bUHF.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 6496de2c1ff96916743252bd7b74b57860e331f428362309f2ee81ce3a7e8c7a
Instruction ID: ad33a4ba9ec9180b3ff5e6b5722495a23f8d32cc9d60b1e03727429861e6dac6
Opcode Fuzzy Hash: 6496de2c1ff96916743252bd7b74b57860e331f428362309f2ee81ce3a7e8c7a
Instruction Fuzzy Hash: 0621A172600304AEE720DB55CC84FABFBECEF08714F04846AE945CB691D764E94D8AB6

Uniqueness

Uniqueness Score: -1.00%

Function 00BD24DF Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E24,992EDC6F,00000000,00000000,00000000,00000000), ref: 00BD255B

Memory Dump Source

Source File: 00000000.00000002.3090726082.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_bUHF.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 59666b410410334c1dacbca0f04018397d68c028d265bca03103ed33e59a827f
Instruction ID: 15dcf476ff6c1408426525c799e20b7299df1cc970c49bd5a727263f4e2bbd3c
Opcode Fuzzy Hash: 59666b410410334c1dacbca0f04018397d68c028d265bca03103ed33e59a827f
Instruction Fuzzy Hash: D321C2715093806FE711CB21DC85F9ABFA8EF46214F08849BE9858B252D364A908CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 00BD25C3 Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E24,992EDC6F,00000000,00000000,00000000,00000000), ref: 00BD263F

Memory Dump Source

Source File: 00000000.00000002.3090726082.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_bUHF.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 59666b410410334c1dacbca0f04018397d68c028d265bca03103ed33e59a827f
Instruction ID: e3567d492652a94b2043a0f45c46471812f001b306b75c9eca082d68c9f2f108
Opcode Fuzzy Hash: 59666b410410334c1dacbca0f04018397d68c028d265bca03103ed33e59a827f
Instruction Fuzzy Hash: 6621D4715093806FDB11CB21CC84F9AFFB8EF06314F08849BE985CB292D364A908CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 0080A646 Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0080A6B9

Memory Dump Source

Source File: 00000000.00000002.3089942653.000000000080A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80a000_bUHF.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: bb69506e3b839b2d6d6df76213df280f62a92e0266d661d64b20da4864438563
Instruction ID: d533a50b50d0f6cd3d19736d8c397000d1ea95c66a84109c210b29f1f988c8cf
Opcode Fuzzy Hash: bb69506e3b839b2d6d6df76213df280f62a92e0266d661d64b20da4864438563
Instruction Fuzzy Hash: 4F2180716043449FE720CB65CD85BA6FBE8EF14714F088469ED49CB781D371E809CA76

Uniqueness

Uniqueness Score: -1.00%

Function 00BD3796 Relevance: 1.6, APIs: 1, Instructions: 71registryCOMMON

Download Yara Rule

APIs

RegDeleteKeyW.ADVAPI32(?,00000E24,992EDC6F,00000000,00000000,00000000,00000000), ref: 00BD381C

Memory Dump Source

Source File: 00000000.00000002.3090726082.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_bUHF.jbxd

Similarity

API ID: Delete
String ID:
API String ID: 1035893169-0
Opcode ID: b58867bd10b8edd9eaaf5fba7bef423cf96ee7bd0870192204073817038db79c
Instruction ID: 5fe9b11d0c4f50328e8f45e51f17264ff2021634477f6b5530f52184b6c83860
Opcode Fuzzy Hash: b58867bd10b8edd9eaaf5fba7bef423cf96ee7bd0870192204073817038db79c
Instruction Fuzzy Hash: F121C3715093806FD722CB51DC85FA6FFF8EF46610F0880DBE9848B693D264A948C776

Uniqueness

Uniqueness Score: -1.00%

Function 0080A140 Relevance: 1.6, APIs: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,?), ref: 0080A1C1

Memory Dump Source

Source File: 00000000.00000002.3089942653.000000000080A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80a000_bUHF.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 680462745c17ced09fb0fdb3013cf9b92b47b21bf3a3afcd957a2de50f10e118
Instruction ID: d1d17148dcf2427582cf1fa6c0e0f384caebeecebb990243301ac1a9223908e5
Opcode Fuzzy Hash: 680462745c17ced09fb0fdb3013cf9b92b47b21bf3a3afcd957a2de50f10e118
Instruction Fuzzy Hash: 3A219D7150D3C09FDB228B619C94A52BFB4EF07320F0984DBD9858F1A3C269A819CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0080B9D6 Relevance: 1.6, APIs: 1, Instructions: 70fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E24,992EDC6F,00000000,00000000,00000000,00000000), ref: 0080BA55

Memory Dump Source

Source File: 00000000.00000002.3089942653.000000000080A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80a000_bUHF.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 63d1727dd990de71f43aa2f6df7c6faa15cd29bba98d66c64d17ace809fe3322
Instruction ID: 47e67770e77b0f29bb715458f4ff13841a85fb468a9a8bff42bcc1dd4ae75d1d
Opcode Fuzzy Hash: 63d1727dd990de71f43aa2f6df7c6faa15cd29bba98d66c64d17ace809fe3322
Instruction Fuzzy Hash: 5421A471505380AFDB22CF51DC84F97BFB8EF45310F08849AE9859B152C365A908CBB6

Uniqueness

Uniqueness Score: -1.00%

Function 0080A392 Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,992EDC6F,00000000,00000000,00000000,00000000), ref: 0080A40C

Memory Dump Source

Source File: 00000000.00000002.3089942653.000000000080A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80a000_bUHF.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 544719735593773778c937e281c72df435e29e195e00b00aadb874c676fbc390
Instruction ID: 6bc48108f118706dc9084b43364079f2abc7685f3104c14aba34851e4d930d0a
Opcode Fuzzy Hash: 544719735593773778c937e281c72df435e29e195e00b00aadb874c676fbc390
Instruction Fuzzy Hash: 68218C76600704AFEB60CF15CC84FA6B7ECEF04714F08845AE945CB691D3A0E949CAB6

Uniqueness

Uniqueness Score: -1.00%

Function 00BD1F57 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E24,992EDC6F,00000000,00000000,00000000,00000000), ref: 00BD1FD3

Memory Dump Source

Source File: 00000000.00000002.3090726082.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_bUHF.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 453ecd52354161745996dbbec74fb7e78abe9bda4de7cf2db5a280cd199de412
Instruction ID: 27d007f086fcd59bfa6ab1e8613bbc0124b8e3a64081a8e1aa69915feb3eada6
Opcode Fuzzy Hash: 453ecd52354161745996dbbec74fb7e78abe9bda4de7cf2db5a280cd199de412
Instruction Fuzzy Hash: FE21A1715093846FD722CF50CC84F96FFB8EF46314F08849BE9889B252D364A908C7B6

Uniqueness

Uniqueness Score: -1.00%

Function 0080A710 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0080A780

Memory Dump Source

Source File: 00000000.00000002.3089942653.000000000080A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80a000_bUHF.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: efb2f32bc6b29a42509fb02bcf9e769fb766db684ee53672759db15d3fa517be
Instruction ID: 13017776b759932cf6464832b7c0c3f7dc3713eaa3c9ae6392a28e7944a862c0
Opcode Fuzzy Hash: efb2f32bc6b29a42509fb02bcf9e769fb766db684ee53672759db15d3fa517be
Instruction Fuzzy Hash: 2E21D5B55093809FDB12CF25DD85792BFB8EF02320F0884EADD858B253D3359909DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0080BD23 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,?,?,?,?), ref: 0080BDA0

Memory Dump Source

Source File: 00000000.00000002.3089942653.000000000080A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80a000_bUHF.jbxd

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: ca13932c36de74a5bc12d7c0ea293fa4bcd612d45cfe3421215caca412cdcd79
Instruction ID: 70396f8a1aac51e2aa1933be3c0aecd4130a1a7d2fd820e668ed05a171232605
Opcode Fuzzy Hash: ca13932c36de74a5bc12d7c0ea293fa4bcd612d45cfe3421215caca412cdcd79
Instruction Fuzzy Hash: 082159724093C09FDB128F65DC95A92BFB4EF07320F0985DAD9C58F163C225A859DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0080BC5E Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 0080BCCA

Memory Dump Source

Source File: 00000000.00000002.3089942653.000000000080A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80a000_bUHF.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 9e26a1915f61f6a2e6ebe60f027f3d2c72c2a9fb94c6d1b4cc98bd8076353c44
Instruction ID: 2970ff631796f3d32bd66b6272a11d627f1c1ffdc0dba821f18780dd6bcd7175
Opcode Fuzzy Hash: 9e26a1915f61f6a2e6ebe60f027f3d2c72c2a9fb94c6d1b4cc98bd8076353c44
Instruction Fuzzy Hash: DC21BE71500244AFEB21CF65CD84BA6FBE8EF08324F14885AE9858B691D375A408CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00BD0B6E Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 00BD0BEA

Memory Dump Source

Source File: 00000000.00000002.3090726082.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_bUHF.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: a3824bf7cd33fb84d7736a40a05a7643830dc2c47ddda35cbf539f5c2a6bc39b
Instruction ID: 90ec049e074838a26d756501d8721f23044648cc791531614ffc505e99d7bf31
Opcode Fuzzy Hash: a3824bf7cd33fb84d7736a40a05a7643830dc2c47ddda35cbf539f5c2a6bc39b
Instruction Fuzzy Hash: 98219271508784AFDB22CF65DC84B52FFF4EF06310F0885DAE9858B262D375A818DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00BD0366 Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 00BD03DA

Memory Dump Source

Source File: 00000000.00000002.3090726082.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_bUHF.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: c63f485e897c8a931b39936262c67548e3e4889c6190f79a3d910a4c0fdbcbc4
Instruction ID: d8dbe1a188bb452afaee8ee9148cd8308e2b1440838ff49caa4bc89736582c6c
Opcode Fuzzy Hash: c63f485e897c8a931b39936262c67548e3e4889c6190f79a3d910a4c0fdbcbc4
Instruction Fuzzy Hash: 6421CF71500244AFE721DF15CD85FAAFBE8EF08324F04849AEA498B741D375E408CB76

Uniqueness

Uniqueness Score: -1.00%

Function 00BD0FD2 Relevance: 1.6, APIs: 1, Instructions: 66libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E24), ref: 00BD105B

Memory Dump Source

Source File: 00000000.00000002.3090726082.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_bUHF.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 006ae09bbe0d604eba9aa7716e414cdbec565722be118c87aa1899e1b9b38831
Instruction ID: 5fd2769c0144542d7861f9615338f6e8e573779bc0b2c7ac0e4e119c69bb2e69
Opcode Fuzzy Hash: 006ae09bbe0d604eba9aa7716e414cdbec565722be118c87aa1899e1b9b38831
Instruction Fuzzy Hash: 1811E4711043806FE721CB15CC85FA6FFB8DF05720F04809AF9889B292D2A4A948CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0080A486 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,992EDC6F,00000000,00000000,00000000,00000000), ref: 0080A4F8

Memory Dump Source

Source File: 00000000.00000002.3089942653.000000000080A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80a000_bUHF.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 389f362db8cc1352223ec1c4ec7ab88dd6c19b89807a442f84daf0d0896c86d7
Instruction ID: 15f5f7ea7ff211aaafaa6886b33287188ba1cebd1e4abbefa82ea4d174a2accc
Opcode Fuzzy Hash: 389f362db8cc1352223ec1c4ec7ab88dd6c19b89807a442f84daf0d0896c86d7
Instruction Fuzzy Hash: A011B176600704AFEB20CE51CC85FA6BBECFF04714F04845AED45CA681D360E8488AB6

Uniqueness

Uniqueness Score: -1.00%

Function 00BD00CA Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,992EDC6F,00000000,00000000,00000000,00000000), ref: 00BD013C

Memory Dump Source

Source File: 00000000.00000002.3090726082.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_bUHF.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: cdd6fbc65ff1b9c1532ec41b5a9a61fa0b9d8a05e93ae40676e4e067b57f6a3e
Instruction ID: f933a435cee9b9deebaab9051712fc3606a39d4fa809947774a42d7ff0fa250d
Opcode Fuzzy Hash: cdd6fbc65ff1b9c1532ec41b5a9a61fa0b9d8a05e93ae40676e4e067b57f6a3e
Instruction Fuzzy Hash: BD117F76600604AFE721DF15CC85FA7F7E8EF04710F04849AEA459B751E360E948CAB6

Uniqueness

Uniqueness Score: -1.00%

Function 00BD2E09 Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 00BD2E85

Memory Dump Source

Source File: 00000000.00000002.3090726082.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_bUHF.jbxd

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 79db4d3f9bb7097d4ab96f32a9ba17a0600fd26fb60f7d5c970d6c0061373035
Instruction ID: 792e52537e8b0ccb93b5d4e36fd605025b1cc64af23d2424ef4da1215c953eb1
Opcode Fuzzy Hash: 79db4d3f9bb7097d4ab96f32a9ba17a0600fd26fb60f7d5c970d6c0061373035
Instruction Fuzzy Hash: 732181755093809FDB228B15DC84B52FFF8EF56710F0880CAE984CB252E265A808C761

Uniqueness

Uniqueness Score: -1.00%

Function 00BD08D2 Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E24,992EDC6F,00000000,00000000,00000000,00000000), ref: 00BD0931

Memory Dump Source

Source File: 00000000.00000002.3090726082.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_bUHF.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 9781e8db8bd34dfb058027a89a31fee93dcaf785975e6c17fcbce92870364016
Instruction ID: 9834d5ae7ce005e8ec356201971370691179a0cc6ef3737f7547583dca1a787a
Opcode Fuzzy Hash: 9781e8db8bd34dfb058027a89a31fee93dcaf785975e6c17fcbce92870364016
Instruction Fuzzy Hash: F111E972600204AFEB21DF55DD84BAAFBE8EF04714F04845AE9458B651D374E448CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 00BD25E6 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E24,992EDC6F,00000000,00000000,00000000,00000000), ref: 00BD263F

Memory Dump Source

Source File: 00000000.00000002.3090726082.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_bUHF.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: ad0ac40042cd4577dc6e35ae2af4dbf3888fe4b211e3e71bd7dde8f20c938d49
Instruction ID: 8720ddb527b8d974d1b7be846d0b3487e8c8a6a1a689887d96624fd061eb5a60
Opcode Fuzzy Hash: ad0ac40042cd4577dc6e35ae2af4dbf3888fe4b211e3e71bd7dde8f20c938d49
Instruction Fuzzy Hash: BA11B271600344AFEB10CF55DD84BAAFBE8EF14724F0884AAE9458B641D774E8488AB5

Uniqueness

Uniqueness Score: -1.00%

Function 00BD3ADD Relevance: 1.6, APIs: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 00BD3B51

Memory Dump Source

Source File: 00000000.00000002.3090726082.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_bUHF.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 4f6293f1c30644d7fd5019a353e3cd08d00f21e9c5fa591a5ab0acbe528a3ab5
Instruction ID: 4cbecfa0b0840e357a19e4e4dd0e8bc254d9d9ffc9d085724e15ccc206f41a5a
Opcode Fuzzy Hash: 4f6293f1c30644d7fd5019a353e3cd08d00f21e9c5fa591a5ab0acbe528a3ab5
Instruction Fuzzy Hash: 8B218C7140A3C09FDB128B25CC84A52FFB4EF17210F0984DBE9C48B263D265A918DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00BD2502 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E24,992EDC6F,00000000,00000000,00000000,00000000), ref: 00BD255B

Memory Dump Source

Source File: 00000000.00000002.3090726082.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_bUHF.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: ad0ac40042cd4577dc6e35ae2af4dbf3888fe4b211e3e71bd7dde8f20c938d49
Instruction ID: a7fe5841166fd41e7a02d35843e4094c6bd11ffcd981a0b98a6e156ae79f5684
Opcode Fuzzy Hash: ad0ac40042cd4577dc6e35ae2af4dbf3888fe4b211e3e71bd7dde8f20c938d49
Instruction Fuzzy Hash: F011C471600244AFEB10CF55DC85FAAFBE8EF54724F0484ABED458B741D374E8488AB5

Uniqueness

Uniqueness Score: -1.00%

Function 0080AC03 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0080AC6E

Memory Dump Source

Source File: 00000000.00000002.3089942653.000000000080A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80a000_bUHF.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e43cfd98b33ad3eead60af0f7b9513a01471ea176640d4a54130013af8de1a61
Instruction ID: 6e7f290cec2ef017bcaff3856a0a2783aa3782150d5db281cce148be7ca28fd0
Opcode Fuzzy Hash: e43cfd98b33ad3eead60af0f7b9513a01471ea176640d4a54130013af8de1a61
Instruction Fuzzy Hash: 66117271509780AFDB228F51DC44B62FFF4EF4A314F0884DAED858B562C275A418DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00BD2426 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E24,992EDC6F,00000000,00000000,00000000,00000000), ref: 00BD247C

Memory Dump Source

Source File: 00000000.00000002.3090726082.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_bUHF.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: d9d2ed7729028371ca7391e3793f78ba68edfdddfc645e3091a1bd2b92da581c
Instruction ID: bfe87ac671885014947d76e7330db9c46cb6eacbe4a21722c251f1114785c459
Opcode Fuzzy Hash: d9d2ed7729028371ca7391e3793f78ba68edfdddfc645e3091a1bd2b92da581c
Instruction Fuzzy Hash: B811E775600244AFEB10CB15DC85BAAF7D8EF04724F0484AAEE49CB741D374A8488AB5

Uniqueness

Uniqueness Score: -1.00%

Function 0080B9F6 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E24,992EDC6F,00000000,00000000,00000000,00000000), ref: 0080BA55

Memory Dump Source

Source File: 00000000.00000002.3089942653.000000000080A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80a000_bUHF.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 64f90e283d3edce447424da1d64d0dbd24776df61cda0e479de8c705cc8c22a2
Instruction ID: 122f33c0cdb40397ce127e7c18fcdfd0b40de9744633a4dad592b5f863a5dfb4
Opcode Fuzzy Hash: 64f90e283d3edce447424da1d64d0dbd24776df61cda0e479de8c705cc8c22a2
Instruction Fuzzy Hash: 9D112772600304AFEB21CF50CC80FAAFBE8EF04724F04845AED499B641C375A408CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00BD0006 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,00000E24,?,?), ref: 00BD0082

Memory Dump Source

Source File: 00000000.00000002.3090726082.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_bUHF.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 56596d1c2dacf273287d2993e57c2777b8d3a08e080b0cfc4f45cac9af671d8d
Instruction ID: 7273404cfccdd582edf5ed04231d18652424d0d19f9848b07f831d070a66ed6a
Opcode Fuzzy Hash: 56596d1c2dacf273287d2993e57c2777b8d3a08e080b0cfc4f45cac9af671d8d
Instruction Fuzzy Hash: A911C8755093806FC311CB15CC45F66FFB4EF86610F19819FE8889B693D225B919C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00BD1F7A Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E24,992EDC6F,00000000,00000000,00000000,00000000), ref: 00BD1FD3

Memory Dump Source

Source File: 00000000.00000002.3090726082.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_bUHF.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 8f09767a0a11a09efdc5b28bd96188fda318346537bca661edaa0252e78b1bd9
Instruction ID: aa85676a917af0f424b45622b452e1d84c9915315b1a7e6630d35ecce1b53d75
Opcode Fuzzy Hash: 8f09767a0a11a09efdc5b28bd96188fda318346537bca661edaa0252e78b1bd9
Instruction Fuzzy Hash: AA11E371600244AFEB21CF55CD84BAAFBE8EF04724F0484AAED488B741D374A448CBB6

Uniqueness

Uniqueness Score: -1.00%

Function 00BD37BE Relevance: 1.6, APIs: 1, Instructions: 57registryCOMMON

Download Yara Rule

APIs

RegDeleteKeyW.ADVAPI32(?,00000E24,992EDC6F,00000000,00000000,00000000,00000000), ref: 00BD381C

Memory Dump Source

Source File: 00000000.00000002.3090726082.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_bUHF.jbxd

Similarity

API ID: Delete
String ID:
API String ID: 1035893169-0
Opcode ID: 707946d6be3fd65192459601db6e00327e6b163708d4870c28933e419a624572
Instruction ID: 9c5123602a894b88cd2b907fe8bd4aca0924a12eec23799cab3361f5fc79cc09
Opcode Fuzzy Hash: 707946d6be3fd65192459601db6e00327e6b163708d4870c28933e419a624572
Instruction Fuzzy Hash: 1811C671600244AEE720CB15DC85BA6FBDCDF04B24F048097ED459B742E365E9488BB6

Uniqueness

Uniqueness Score: -1.00%

Function 0080A2AE Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0080A30C

Memory Dump Source

Source File: 00000000.00000002.3089942653.000000000080A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80a000_bUHF.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 4bf80af13f79bdde4e17fd29b7fac9afcf75232d189e03d3eb6c493f093d5b00
Instruction ID: 19d411b5330c634069fb38d7374f8c8d981478346b0618de0ff86a951b74b518
Opcode Fuzzy Hash: 4bf80af13f79bdde4e17fd29b7fac9afcf75232d189e03d3eb6c493f093d5b00
Instruction Fuzzy Hash: 29118F754093C06FDB228B25DC94662BFB4EF47620F0980DBED848B2A3D2656818C772

Uniqueness

Uniqueness Score: -1.00%

Function 00BD0FF2 Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E24), ref: 00BD105B

Memory Dump Source

Source File: 00000000.00000002.3090726082.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_bUHF.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b3c08d10ed531d832c6fe9db3fa9dc88cb9056d8b21a02df4332f7dd930d0b39
Instruction ID: 3bf276d45eb4677a5660806ba2a907a14031637632bbe954d5ac7c4312e5598e
Opcode Fuzzy Hash: b3c08d10ed531d832c6fe9db3fa9dc88cb9056d8b21a02df4332f7dd930d0b39
Instruction Fuzzy Hash: EA11E971600244AFE720DB15DD81FB6FBE8DF04714F14849AEE445B781D3B5A94C8AA6

Uniqueness

Uniqueness Score: -1.00%

Function 00BD3EDD Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 00BD3F3D

Memory Dump Source

Source File: 00000000.00000002.3090726082.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_bUHF.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 12d37d25026c19bed5d8c49a6a7912b937ab49359748ed8b807f54cd41e08374
Instruction ID: 42221aa4d055723a1d4ab1a70893d67719918f6d3e05a655ada1009607053031
Opcode Fuzzy Hash: 12d37d25026c19bed5d8c49a6a7912b937ab49359748ed8b807f54cd41e08374
Instruction Fuzzy Hash: F9110475509780AFDB228F11DC84A52FFF4EF06320F0880DEED858B663D261A818CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00BD2056 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

select.WS2_32(?,?,?,?,?), ref: 00BD20AC

Memory Dump Source

Source File: 00000000.00000002.3090726082.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_bUHF.jbxd

Similarity

API ID: select
String ID:
API String ID: 1274211008-0
Opcode ID: 9fb9fa5c3dfd441082b666ae1ff104ff7b76817d959bce3e7b2fadc73397eb42
Instruction ID: d4fdd4224296937ddf59b1dfedd6b3a261b9cf6032c84c93117e6b6c6ac981bc
Opcode Fuzzy Hash: 9fb9fa5c3dfd441082b666ae1ff104ff7b76817d959bce3e7b2fadc73397eb42
Instruction Fuzzy Hash: 01114C756002449FDB20CF65D984B66FBE8EF18720F0884ABDD49CB752E375E848CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0080AD9F Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 0080AE00

Memory Dump Source

Source File: 00000000.00000002.3089942653.000000000080A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80a000_bUHF.jbxd

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: adaa343f7eaee562c661bf999878ea29803e1fb55f8dd76dc2884b39cd38640d
Instruction ID: b70be4986511cbf7efc12efd8eff2d82ad23badc77c7eccddd14347957b1e17c
Opcode Fuzzy Hash: adaa343f7eaee562c661bf999878ea29803e1fb55f8dd76dc2884b39cd38640d
Instruction Fuzzy Hash: 99116D755493849FDB12CB15DC89B52BFB4EF06224F0884DAED858B293D275A818CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00BD212A Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 00BD2172

Memory Dump Source

Source File: 00000000.00000002.3090726082.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_bUHF.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: a75290e45f525e0ce3a77afb672e18a3191d2e9d69829f262b8b9fb66bf3e0f0
Instruction ID: 372b13057da05ea8f325ef692cffba7e6e1256d9a5c97e1a445d687c0d8809af
Opcode Fuzzy Hash: a75290e45f525e0ce3a77afb672e18a3191d2e9d69829f262b8b9fb66bf3e0f0
Instruction Fuzzy Hash: 0811A1726002409FEB10CF25DD84B66FBE8EF15720F08C4AADE49DB741E371E808CA62

Uniqueness

Uniqueness Score: -1.00%

Function 0080B736 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,992EDC6F,00000000,00000000,00000000,00000000), ref: 0080B789

Memory Dump Source

Source File: 00000000.00000002.3089942653.000000000080A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80a000_bUHF.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 3f59d07c388c973f7e318efda83d262ae63c2814c4b14c5b93e41346fd5ca6e7
Instruction ID: c11df8854599d7f66770d29b0397042b73ceddcf17b4581434b488de1941c73a
Opcode Fuzzy Hash: 3f59d07c388c973f7e318efda83d262ae63c2814c4b14c5b93e41346fd5ca6e7
Instruction Fuzzy Hash: 2301C075600244AFE720CB15DD84FAAFBE8EF44724F148096EE489B781D364E94C8AB6

Uniqueness

Uniqueness Score: -1.00%

Function 00BD0B9E Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 00BD0BEA

Memory Dump Source

Source File: 00000000.00000002.3090726082.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_bUHF.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 3e9944963c63864484e61928f2c46c147f3dcc701b6e23c7e200447a68523064
Instruction ID: 542c5fd70ab8d3bbfa7f7496fddb4b6a75967c5c9365c116a0b99af8476c5303
Opcode Fuzzy Hash: 3e9944963c63864484e61928f2c46c147f3dcc701b6e23c7e200447a68523064
Instruction Fuzzy Hash: FB11C2315046049FDB20CF55C984B62FBE4EF08310F0885ABDD858B711D335E458DF62

Uniqueness

Uniqueness Score: -1.00%

Function 00BD3D90 Relevance: 1.5, APIs: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 00BD3DE4

Memory Dump Source

Source File: 00000000.00000002.3090726082.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_bUHF.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 64f91027b4feb343a7f07cc656c91f2b036a2fbb3901b1ad6989dd7d183e8ccb
Instruction ID: 2c3b4ebfe33ac4ab5c3c5ea28185d5c1652b53d0556ff0881dbdd9060d07b15a
Opcode Fuzzy Hash: 64f91027b4feb343a7f07cc656c91f2b036a2fbb3901b1ad6989dd7d183e8ccb
Instruction Fuzzy Hash: FD1165755093849FDB128F15DC84B62FFF4DF46625F0880DAED858B253D275A908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00BD0D66 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetVolumeInformationA.KERNELBASE(?,00000E24,?,?), ref: 00BD0DB6

Memory Dump Source

Source File: 00000000.00000002.3090726082.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_bUHF.jbxd

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: 310d954a350bc9e5267adf270a93978d5a835ed062e006cdf3d1cf6fe27857f5
Instruction ID: 2e45325bdf9b6108d7719e8e5a58302ecacc201283076581980e84819dadfdd7
Opcode Fuzzy Hash: 310d954a350bc9e5267adf270a93978d5a835ed062e006cdf3d1cf6fe27857f5
Instruction Fuzzy Hash: EC01B171600200ABD310DF16CD85B66FBE8FB88B20F14811AEC089B741D731F915CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00BD2E3A Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 00BD2E85

Memory Dump Source

Source File: 00000000.00000002.3090726082.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_bUHF.jbxd

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 225b78fdef582825afecb9887b69bc57953c08f5f6b14b4c8caa00119b70cac5
Instruction ID: 4069375d5667beefa5592a991575a6c6bdd588bed6ac583ed1a9411752c47cef
Opcode Fuzzy Hash: 225b78fdef582825afecb9887b69bc57953c08f5f6b14b4c8caa00119b70cac5
Instruction Fuzzy Hash: AB0192756002409FDB20CF15D985B22FBE8EF24720F08C09ADD458B751E371E808CA62

Uniqueness

Uniqueness Score: -1.00%

Function 0080AC2A Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0080AC6E

Memory Dump Source

Source File: 00000000.00000002.3089942653.000000000080A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80a000_bUHF.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: af800a5149bcf3d170a31c376d29b321515c0a42c83954cac17bb4ac5168c4ca
Instruction ID: 428db3ef54b73f254c0e1890d2b2ad006176ef44e085046f10b45bf4d6edb757
Opcode Fuzzy Hash: af800a5149bcf3d170a31c376d29b321515c0a42c83954cac17bb4ac5168c4ca
Instruction Fuzzy Hash: 35015B325007049FEB61CF55DD84B62FBE4FF48724F08889ADE898A651C376E418DF62

Uniqueness

Uniqueness Score: -1.00%

Function 0080BBC2 Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 0080BC12

Memory Dump Source

Source File: 00000000.00000002.3089942653.000000000080A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80a000_bUHF.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 3948fe4745d054faa40697bcdbe05957737af289521e0b2a8afa3cf9a59ab580
Instruction ID: 734cda91b2b0985ba98e5fbde7c7b03d0bbb2c18f5e933ff1a5e06f102ecab3e
Opcode Fuzzy Hash: 3948fe4745d054faa40697bcdbe05957737af289521e0b2a8afa3cf9a59ab580
Instruction Fuzzy Hash: FD01D671600600ABD310DF16CD86B66FBE8FB88B20F14811AEC089BB41D771F915CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0080A74E Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0080A780

Memory Dump Source

Source File: 00000000.00000002.3089942653.000000000080A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80a000_bUHF.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 9f9f12c10652c54e27573518a7a493e57b3380c9796ee5bd1a31374c504f51d3
Instruction ID: c49a70ff7116db45706098197a6d40f52eb2c4396b06992ec266cb6a01801481
Opcode Fuzzy Hash: 9f9f12c10652c54e27573518a7a493e57b3380c9796ee5bd1a31374c504f51d3
Instruction Fuzzy Hash: 0C01BC756003048FDB50CF25D984766FBE4EF04724F08C4AADD89CB682D375E848CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0080BD62 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,?,?,?,?), ref: 0080BDA0

Memory Dump Source

Source File: 00000000.00000002.3089942653.000000000080A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80a000_bUHF.jbxd

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 55b5c0246ca5e876b33d805fe693bec288a3fe0c740dd7fb8261d0491a9bfa70
Instruction ID: d0bf64b6deb1875c6fe848e6bdf9f68ed92f4ad73f80dc163133a27ec8ed43c8
Opcode Fuzzy Hash: 55b5c0246ca5e876b33d805fe693bec288a3fe0c740dd7fb8261d0491a9bfa70
Instruction Fuzzy Hash: EC018C365042449FDB20CF55D984B66FBE4FF08724F08849ADE898B652C376A458DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00BD0032 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,00000E24,?,?), ref: 00BD0082

Memory Dump Source

Source File: 00000000.00000002.3090726082.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_bUHF.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: a1faf9859555885d9c9be605d8c86d3e6c78adb8571d9cc687af167cf2512dd5
Instruction ID: 1c5ddf9323d7f45e0991a6fc672279a15509d579b4fe8f2e1d3b350d7fa1701a
Opcode Fuzzy Hash: a1faf9859555885d9c9be605d8c86d3e6c78adb8571d9cc687af167cf2512dd5
Instruction Fuzzy Hash: 7401D171600600ABD310DF16CD86B66FBE8FB88A20F24815AEC089BB41D771F915CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 0080A186 Relevance: 1.5, APIs: 1, Instructions: 42networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,?), ref: 0080A1C1

Memory Dump Source

Source File: 00000000.00000002.3089942653.000000000080A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80a000_bUHF.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 6d564e37417d44040efe69597d778a208a3b7bde83de6f3d68f93cb2745a4750
Instruction ID: 9de076d448714b758537ff99bb8bd46f9cc8bd88b0e425f8ba7f292d6831e698
Opcode Fuzzy Hash: 6d564e37417d44040efe69597d778a208a3b7bde83de6f3d68f93cb2745a4750
Instruction Fuzzy Hash: 8F019E325043449FDB60CF55DD84B62FBE4FF04724F08849ADD8A8B651C375A458DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00BD3F02 Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 00BD3F3D

Memory Dump Source

Source File: 00000000.00000002.3090726082.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_bUHF.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 04c34d89d4a5a810f42870aaff1c3767eea839b27a304b9051db18d7e61d24bf
Instruction ID: a5484879603f177a18aef3dfa6c40aa978c1838ee430aa510ba2223436ee0bad
Opcode Fuzzy Hash: 04c34d89d4a5a810f42870aaff1c3767eea839b27a304b9051db18d7e61d24bf
Instruction Fuzzy Hash: 0601B136A006049FDB208F15D984B65FBE4EF04B20F08C09EDD854B762D371E958DF62

Uniqueness

Uniqueness Score: -1.00%

Function 0080ADCE Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 0080AE00

Memory Dump Source

Source File: 00000000.00000002.3089942653.000000000080A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80a000_bUHF.jbxd

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: e50119b6674afe02f919c4a7a99e36868ead7ab99c4ec15f16158347fb1eb679
Instruction ID: 6e690bd96549c2a39c384ba44b364fe321f0bf2f4e54e02197ce9e49656ad8fe
Opcode Fuzzy Hash: e50119b6674afe02f919c4a7a99e36868ead7ab99c4ec15f16158347fb1eb679
Instruction Fuzzy Hash: AC01AD75A043449FDB50CF15D989762FBE4EF04724F08C4AADD498F692D375A448CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 00BD3B16 Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 00BD3B51

Memory Dump Source

Source File: 00000000.00000002.3090726082.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_bUHF.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: b73338ddc3bd758c8f3732ab53c12552306e4fde9d85cf4cfffb11bcec2dba8e
Instruction ID: a14c17871c2ac8abf2abc0fb4198cf74cec983fd7402f8fa273d2895b3f48d24
Opcode Fuzzy Hash: b73338ddc3bd758c8f3732ab53c12552306e4fde9d85cf4cfffb11bcec2dba8e
Instruction Fuzzy Hash: 62017C755047049FDB20CF15D984B61FBE0EF08B20F08C09BDE850A762D375A558DEA2

Uniqueness

Uniqueness Score: -1.00%

Function 0080A2DA Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0080A30C

Memory Dump Source

Source File: 00000000.00000002.3089942653.000000000080A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80a000_bUHF.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: e9cf65a3e70cc4e17f4364b40ce32077d566a59177e7848f8eef5f4f66afefa7
Instruction ID: 973637b304d9e95590a4e0cdd72d596e8387d408dcf0069072d2c45e71455410
Opcode Fuzzy Hash: e9cf65a3e70cc4e17f4364b40ce32077d566a59177e7848f8eef5f4f66afefa7
Instruction Fuzzy Hash: 03F08C356043449FDB60CF05D985761FBE4EF04724F08C09ADD498B796D3B5A858CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 00BD3DB2 Relevance: 1.5, APIs: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 00BD3DE4

Memory Dump Source

Source File: 00000000.00000002.3090726082.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_bUHF.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 78c93f3ced2187260824923e5f2665c0cd9c75b09be784ac065f72a0c74119ec
Instruction ID: f60d0f9aae7770c79d80441a51a82cf866f1dcb585097f6cf0000be0aa01c4eb
Opcode Fuzzy Hash: 78c93f3ced2187260824923e5f2665c0cd9c75b09be784ac065f72a0c74119ec
Instruction Fuzzy Hash: B2F08C356006449FDB10CF16D985761FBE4EF04B24F08C0EADD494B752E279A948CEA3

Uniqueness

Uniqueness Score: -1.00%

Function 04DD1C60 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3092653509.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4dd0000_bUHF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48be1de6ea3baf716e182427795f0b6ec47905bb67f93efd4b29fcd2ebfe396d
Instruction ID: 29d2bde20034119b14be066bf972545bc1cc6f4286de787618b9872370e41b2c
Opcode Fuzzy Hash: 48be1de6ea3baf716e182427795f0b6ec47905bb67f93efd4b29fcd2ebfe396d
Instruction Fuzzy Hash: A111BAB5A08341AFD340CF19D980A5BFBE4FB88664F04895EF998D7311D231E9088FA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A107C4 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3090419889.0000000000A10000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bUHF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f56472681e8516d0a71698ced3e6d43c57f26004f2ef3bfc554e79d726314eca
Instruction ID: c5d2e732b5e07dd914613a0715ab83b2c047c21bce63ce3029f9b8878c96ea4a
Opcode Fuzzy Hash: f56472681e8516d0a71698ced3e6d43c57f26004f2ef3bfc554e79d726314eca
Instruction Fuzzy Hash: 1A11E430208280DFC715CB10D540F66BBA5EB88718F24C9ACE5495BB93C7B7D887CA91

Uniqueness

Uniqueness Score: -1.00%

Function 0081ADEC Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3090063672.000000000081A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0081A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_81a000_bUHF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a46d301baba90f1aeb9999b1cb053679edf684378f15536664342896742ad638
Instruction ID: ea1f2851aaa7e4ea6612cfadac5fc92a4565584a23ce6a0b08ba8e1e2baeb706
Opcode Fuzzy Hash: a46d301baba90f1aeb9999b1cb053679edf684378f15536664342896742ad638
Instruction Fuzzy Hash: 78110CB5A08301AFD350CF09DD80E57FBE8FB88660F04895EF99997311D271E9088FA2

Uniqueness

Uniqueness Score: -1.00%

Function 04DD1B04 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3092653509.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4dd0000_bUHF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13074c124bb4ffbdc6d8b9942aaae64fcda76d974e140f4fb53bb892e95b223c
Instruction ID: 5745a3d7c60e42c3ec846b388608bf3d5c93c929aac45e4fc0e6b49881785bd0
Opcode Fuzzy Hash: 13074c124bb4ffbdc6d8b9942aaae64fcda76d974e140f4fb53bb892e95b223c
Instruction Fuzzy Hash: 451100B5608301AFD750CF09DD80E57FBE8EB88760F04885EF99897311D271E9088FA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A107A3 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3090419889.0000000000A10000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bUHF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d3858fb8f78b5f032b9e5644e276b96d3ff0d8ba2b3205a2d93b3b6ad8b2870
Instruction ID: a9825fbede633ead557e0fc1170b0a86fcbc65f35f7c54e82e9a94ee9833ba3c
Opcode Fuzzy Hash: 0d3858fb8f78b5f032b9e5644e276b96d3ff0d8ba2b3205a2d93b3b6ad8b2870
Instruction Fuzzy Hash: E8112E3150D3C0DFC702CB20C990B55BFB1AB86718F2886EED4895B6A3C37A9847CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00A105EC Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3090419889.0000000000A10000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bUHF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32b5f04741acf730d134ff57afb309bb84cfd07aa2154933cd0bc26d8bd13f2b
Instruction ID: 98166d9c466d04c04f413b081ebe22dc06613c59dece285bd70997a5e6edb0de
Opcode Fuzzy Hash: 32b5f04741acf730d134ff57afb309bb84cfd07aa2154933cd0bc26d8bd13f2b
Instruction Fuzzy Hash: 6AF0C8765097806FC711CB06AC40893FFE8DF8663070884ABEC8987611C125B908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00A10880 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3090419889.0000000000A10000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bUHF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53963eade7438ca410e32634de66363e024afaa3f40a7da14d248b9d76a52dc3
Instruction ID: e295481fff40b582026c17603b534570ef4f07bda4727f2111928aaaf0c0d419
Opcode Fuzzy Hash: 53963eade7438ca410e32634de66363e024afaa3f40a7da14d248b9d76a52dc3
Instruction Fuzzy Hash: 27F0FB35108684DFC305CF04D540F55FBA2EB89718F24CAADE94917A62C777E852DA81

Uniqueness

Uniqueness Score: -1.00%

Function 00A10606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3090419889.0000000000A10000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_bUHF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950ad66f104149a9002254d54cc6939602f54e0ac37169c9895811cba065545f
Instruction ID: df7e6d6cc8af2b5ea3133d816cc4303af26633460ad9015ff8d632de03228320
Opcode Fuzzy Hash: 950ad66f104149a9002254d54cc6939602f54e0ac37169c9895811cba065545f
Instruction Fuzzy Hash: EAE092B66006044BD650CF0AED81452F7D8EB88630B48C07FDC4D8B711D275B508CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 0081AE3B Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3090063672.000000000081A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0081A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_81a000_bUHF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f65a63f2d99f78b38ada7176f6afd7ca778cb49648a98d845d05b04fffbec1f
Instruction ID: c1e4e1edd0458d4aec62c027b799b72a43eb753df318502b05f09208f9ad1535
Opcode Fuzzy Hash: 7f65a63f2d99f78b38ada7176f6afd7ca778cb49648a98d845d05b04fffbec1f
Instruction Fuzzy Hash: 69E0D8B664020467D2108E069D85F62F798DB44A30F04C557EE091B702D171B5048AF1

Uniqueness

Uniqueness Score: -1.00%

Function 04DD1CCB Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3092653509.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4dd0000_bUHF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce524f6f71ff7a4b42403b975660f43cb376dbe50a8bd96d56ec56f7ad876328
Instruction ID: 2ad5ee812a48a0120143c72fd1f2362b863f7d899eea399f65d830e5ff441008
Opcode Fuzzy Hash: ce524f6f71ff7a4b42403b975660f43cb376dbe50a8bd96d56ec56f7ad876328
Instruction Fuzzy Hash: EAE0D8B264030067D2108E069D85F62FBDCDB44A30F04C567EE081B742D171B51889E1

Uniqueness

Uniqueness Score: -1.00%

Function 04DD1B53 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3092653509.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4dd0000_bUHF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6aadaa1f0c17824f40ad7dd92356d0f5e781e9e93d18fff6817db113b1d0a9a8
Instruction ID: 12195500800888ed157d130530ef78455ba98b4dbcf869a852407274aff6a4ba
Opcode Fuzzy Hash: 6aadaa1f0c17824f40ad7dd92356d0f5e781e9e93d18fff6817db113b1d0a9a8
Instruction Fuzzy Hash: DCE0D8B260030467D2509E069DC5F63FBE8DB44A30F04C457EE0C1B702D172B50489F1

Uniqueness

Uniqueness Score: -1.00%

Function 04DD1577 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3092653509.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4dd0000_bUHF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09f5f0eba9fc77c38a908edb7df0f2748134b0d89c8b2983fd30246abcf168da
Instruction ID: 3b08ac1cd0eada722dd2a533fa485531461995859f28d30c3650a93109a5d451
Opcode Fuzzy Hash: 09f5f0eba9fc77c38a908edb7df0f2748134b0d89c8b2983fd30246abcf168da
Instruction Fuzzy Hash: 6FE0D8B6A0020067D210DE069D85F63FBD8DB44A30F48C457EE081B702D172B514C9E1

Uniqueness

Uniqueness Score: -1.00%

Function 008023F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3089921262.0000000000802000.00000040.00000800.00020000.00000000.sdmp, Offset: 00802000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_802000_bUHF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bebc3fbf2bef446841490121b93779a66ab9c332576a6f161bd1ddf1e546940
Instruction ID: 3ca64589f435a3fde6a20221d51420dc878b25691889abec7ca789e0f99ce490
Opcode Fuzzy Hash: 5bebc3fbf2bef446841490121b93779a66ab9c332576a6f161bd1ddf1e546940
Instruction Fuzzy Hash: AED05E79205AC14FD316DA1CC6A8B9537D4BB51714F4A44F9AC40CB7A3C7A8D9C5D640

Uniqueness

Uniqueness Score: -1.00%

Function 008023BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3089921262.0000000000802000.00000040.00000800.00020000.00000000.sdmp, Offset: 00802000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_802000_bUHF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b6e0399281cc775d7207225aa35d18825810d58e671afc52a58cbb9a5ab8551
Instruction ID: fd20cc38cd1189f0cb1a2fe66e498293ef93cdafb335351269cd4df7acbc434b
Opcode Fuzzy Hash: 8b6e0399281cc775d7207225aa35d18825810d58e671afc52a58cbb9a5ab8551
Instruction Fuzzy Hash: E1D05E342006814BCB15DA0CD6D8F5937D8BB40714F1A44E8BC10CB7B2C7B8D8C5CA00

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report bUHF.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Njrat

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\bUHF.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
bUHF.exe

Function 00A319F0 Relevance: 3.9, Strings: 2, Instructions: 1396
COMMON

Function 00A303F8 Relevance: 1.6, APIs: 1, Instructions: 104
COMMON

Function 0080B5DE Relevance: 1.6, APIs: 1, Instructions: 103
fileCOMMON

Function 00BD1D7E Relevance: 1.6, APIs: 1, Instructions: 99
registryCOMMON

Function 00A303E8 Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Function 0080BB4B Relevance: 1.6, APIs: 1, Instructions: 98
registryCOMMON

Function 0080A7C7 Relevance: 1.6, APIs: 1, Instructions: 95
registryCOMMON

Function 00BD099C Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Function 0080A612 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Function 00BD0894 Relevance: 1.6, APIs: 1, Instructions: 89
timeCOMMON

Function 00BD0190 Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Function 00BD1DAA Relevance: 1.6, APIs: 1, Instructions: 86
registryCOMMON