Edit tour

Windows Analysis Report
b8UsrDOVGV.exe

Overview

General Information

Sample name:	b8UsrDOVGV.exe renamed because original name is a hash value
Original sample name:	b7dd9dd7470af783d5d955b455d58cac.exe
Analysis ID:	1369814
MD5:	b7dd9dd7470af783d5d955b455d58cac
SHA1:	bbd0c1d74c948e95f5f007102fbabcf3867a2625
SHA256:	8d1bfbe0d300231cf7892a9be51258a77f52a85eac045cb42a64b357702c0c5f
Tags:	exenjratRAT
Infos:

Detection

Njrat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected Njrat

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Contains functionality to log keystrokes (.Net Source)

Creates autostart registry keys with suspicious names

Drops PE files to the startup folder

Drops PE files with benign system names

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies the windows firewall

Uses netsh to modify the Windows network and firewall settings

Abnormal high CPU Usage

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May infect USB drives

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

b8UsrDOVGV.exe (PID: 6176 cmdline: C:\Users\user\Desktop\b8UsrDOVGV.exe MD5: B7DD9DD7470AF783D5D955B455D58CAC)

Svchost.exe (PID: 6212 cmdline: "C:\Users\user\AppData\Roaming\Svchost.exe" MD5: B7DD9DD7470AF783D5D955B455D58CAC)

netsh.exe (PID: 2104 cmdline: netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\Svchost.exe" "Svchost.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

conhost.exe (PID: 3468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Svchost.exe (PID: 3584 cmdline: "C:\Users\user\AppData\Roaming\Svchost.exe" .. MD5: B7DD9DD7470AF783D5D955B455D58CAC)

Svchost.exe (PID: 4504 cmdline: "C:\Users\user\AppData\Roaming\Svchost.exe" .. MD5: B7DD9DD7470AF783D5D955B455D58CAC)

Svchost.exe (PID: 4176 cmdline: "C:\Users\user\AppData\Roaming\Svchost.exe" .. MD5: B7DD9DD7470AF783D5D955B455D58CAC)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
NjRAT	RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.	AQUATIC PANDA Earth Lusca Operation C-Major The Gorgon Group	http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/ http://blogs.360.cn/post/analysis-of-apt-c-37.html http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/ https://asec.ahnlab.com/1369	https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Malware Configuration

Threatname: Njrat

{"Host": "2.tcp.eu.ngrok.io", "Port": "19483", "Version": "im523", "Campaign ID": "HacKed", "Install Name": "Svchost.exe", "Install Dir": "AppData"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
b8UsrDOVGV.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
b8UsrDOVGV.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x64c1:$a1: get_Registry 0x7f02:$a3: Download ERROR 0x81f4:$a5: netsh firewall delete allowedprogram "
b8UsrDOVGV.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x80ea:$a1: netsh firewall add allowedprogram 0x82e4:$b1: [TAP] 0x828a:$b2: & exit 0x8256:$c1: md.exe /k ping 0 & del
b8UsrDOVGV.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x81f4:$s1: netsh firewall delete allowedprogram 0x80ea:$s2: netsh firewall add allowedprogram 0x8254:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67 0x7ede:$s4: Execute ERROR 0x7f3e:$s4: Execute ERROR 0x7f02:$s5: Download ERROR 0x829a:$s6: [kl]

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\68d7771434a71722449c404baa3e5b31.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\68d7771434a71722449c404baa3e5b31.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x64c1:$a1: get_Registry 0x7f02:$a3: Download ERROR 0x81f4:$a5: netsh firewall delete allowedprogram "
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\68d7771434a71722449c404baa3e5b31.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x80ea:$a1: netsh firewall add allowedprogram 0x82e4:$b1: [TAP] 0x828a:$b2: & exit 0x8256:$c1: md.exe /k ping 0 & del
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\68d7771434a71722449c404baa3e5b31.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x81f4:$s1: netsh firewall delete allowedprogram 0x80ea:$s2: netsh firewall add allowedprogram 0x8254:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67 0x7ede:$s4: Execute ERROR 0x7f3e:$s4: Execute ERROR 0x7f02:$s5: Download ERROR 0x829a:$s6: [kl]
C:\Users\user\AppData\Roaming\Svchost.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Users\user\AppData\Roaming\Svchost.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x64c1:$a1: get_Registry 0x7f02:$a3: Download ERROR 0x81f4:$a5: netsh firewall delete allowedprogram "
C:\Users\user\AppData\Roaming\Svchost.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x80ea:$a1: netsh firewall add allowedprogram 0x82e4:$b1: [TAP] 0x828a:$b2: & exit 0x8256:$c1: md.exe /k ping 0 & del
C:\Users\user\AppData\Roaming\Svchost.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x81f4:$s1: netsh firewall delete allowedprogram 0x80ea:$s2: netsh firewall add allowedprogram 0x8254:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67 0x7ede:$s4: Execute ERROR 0x7f3e:$s4: Execute ERROR 0x7f02:$s5: Download ERROR 0x829a:$s6: [kl]
Click to see the 3 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1618553751.00000000004D2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000000.1618553751.00000000004D2000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x62c1:$a1: get_Registry 0x7d02:$a3: Download ERROR 0x7ff4:$a5: netsh firewall delete allowedprogram "
00000000.00000000.1618553751.00000000004D2000.00000002.00000001.01000000.00000003.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x7eea:$a1: netsh firewall add allowedprogram 0x80e4:$b1: [TAP] 0x808a:$b2: & exit 0x8056:$c1: md.exe /k ping 0 & del
00000001.00000002.4076153599.0000000002E91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: b8UsrDOVGV.exe PID: 6176	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Svchost.exe PID: 6212	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.b8UsrDOVGV.exe.4d0000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.0.b8UsrDOVGV.exe.4d0000.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x64c1:$a1: get_Registry 0x7f02:$a3: Download ERROR 0x81f4:$a5: netsh firewall delete allowedprogram "
0.0.b8UsrDOVGV.exe.4d0000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x80ea:$a1: netsh firewall add allowedprogram 0x82e4:$b1: [TAP] 0x828a:$b2: & exit 0x8256:$c1: md.exe /k ping 0 & del
0.0.b8UsrDOVGV.exe.4d0000.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x81f4:$s1: netsh firewall delete allowedprogram 0x80ea:$s2: netsh firewall add allowedprogram 0x8254:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67 0x7ede:$s4: Execute ERROR 0x7f3e:$s4: Execute ERROR 0x7f02:$s5: Download ERROR 0x829a:$s6: [kl]

Snort Signatures

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.4 - Destination IP: 3.126.37.18

Timestamp:	192.168.2.43.126.37.1849740194832814860 01/04/24-15:13:45.957337
SID:	2814860
Source Port:	49740
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) - Source IP: 192.168.2.4 - Destination IP: 3.126.37.18

Timestamp:	192.168.2.43.126.37.1849743194832825563 01/04/24-15:14:11.673311
SID:	2825563
Source Port:	49743
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.4 - Destination IP: 3.126.37.18

Timestamp:	192.168.2.43.126.37.1849742194832825564 01/04/24-15:14:08.608083
SID:	2825564
Source Port:	49742
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) - Source IP: 192.168.2.4 - Destination IP: 3.126.37.18

Timestamp:	192.168.2.43.126.37.1849742194832825563 01/04/24-15:14:03.015666
SID:	2825563
Source Port:	49742
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 3.126.37.18

Timestamp:	192.168.2.43.126.37.1849741194832033132 01/04/24-15:13:48.244663
SID:	2033132
Source Port:	49741
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.43.127.138.5749736194832814856 01/04/24-15:12:39.448191
SID:	2814856
Source Port:	49736
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 3.126.37.18

Timestamp:	192.168.2.43.126.37.1849738194832814856 01/04/24-15:13:14.155298
SID:	2814856
Source Port:	49738
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 3.126.37.18

Timestamp:	192.168.2.43.126.37.1849743194832033132 01/04/24-15:14:11.494212
SID:	2033132
Source Port:	49743
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 18.192.93.86

Timestamp:	192.168.2.418.192.93.8649750194832033132 01/04/24-15:15:39.855430
SID:	2033132
Source Port:	49750
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 3.126.37.18

Timestamp:	192.168.2.43.126.37.1849739194832814856 01/04/24-15:13:28.577588
SID:	2814856
Source Port:	49739
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 3.126.37.18

Timestamp:	192.168.2.43.126.37.1849740194832033132 01/04/24-15:13:40.950373
SID:	2033132
Source Port:	49740
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.4 - Destination IP: 3.126.37.18

Timestamp:	192.168.2.43.126.37.1849743194832825564 01/04/24-15:14:16.730036
SID:	2825564
Source Port:	49743
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.4 - Destination IP: 18.192.93.86

Timestamp:	192.168.2.418.192.93.8649750194832825564 01/04/24-15:15:56.542416
SID:	2825564
Source Port:	49750
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.4 - Destination IP: 3.126.37.18

Timestamp:	192.168.2.43.126.37.1849743194832814860 01/04/24-15:14:16.730036
SID:	2814860
Source Port:	49743
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.4 - Destination IP: 18.192.93.86

Timestamp:	192.168.2.418.192.93.8649750194832814860 01/04/24-15:15:56.542416
SID:	2814860
Source Port:	49750
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.4 - Destination IP: 3.126.37.18

Timestamp:	192.168.2.43.126.37.1849742194832814860 01/04/24-15:14:08.608083
SID:	2814860
Source Port:	49742
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.4 - Destination IP: 3.126.37.18

Timestamp:	192.168.2.43.126.37.1849741194832814860 01/04/24-15:13:48.970310
SID:	2814860
Source Port:	49741
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 3.126.37.18

Timestamp:	192.168.2.43.126.37.1849742194832033132 01/04/24-15:14:02.836622
SID:	2033132
Source Port:	49742
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 18.157.68.73

Timestamp:	192.168.2.418.157.68.7349747194832814856 01/04/24-15:14:58.014827
SID:	2814856
Source Port:	49747
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 18.192.93.86

Timestamp:	192.168.2.418.192.93.8649750194832814856 01/04/24-15:15:40.033269
SID:	2814856
Source Port:	49750
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 18.157.68.73

Timestamp:	192.168.2.418.157.68.7349748194832814856 01/04/24-15:15:05.487001
SID:	2814856
Source Port:	49748
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 18.157.68.73

Timestamp:	192.168.2.418.157.68.7349749194832814856 01/04/24-15:15:20.162099
SID:	2814856
Source Port:	49749
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) - Source IP: 192.168.2.4 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.43.127.138.5749729194832825563 01/04/24-15:12:05.296602
SID:	2825563
Source Port:	49729
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.4 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.43.127.138.5749729194832825564 01/04/24-15:12:35.839196
SID:	2825564
Source Port:	49729
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 18.157.68.73

Timestamp:	192.168.2.418.157.68.7349746194832033132 01/04/24-15:14:49.647228
SID:	2033132
Source Port:	49746
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 18.157.68.73

Timestamp:	192.168.2.418.157.68.7349747194832033132 01/04/24-15:14:57.836648
SID:	2033132
Source Port:	49747
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.4 - Destination IP: 18.157.68.73

Timestamp:	192.168.2.418.157.68.7349747194832814860 01/04/24-15:15:03.046282
SID:	2814860
Source Port:	49747
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 18.157.68.73

Timestamp:	192.168.2.418.157.68.7349748194832033132 01/04/24-15:15:05.306480
SID:	2033132
Source Port:	49748
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.4 - Destination IP: 3.126.37.18

Timestamp:	192.168.2.43.126.37.1849738194832814860 01/04/24-15:13:26.160390
SID:	2814860
Source Port:	49738
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.4 - Destination IP: 3.126.37.18

Timestamp:	192.168.2.43.126.37.1849739194832814860 01/04/24-15:13:38.932867
SID:	2814860
Source Port:	49739
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.4 - Destination IP: 18.157.68.73

Timestamp:	192.168.2.418.157.68.7349748194832814860 01/04/24-15:15:17.718665
SID:	2814860
Source Port:	49748
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.4 - Destination IP: 18.157.68.73

Timestamp:	192.168.2.418.157.68.7349749194832814860 01/04/24-15:15:37.312025
SID:	2814860
Source Port:	49749
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 3.126.37.18

Timestamp:	192.168.2.43.126.37.1849739194832033132 01/04/24-15:13:28.398406
SID:	2033132
Source Port:	49739
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 18.157.68.73

Timestamp:	192.168.2.418.157.68.7349749194832033132 01/04/24-15:15:19.981780
SID:	2033132
Source Port:	49749
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.4 - Destination IP: 3.126.37.18

Timestamp:	192.168.2.43.126.37.1849738194832825564 01/04/24-15:13:15.960330
SID:	2825564
Source Port:	49738
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 3.126.37.18

Timestamp:	192.168.2.43.126.37.1849738194832033132 01/04/24-15:13:13.976690
SID:	2033132
Source Port:	49738
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.4 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.43.127.138.5749736194832825564 01/04/24-15:13:07.761035
SID:	2825564
Source Port:	49736
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.4 - Destination IP: 18.157.68.73

Timestamp:	192.168.2.418.157.68.7349748194832825564 01/04/24-15:15:17.718665
SID:	2825564
Source Port:	49748
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.4 - Destination IP: 18.157.68.73

Timestamp:	192.168.2.418.157.68.7349746194832814860 01/04/24-15:14:55.647132
SID:	2814860
Source Port:	49746
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.43.127.138.5749729194832814856 01/04/24-15:12:05.296602
SID:	2814856
Source Port:	49729
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) - Source IP: 192.168.2.4 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.43.127.138.5749736194832825563 01/04/24-15:12:39.448191
SID:	2825563
Source Port:	49736
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.4 - Destination IP: 3.126.37.18

Timestamp:	192.168.2.43.126.37.1849739194832825564 01/04/24-15:13:34.111420
SID:	2825564
Source Port:	49739
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.4 - Destination IP: 18.157.68.73

Timestamp:	192.168.2.418.157.68.7349744194832814860 01/04/24-15:14:36.089719
SID:	2814860
Source Port:	49744
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.4 - Destination IP: 18.157.68.73

Timestamp:	192.168.2.418.157.68.7349745194832814860 01/04/24-15:14:44.795619
SID:	2814860
Source Port:	49745
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.4 - Destination IP: 18.157.68.73

Timestamp:	192.168.2.418.157.68.7349749194832825564 01/04/24-15:15:37.312025
SID:	2825564
Source Port:	49749
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 18.157.68.73

Timestamp:	192.168.2.418.157.68.7349745194832033132 01/04/24-15:14:43.446368
SID:	2033132
Source Port:	49745
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.4 - Destination IP: 18.157.68.73

Timestamp:	192.168.2.418.157.68.7349744194832825564 01/04/24-15:14:36.089719
SID:	2825564
Source Port:	49744
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 18.157.68.73

Timestamp:	192.168.2.418.157.68.7349744194832033132 01/04/24-15:14:27.670241
SID:	2033132
Source Port:	49744
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) - Source IP: 192.168.2.4 - Destination IP: 18.157.68.73

Timestamp:	192.168.2.418.157.68.7349744194832825563 01/04/24-15:14:27.850612
SID:	2825563
Source Port:	49744
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.4 - Destination IP: 18.157.68.73

Timestamp:	192.168.2.418.157.68.7349746194832825564 01/04/24-15:14:53.506462
SID:	2825564
Source Port:	49746
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.4 - Destination IP: 18.157.68.73

Timestamp:	192.168.2.418.157.68.7349747194832825564 01/04/24-15:15:01.621207
SID:	2825564
Source Port:	49747
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) - Source IP: 192.168.2.4 - Destination IP: 18.157.68.73

Timestamp:	192.168.2.418.157.68.7349746194832825563 01/04/24-15:14:49.825260
SID:	2825563
Source Port:	49746
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.4 - Destination IP: 18.157.68.73

Timestamp:	192.168.2.418.157.68.7349745194832825564 01/04/24-15:14:44.795619
SID:	2825564
Source Port:	49745
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) - Source IP: 192.168.2.4 - Destination IP: 18.157.68.73

Timestamp:	192.168.2.418.157.68.7349745194832825563 01/04/24-15:14:43.626690
SID:	2825563
Source Port:	49745
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 18.157.68.73

Timestamp:	192.168.2.418.157.68.7349746194832814856 01/04/24-15:14:49.825260
SID:	2814856
Source Port:	49746
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 3.126.37.18

Timestamp:	192.168.2.43.126.37.1849742194832814856 01/04/24-15:14:03.015666
SID:	2814856
Source Port:	49742
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 3.126.37.18

Timestamp:	192.168.2.43.126.37.1849743194832814856 01/04/24-15:14:11.673311
SID:	2814856
Source Port:	49743
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.4 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.43.127.138.5749729194832814860 01/04/24-15:12:35.839196
SID:	2814860
Source Port:	49729
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 18.157.68.73

Timestamp:	192.168.2.418.157.68.7349744194832814856 01/04/24-15:14:27.850612
SID:	2814856
Source Port:	49744
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 3.126.37.18

Timestamp:	192.168.2.43.126.37.1849741194832814856 01/04/24-15:13:48.425581
SID:	2814856
Source Port:	49741
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 18.157.68.73

Timestamp:	192.168.2.418.157.68.7349745194832814856 01/04/24-15:14:43.626690
SID:	2814856
Source Port:	49745
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.43.127.138.5749729194832033132 01/04/24-15:12:05.116234
SID:	2033132
Source Port:	49729
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.43.127.138.5749736194832033132 01/04/24-15:12:39.268705
SID:	2033132
Source Port:	49736
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.4 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.43.127.138.5749736194832814860 01/04/24-15:13:11.667134
SID:	2814860
Source Port:	49736
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 3.126.37.18

Timestamp:	192.168.2.43.126.37.1849740194832814856 01/04/24-15:13:41.129967
SID:	2814856
Source Port:	49740
Destination Port:	19483
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: b8UsrDOVGV.exe

Avira: detected

Antivirus detection for URL or domain

Source: 2.tcp.eu.ngrok.io

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Svchost.exe	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\68d7771434a71722449c404baa3e5b31.exe	Avira: detection malicious, Label: TR/ATRAPS.Gen

Found malware configuration

Source: 00000000.00000000.1618553751.00000000004D2000.00000002.00000001.01000000.00000003.sdmp

Malware Configuration Extractor: Njrat {"Host": "2.tcp.eu.ngrok.io", "Port": "19483", "Version": "im523", "Campaign ID": "HacKed", "Install Name": "Svchost.exe", "Install Dir": "AppData"}

Multi AV Scanner detection for domain / URL

Source: 2.tcp.eu.ngrok.io	Virustotal: Detection: 12%			Perma Link
Source: 2.tcp.eu.ngrok.io	Virustotal: Detection: 12%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\68d7771434a71722449c404baa3e5b31.exe	ReversingLabs: Detection: 94%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\68d7771434a71722449c404baa3e5b31.exe	Virustotal: Detection: 88%	Perma Link
Source: C:\Users\user\AppData\Roaming\Svchost.exe	ReversingLabs: Detection: 94%
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Virustotal: Detection: 88%	Perma Link

Multi AV Scanner detection for submitted file

Source: b8UsrDOVGV.exe	ReversingLabs: Detection: 94%
Source: b8UsrDOVGV.exe	Virustotal: Detection: 88%			Perma Link

Yara detected Njrat

Source: Yara match	File source: b8UsrDOVGV.exe, type: SAMPLE
Source: Yara match	File source: 0.0.b8UsrDOVGV.exe.4d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1618553751.00000000004D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4076153599.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: b8UsrDOVGV.exe PID: 6176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Svchost.exe PID: 6212, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\68d7771434a71722449c404baa3e5b31.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Svchost.exe, type: DROPPED

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Svchost.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\68d7771434a71722449c404baa3e5b31.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: b8UsrDOVGV.exe

Joe Sandbox ML: detected

Source: b8UsrDOVGV.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\b8UsrDOVGV.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: b8UsrDOVGV.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: b8UsrDOVGV.exe, 00000000.00000000.1618553751.00000000004D2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: autorun.inf
Source: b8UsrDOVGV.exe, 00000000.00000000.1618553751.00000000004D2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: [autorun]
Source: b8UsrDOVGV.exe, 00000000.00000002.1685746025.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: b8UsrDOVGV.exe, 00000000.00000002.1685746025.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: Svchost.exe, 00000001.00000002.4076153599.0000000002E91000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: Svchost.exe, 00000001.00000002.4076153599.0000000002E91000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: b8UsrDOVGV.exe	Binary or memory string: autorun.inf
Source: b8UsrDOVGV.exe	Binary or memory string: [autorun]
Source: Svchost.exe.0.dr	Binary or memory string: autorun.inf
Source: Svchost.exe.0.dr	Binary or memory string: [autorun]
Source: 68d7771434a71722449c404baa3e5b31.exe.1.dr	Binary or memory string: autorun.inf
Source: 68d7771434a71722449c404baa3e5b31.exe.1.dr	Binary or memory string: [autorun]

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49729 -> 3.127.138.57:19483
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49729 -> 3.127.138.57:19483
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49729 -> 3.127.138.57:19483
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49729 -> 3.127.138.57:19483
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49729 -> 3.127.138.57:19483
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49736 -> 3.127.138.57:19483
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49736 -> 3.127.138.57:19483
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49736 -> 3.127.138.57:19483
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49736 -> 3.127.138.57:19483
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49736 -> 3.127.138.57:19483
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49738 -> 3.126.37.18:19483
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49738 -> 3.126.37.18:19483
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49738 -> 3.126.37.18:19483
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49738 -> 3.126.37.18:19483
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49739 -> 3.126.37.18:19483
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49739 -> 3.126.37.18:19483
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49739 -> 3.126.37.18:19483
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49739 -> 3.126.37.18:19483
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49740 -> 3.126.37.18:19483
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49740 -> 3.126.37.18:19483
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49740 -> 3.126.37.18:19483
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49741 -> 3.126.37.18:19483
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49741 -> 3.126.37.18:19483
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49741 -> 3.126.37.18:19483
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49742 -> 3.126.37.18:19483
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49742 -> 3.126.37.18:19483
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49742 -> 3.126.37.18:19483
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49742 -> 3.126.37.18:19483
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49742 -> 3.126.37.18:19483
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49743 -> 3.126.37.18:19483
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49743 -> 3.126.37.18:19483
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49743 -> 3.126.37.18:19483
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49743 -> 3.126.37.18:19483
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49743 -> 3.126.37.18:19483
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49744 -> 18.157.68.73:19483
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49744 -> 18.157.68.73:19483
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49744 -> 18.157.68.73:19483
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49744 -> 18.157.68.73:19483
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49744 -> 18.157.68.73:19483
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49745 -> 18.157.68.73:19483
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49745 -> 18.157.68.73:19483
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49745 -> 18.157.68.73:19483
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49745 -> 18.157.68.73:19483
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49745 -> 18.157.68.73:19483
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49746 -> 18.157.68.73:19483
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49746 -> 18.157.68.73:19483
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49746 -> 18.157.68.73:19483
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49746 -> 18.157.68.73:19483
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49746 -> 18.157.68.73:19483
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49747 -> 18.157.68.73:19483
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49747 -> 18.157.68.73:19483
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49747 -> 18.157.68.73:19483
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49747 -> 18.157.68.73:19483
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49748 -> 18.157.68.73:19483
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49748 -> 18.157.68.73:19483
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49748 -> 18.157.68.73:19483
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49748 -> 18.157.68.73:19483
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49749 -> 18.157.68.73:19483
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49749 -> 18.157.68.73:19483
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49749 -> 18.157.68.73:19483
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49749 -> 18.157.68.73:19483
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49750 -> 18.192.93.86:19483
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49750 -> 18.192.93.86:19483
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49750 -> 18.192.93.86:19483
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49750 -> 18.192.93.86:19483

System process connects to network (likely due to code injection or exploit)

Source: C:\Users\user\AppData\Roaming\Svchost.exe	Network Connect: 3.127.138.57 19483			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Network Connect: 3.126.37.18 19483			Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 2.tcp.eu.ngrok.io

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 3.127.138.57 ports 19483,1,3,4,8,9
Source: global traffic	TCP traffic: 18.192.93.86 ports 19483,1,3,4,8,9
Source: global traffic	TCP traffic: 3.126.37.18 ports 19483,1,3,4,8,9
Source: global traffic	TCP traffic: 18.157.68.73 ports 19483,1,3,4,8,9

Source: global traffic	TCP traffic: 192.168.2.4:49729 -> 3.127.138.57:19483
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 3.126.37.18:19483
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 18.157.68.73:19483
Source: global traffic	TCP traffic: 192.168.2.4:49750 -> 18.192.93.86:19483

Source: Joe Sandbox View	IP Address: 3.127.138.57 3.127.138.57
Source: Joe Sandbox View	IP Address: 3.126.37.18 3.126.37.18
Source: Joe Sandbox View	IP Address: 18.192.93.86 18.192.93.86

Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: 2.tcp.eu.ngrok.io

Source: Svchost.exe, 00000001.00000002.4075353687.000000000086C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.
Source: Svchost.exe, 00000001.00000002.4075353687.000000000086C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.LinkId=42127
Source: b8UsrDOVGV.exe, Svchost.exe.0.dr, 68d7771434a71722449c404baa3e5b31.exe.1.dr	String found in binary or memory: https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: b8UsrDOVGV.exe, kl.cs	.Net Code: VKCodeToUnicode
Source: Svchost.exe.0.dr, kl.cs	.Net Code: VKCodeToUnicode
Source: 68d7771434a71722449c404baa3e5b31.exe.1.dr, kl.cs	.Net Code: VKCodeToUnicode

E-Banking Fraud

Yara detected Njrat

Source: Yara match	File source: b8UsrDOVGV.exe, type: SAMPLE
Source: Yara match	File source: 0.0.b8UsrDOVGV.exe.4d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1618553751.00000000004D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4076153599.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: b8UsrDOVGV.exe PID: 6176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Svchost.exe PID: 6212, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\68d7771434a71722449c404baa3e5b31.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Svchost.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: b8UsrDOVGV.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: b8UsrDOVGV.exe, type: SAMPLE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: b8UsrDOVGV.exe, type: SAMPLE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.0.b8UsrDOVGV.exe.4d0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.0.b8UsrDOVGV.exe.4d0000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.0.b8UsrDOVGV.exe.4d0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000000.00000000.1618553751.00000000004D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000000.1618553751.00000000004D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\68d7771434a71722449c404baa3e5b31.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\68d7771434a71722449c404baa3e5b31.exe, type: DROPPED	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\68d7771434a71722449c404baa3e5b31.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Svchost.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\AppData\Roaming\Svchost.exe, type: DROPPED	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Roaming\Svchost.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen

Source: C:\Users\user\AppData\Roaming\Svchost.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Roaming\Svchost.exe	Code function: 1_2_027BB836 NtQuerySystemInformation,		1_2_027BB836
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Code function: 1_2_027BB7FB NtQuerySystemInformation,		1_2_027BB7FB

Source: b8UsrDOVGV.exe, 00000000.00000002.1685380219.0000000000A9E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenamemscorwks.dllT vs b8UsrDOVGV.exe

Source: b8UsrDOVGV.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: b8UsrDOVGV.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: b8UsrDOVGV.exe, type: SAMPLE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: b8UsrDOVGV.exe, type: SAMPLE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.0.b8UsrDOVGV.exe.4d0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.0.b8UsrDOVGV.exe.4d0000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.0.b8UsrDOVGV.exe.4d0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000000.00000000.1618553751.00000000004D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000000.1618553751.00000000004D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\68d7771434a71722449c404baa3e5b31.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\68d7771434a71722449c404baa3e5b31.exe, type: DROPPED	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\68d7771434a71722449c404baa3e5b31.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Roaming\Svchost.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Roaming\Svchost.exe, type: DROPPED	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Roaming\Svchost.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi

Source: classification engine

Classification label: mal100.troj.adwa.spyw.evad.winEXE@9/7@4/4

Source: C:\Users\user\AppData\Roaming\Svchost.exe	Code function: 1_2_027BB5F6 AdjustTokenPrivileges,		1_2_027BB5F6
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Code function: 1_2_027BB5BF AdjustTokenPrivileges,		1_2_027BB5BF

Source: C:\Users\user\Desktop\b8UsrDOVGV.exe

File created: C:\Users\user\AppData\Roaming\Svchost.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3468:120:WilError_03
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\68d7771434a71722449c404baa3e5b31

Source: b8UsrDOVGV.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: b8UsrDOVGV.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\b8UsrDOVGV.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\276d7f4a20a3c21c3bf6fc9bfc1915a2\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\b8UsrDOVGV.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\b8UsrDOVGV.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\276d7f4a20a3c21c3bf6fc9bfc1915a2\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\276d7f4a20a3c21c3bf6fc9bfc1915a2\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\276d7f4a20a3c21c3bf6fc9bfc1915a2\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\276d7f4a20a3c21c3bf6fc9bfc1915a2\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Users\user\Desktop\b8UsrDOVGV.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\b8UsrDOVGV.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: b8UsrDOVGV.exe	ReversingLabs: Detection: 94%
Source: b8UsrDOVGV.exe	Virustotal: Detection: 88%

Source: C:\Users\user\Desktop\b8UsrDOVGV.exe

File read: C:\Users\user\Desktop\b8UsrDOVGV.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\b8UsrDOVGV.exe C:\Users\user\Desktop\b8UsrDOVGV.exe
Source: C:\Users\user\Desktop\b8UsrDOVGV.exe	Process created: C:\Users\user\AppData\Roaming\Svchost.exe "C:\Users\user\AppData\Roaming\Svchost.exe"
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\Svchost.exe" "Svchost.exe" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Svchost.exe "C:\Users\user\AppData\Roaming\Svchost.exe" ..
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Svchost.exe "C:\Users\user\AppData\Roaming\Svchost.exe" ..
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Svchost.exe "C:\Users\user\AppData\Roaming\Svchost.exe" ..
Source: C:\Users\user\Desktop\b8UsrDOVGV.exe	Process created: C:\Users\user\AppData\Roaming\Svchost.exe "C:\Users\user\AppData\Roaming\Svchost.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\Svchost.exe" "Svchost.exe" ENABLE	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Svchost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Svchost.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: b8UsrDOVGV.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\b8UsrDOVGV.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: b8UsrDOVGV.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: b8UsrDOVGV.exe, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: Svchost.exe.0.dr, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: 68d7771434a71722449c404baa3e5b31.exe.1.dr, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])

Persistence and Installation Behavior

Drops PE files with benign system names

Source: C:\Users\user\Desktop\b8UsrDOVGV.exe

File created: C:\Users\user\AppData\Roaming\Svchost.exe

Jump to dropped file

Source: C:\Users\user\Desktop\b8UsrDOVGV.exe	File created: C:\Users\user\AppData\Roaming\Svchost.exe			Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Svchost.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\68d7771434a71722449c404baa3e5b31.exe			Jump to dropped file

Boot Survival

Creates autostart registry keys with suspicious names

Source: C:\Users\user\AppData\Roaming\Svchost.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 68d7771434a71722449c404baa3e5b31

Jump to behavior

Drops PE files to the startup folder

Source: C:\Users\user\AppData\Roaming\Svchost.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\68d7771434a71722449c404baa3e5b31.exe

Jump to dropped file

Source: C:\Users\user\AppData\Roaming\Svchost.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\68d7771434a71722449c404baa3e5b31.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Svchost.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\68d7771434a71722449c404baa3e5b31.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\68d7771434a71722449c404baa3e5b31.exe\:Zone.Identifier:$DATA			Jump to behavior

Source: C:\Users\user\AppData\Roaming\Svchost.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 68d7771434a71722449c404baa3e5b31	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 68d7771434a71722449c404baa3e5b31	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run 68d7771434a71722449c404baa3e5b31	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run 68d7771434a71722449c404baa3e5b31	Jump to behavior

Source: C:\Users\user\Desktop\b8UsrDOVGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b8UsrDOVGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b8UsrDOVGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b8UsrDOVGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b8UsrDOVGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b8UsrDOVGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b8UsrDOVGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b8UsrDOVGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b8UsrDOVGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b8UsrDOVGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b8UsrDOVGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b8UsrDOVGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b8UsrDOVGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b8UsrDOVGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b8UsrDOVGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b8UsrDOVGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b8UsrDOVGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b8UsrDOVGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b8UsrDOVGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b8UsrDOVGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b8UsrDOVGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\b8UsrDOVGV.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Svchost.exe	Window / User API: threadDelayed 593	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Window / User API: threadDelayed 3211	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Window / User API: threadDelayed 4631	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Window / User API: foregroundWindowGot 432	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Window / User API: foregroundWindowGot 1272	Jump to behavior

Source: C:\Users\user\Desktop\b8UsrDOVGV.exe TID: 6412	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe TID: 4480	Thread sleep count: 593 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe TID: 4480	Thread sleep time: -593000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe TID: 5316	Thread sleep count: 3211 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe TID: 4480	Thread sleep count: 4631 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe TID: 4480	Thread sleep time: -4631000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe TID: 6412	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe TID: 6504	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe TID: 6788	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\b8UsrDOVGV.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Svchost.exe, 00000001.00000002.4075353687.000000000086C000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000003.00000003.1751114243.0000000000821000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Roaming\Svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Svchost.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\b8UsrDOVGV.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Users\user\AppData\Roaming\Svchost.exe	Network Connect: 3.127.138.57 19483			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Network Connect: 3.126.37.18 19483			Jump to behavior

.NET source code references suspicious native API functions

Source: b8UsrDOVGV.exe, kl.cs	Reference to suspicious API methods: MapVirtualKey(a, 0u)
Source: b8UsrDOVGV.exe, kl.cs	Reference to suspicious API methods: GetAsyncKeyState(num2)
Source: b8UsrDOVGV.exe, OK.cs	Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)

Source: C:\Users\user\Desktop\b8UsrDOVGV.exe

Process created: C:\Users\user\AppData\Roaming\Svchost.exe "C:\Users\user\AppData\Roaming\Svchost.exe"

Jump to behavior

Source: Svchost.exe, 00000001.00000002.4076153599.00000000031DF000.00000004.00000800.00020000.00000000.sdmp, Svchost.exe, 00000001.00000002.4076153599.00000000031A9000.00000004.00000800.00020000.00000000.sdmp, Svchost.exe, 00000001.00000002.4076153599.000000000332F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: Svchost.exe, 00000001.00000002.4075353687.000000000086C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Rh Program Manager
Source: Svchost.exe, 00000001.00000002.4076153599.00000000031DF000.00000004.00000800.00020000.00000000.sdmp, Svchost.exe, 00000001.00000002.4076153599.00000000031A9000.00000004.00000800.00020000.00000000.sdmp, Svchost.exe, 00000001.00000002.4076153599.000000000332F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: program managerL.
Source: Svchost.exe, 00000001.00000002.4076153599.00000000031DF000.00000004.00000800.00020000.00000000.sdmp, Svchost.exe, 00000001.00000002.4076153599.0000000002E91000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: program manager
Source: Svchost.exe, 00000001.00000002.4076153599.00000000031DF000.00000004.00000800.00020000.00000000.sdmp, Svchost.exe, 00000001.00000002.4076153599.000000000332F000.00000004.00000800.00020000.00000000.sdmp, Svchost.exe, 00000001.00000002.4076153599.0000000003074000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@9

Source: C:\Users\user\AppData\Roaming\Svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Svchost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Modifies the windows firewall

Source: C:\Users\user\AppData\Roaming\Svchost.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\Svchost.exe" "Svchost.exe" ENABLE

Uses netsh to modify the Windows network and firewall settings

Source: C:\Users\user\AppData\Roaming\Svchost.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\Svchost.exe" "Svchost.exe" ENABLE

Stealing of Sensitive Information

Yara detected Njrat

Source: Yara match	File source: b8UsrDOVGV.exe, type: SAMPLE
Source: Yara match	File source: 0.0.b8UsrDOVGV.exe.4d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1618553751.00000000004D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4076153599.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: b8UsrDOVGV.exe PID: 6176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Svchost.exe PID: 6212, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\68d7771434a71722449c404baa3e5b31.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Svchost.exe, type: DROPPED

Remote Access Functionality

Yara detected Njrat

Source: Yara match	File source: b8UsrDOVGV.exe, type: SAMPLE
Source: Yara match	File source: 0.0.b8UsrDOVGV.exe.4d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1618553751.00000000004D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4076153599.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: b8UsrDOVGV.exe PID: 6176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Svchost.exe PID: 6212, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\68d7771434a71722449c404baa3e5b31.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Svchost.exe, type: DROPPED

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
1 Replication Through Removable Media	1 Native API	221 Registry Run Keys / Startup Folder	1 Access Token Manipulation	11 Masquerading	1 Input Capture	11 Security Software Discovery	1 Replication Through Removable Media	1 Input Capture	Exfiltration Over Other Network Medium	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	112 Process Injection	21 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Application Layer Protocol	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	221 Registry Run Keys / Startup Folder	21 Virtualization/Sandbox Evasion	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	11 Application Layer Protocol			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	1 Access Token Manipulation	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	Protocol Impersonation			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	112 Process Injection	LSA Secrets	1 Peripheral Device Discovery	SSH	Keylogging	Scheduled Transfer	Fallback Channels			Data Encrypted for Impact	Server	Gather Victim Network Information
Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Data Transfer Size Limits	Multiband Communication			Service Stop	Botnet	Domain Properties
External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	12 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over C2 Channel	Commonly Used Port			Inhibit System Recovery	Web Services	DNS

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
b8UsrDOVGV.exe	94%	ReversingLabs	ByteCode-MSIL.Backdoor.Ratenjay
b8UsrDOVGV.exe	100%	Avira	TR/ATRAPS.Gen
b8UsrDOVGV.exe	100%	Joe Sandbox ML
b8UsrDOVGV.exe	88%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Svchost.exe	100%	Avira	TR/ATRAPS.Gen
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\68d7771434a71722449c404baa3e5b31.exe	100%	Avira	TR/ATRAPS.Gen
C:\Users\user\AppData\Roaming\Svchost.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\68d7771434a71722449c404baa3e5b31.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\68d7771434a71722449c404baa3e5b31.exe	94%	ReversingLabs	ByteCode-MSIL.Backdoor.Ratenjay
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\68d7771434a71722449c404baa3e5b31.exe	88%	Virustotal		Browse
C:\Users\user\AppData\Roaming\Svchost.exe	94%	ReversingLabs	ByteCode-MSIL.Backdoor.Ratenjay
C:\Users\user\AppData\Roaming\Svchost.exe	88%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
2.tcp.eu.ngrok.io	12%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://go.microsoft.LinkId=42127	0%	Avira URL Cloud	safe
2.tcp.eu.ngrok.io	100%	Avira URL Cloud	malware
http://go.microsoft.	0%	Avira URL Cloud	safe
http://go.microsoft.	0%	Virustotal		Browse
2.tcp.eu.ngrok.io	12%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
2.tcp.eu.ngrok.io	3.127.138.57	true	true	12%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
2.tcp.eu.ngrok.io	true	12%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://go.microsoft.	Svchost.exe, 00000001.00000002.4075353687.000000000086C000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0	b8UsrDOVGV.exe, Svchost.exe.0.dr, 68d7771434a71722449c404baa3e5b31.exe.1.dr	false		high
http://go.microsoft.LinkId=42127	Svchost.exe, 00000001.00000002.4075353687.000000000086C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
3.127.138.57	2.tcp.eu.ngrok.io	United States	16509	AMAZON-02US	true
3.126.37.18	unknown	United States	16509	AMAZON-02US	true
18.192.93.86	unknown	United States	16509	AMAZON-02US	true
18.157.68.73	unknown	United States	16509	AMAZON-02US	true

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1369814
Start date and time:	2024-01-04 15:11:03 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	b8UsrDOVGV.exe renamed because original name is a hash value
Original Sample Name:	b7dd9dd7470af783d5d955b455d58cac.exe
Detection:	MAL
Classification:	mal100.troj.adwa.spyw.evad.winEXE@9/7@4/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 165 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:12:05	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 68d7771434a71722449c404baa3e5b31 "C:\Users\user\AppData\Roaming\Svchost.exe" ..
14:12:13	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run 68d7771434a71722449c404baa3e5b31 "C:\Users\user\AppData\Roaming\Svchost.exe" ..
14:12:23	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 68d7771434a71722449c404baa3e5b31 "C:\Users\user\AppData\Roaming\Svchost.exe" ..
14:12:31	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\68d7771434a71722449c404baa3e5b31.exe
15:12:34	API Interceptor	189963x Sleep call for process: Svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3.127.138.57	2G8CgDVl3K.exe	Get hash	malicious	Njrat	Browse
	tiodtk2cfy.exe	Get hash	malicious	Njrat	Browse
	QUuUm3J8x3.exe	Get hash	malicious	Njrat	Browse
	RWqHoCWEPI.exe	Get hash	malicious	Njrat	Browse
	OUXkIxeP6k.exe	Get hash	malicious	Njrat	Browse
	eI43OwXSvq.exe	Get hash	malicious	Njrat	Browse
	i9z1c1OtFb.exe	Get hash	malicious	Njrat	Browse
	JYGc3o49WE.exe	Get hash	malicious	Njrat	Browse
	J6VIiRgq3w.exe	Get hash	malicious	Njrat	Browse
	7JdbeSrZ6s.exe	Get hash	malicious	Njrat	Browse
	KcWQQO3nZP.exe	Get hash	malicious	Njrat	Browse
	zep8vTa4sg.exe	Get hash	malicious	Njrat	Browse
	umyExrpkSF.exe	Get hash	malicious	Njrat	Browse
	QBEgLAO40T.exe	Get hash	malicious	Njrat	Browse
	4KWKhZNy9w.exe	Get hash	malicious	Njrat	Browse
	yPGBUzqVE3.exe	Get hash	malicious	Njrat	Browse
	D02E3399D85D6B14B30F440181EF5B8FE6B55C403B8C7.exe	Get hash	malicious	njRat	Browse
	2dZGR4PTLu.exe	Get hash	malicious	Njrat	Browse
	LMva1J8Xkv.exe	Get hash	malicious	Njrat	Browse
	XlNjZS4E8x.exe	Get hash	malicious	Njrat	Browse
3.126.37.18	tiodtk2cfy.exe	Get hash	malicious	Njrat	Browse
	pQBmVoyRnw.exe	Get hash	malicious	Njrat	Browse
	NezbdhNgwG.exe	Get hash	malicious	Njrat	Browse
	xdPdkPMD8u.exe	Get hash	malicious	Njrat	Browse
	VBUXm77rfL.exe	Get hash	malicious	Njrat	Browse
	gEuhLHV0.posh.ps1	Get hash	malicious	Metasploit	Browse
	MibKbjH4.posh.ps1	Get hash	malicious	Unknown	Browse
	kXghM8bJcm.exe	Get hash	malicious	Njrat	Browse
	OUXkIxeP6k.exe	Get hash	malicious	Njrat	Browse
	eI43OwXSvq.exe	Get hash	malicious	Njrat	Browse
	p0zYXkMETE.exe	Get hash	malicious	Njrat	Browse
	i9z1c1OtFb.exe	Get hash	malicious	Njrat	Browse
	7XyFhq6BDj.exe	Get hash	malicious	Njrat	Browse
	JYGc3o49WE.exe	Get hash	malicious	Njrat	Browse
	J6VIiRgq3w.exe	Get hash	malicious	Njrat	Browse
	cTUu5Po5Hy.exe	Get hash	malicious	Njrat	Browse
	KcWQQO3nZP.exe	Get hash	malicious	Njrat	Browse
	zep8vTa4sg.exe	Get hash	malicious	Njrat	Browse
	u1LwUkKDIF.exe	Get hash	malicious	Njrat	Browse
	QBEgLAO40T.exe	Get hash	malicious	Njrat	Browse
18.192.93.86	P90GT_Invoice_Related_Property_Tax_P800.exe	Get hash	malicious	RedLine	Browse	2.tcp.eu.ngrok.io:17685/
18.192.93.86	http://www.sdrclm.cn/vendor/phpdocumentor/P800/P90GT_Invoice_Related_Property_Tax_P800.exe	Get hash	malicious	RedLine	Browse	2.tcp.eu.ngrok.io:17685/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
2.tcp.eu.ngrok.io	2G8CgDVl3K.exe	Get hash	malicious	Njrat	Browse	18.197.239.5
	BHp5Is5Xe7.exe	Get hash	malicious	Njrat	Browse	18.192.93.86
	tiodtk2cfy.exe	Get hash	malicious	Njrat	Browse	3.127.138.57
	QUuUm3J8x3.exe	Get hash	malicious	Njrat	Browse	3.127.138.57
	81Rz15POL6.exe	Get hash	malicious	Njrat	Browse	18.157.68.73
	649DB66A36E095B16832637A31D3CCC75040C5A6C23F6.exe	Get hash	malicious	Njrat	Browse	18.156.13.209
	pQBmVoyRnw.exe	Get hash	malicious	Njrat	Browse	18.156.13.209
	RWqHoCWEPI.exe	Get hash	malicious	Njrat	Browse	18.192.93.86
	EB4B6878310B1E2843C964E02EC1782AACB518E32777A.exe	Get hash	malicious	Njrat	Browse	18.192.93.86
	NezbdhNgwG.exe	Get hash	malicious	Njrat	Browse	18.192.93.86
	xdPdkPMD8u.exe	Get hash	malicious	Njrat	Browse	18.192.93.86
	VBUXm77rfL.exe	Get hash	malicious	Njrat	Browse	18.192.93.86
	1UGdjTlX5v.exe	Get hash	malicious	Njrat	Browse	18.157.68.73
	kXghM8bJcm.exe	Get hash	malicious	Njrat	Browse	18.192.93.86
	OUXkIxeP6k.exe	Get hash	malicious	Njrat	Browse	3.126.37.18
	QzzmZiGinp.exe	Get hash	malicious	Njrat	Browse	18.156.13.209
	eI43OwXSvq.exe	Get hash	malicious	Njrat	Browse	18.197.239.5
	p0zYXkMETE.exe	Get hash	malicious	Njrat	Browse	18.157.68.73
	i9z1c1OtFb.exe	Get hash	malicious	Njrat	Browse	18.157.68.73
	aF73k2XwGj.exe	Get hash	malicious	Njrat	Browse	18.192.93.86

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	https://trustwallet-com-crypto-wallet-case479958.ihrebildsache.de	Get hash	malicious	Phisher	Browse	52.9.109.18
	http://kineticwing.com/	Get hash	malicious	Unknown	Browse	99.84.191.77
	https://southportland.org/	Get hash	malicious	Unknown	Browse	52.85.132.116
	28UlG1fA5p.elf	Get hash	malicious	Mirai	Browse	52.53.164.79
	RTxhQMyj5e.elf	Get hash	malicious	Mirai	Browse	35.176.86.232
	i4ykIbKq4o.elf	Get hash	malicious	Mirai	Browse	34.243.160.129
	SecuriteInfo.com.Linux.Siggen.9999.13374.4326.elf	Get hash	malicious	Mirai	Browse	63.34.86.27
	SecuriteInfo.com.Linux.Siggen.9999.15798.13010.elf	Get hash	malicious	Mirai	Browse	108.143.162.137
	SecuriteInfo.com.Linux.Siggen.9999.3670.17870.elf	Get hash	malicious	Mirai	Browse	13.245.148.174
	DRcqrj4ODx.elf	Get hash	malicious	Mirai	Browse	44.224.37.47
	sora.x86.elf	Get hash	malicious	Mirai	Browse	18.139.80.246
	https://visit.trendmicro.com/OTQ1LUNYRC0wNjIAAAGQcpE819P35oo_d8Na5sCdj8SAIQiHwPzmvlK-8uQUTtJKerOjWaY_pmXItmUGTjv7M9HV3e4=	Get hash	malicious	Unknown	Browse	108.139.29.80
	Rakitin.x86.elf	Get hash	malicious	Mirai	Browse	108.150.4.169
	Rakitin.arm5.elf	Get hash	malicious	Mirai	Browse	108.131.163.62
	MDE_File_Sample_87ad0936c403d0ddfbceff0fa4e6c681c37cf072.zip	Get hash	malicious	Unknown	Browse	34.209.123.191
	SecuriteInfo.com.Trojan.Linux.Gafgyt.16218.4940.elf	Get hash	malicious	Unknown	Browse	54.171.230.55
	http://xei.aloviec.com/?dD1jJmQ9MjIwMzcmbD01NTMxJmM9MTg1NTUyJmF1PTA=	Get hash	malicious	Phisher	Browse	52.85.150.29
	ZC0CVbfY1v.exe	Get hash	malicious	Glupteba, Petite Virus, RedLine, SmokeLoader, Stealc	Browse	52.217.88.132
	6TBdUvQH7L.exe	Get hash	malicious	Glupteba, Petite Virus, RedLine, SmokeLoader, Stealc	Browse	52.216.92.203
	L5KPHu6Vfn.exe	Get hash	malicious	LummaC, Petite Virus, Quasar, RedLine, SmokeLoader, Stealc, Vidar	Browse	104.192.141.1
AMAZON-02US	https://trustwallet-com-crypto-wallet-case479958.ihrebildsache.de	Get hash	malicious	Phisher	Browse	52.9.109.18
	http://kineticwing.com/	Get hash	malicious	Unknown	Browse	99.84.191.77
	https://southportland.org/	Get hash	malicious	Unknown	Browse	52.85.132.116
	28UlG1fA5p.elf	Get hash	malicious	Mirai	Browse	52.53.164.79
	RTxhQMyj5e.elf	Get hash	malicious	Mirai	Browse	35.176.86.232
	i4ykIbKq4o.elf	Get hash	malicious	Mirai	Browse	34.243.160.129
	SecuriteInfo.com.Linux.Siggen.9999.13374.4326.elf	Get hash	malicious	Mirai	Browse	63.34.86.27
	SecuriteInfo.com.Linux.Siggen.9999.15798.13010.elf	Get hash	malicious	Mirai	Browse	108.143.162.137
	SecuriteInfo.com.Linux.Siggen.9999.3670.17870.elf	Get hash	malicious	Mirai	Browse	13.245.148.174
	DRcqrj4ODx.elf	Get hash	malicious	Mirai	Browse	44.224.37.47
	sora.x86.elf	Get hash	malicious	Mirai	Browse	18.139.80.246
	https://visit.trendmicro.com/OTQ1LUNYRC0wNjIAAAGQcpE819P35oo_d8Na5sCdj8SAIQiHwPzmvlK-8uQUTtJKerOjWaY_pmXItmUGTjv7M9HV3e4=	Get hash	malicious	Unknown	Browse	108.139.29.80
	Rakitin.x86.elf	Get hash	malicious	Mirai	Browse	108.150.4.169
	Rakitin.arm5.elf	Get hash	malicious	Mirai	Browse	108.131.163.62
	MDE_File_Sample_87ad0936c403d0ddfbceff0fa4e6c681c37cf072.zip	Get hash	malicious	Unknown	Browse	34.209.123.191
	SecuriteInfo.com.Trojan.Linux.Gafgyt.16218.4940.elf	Get hash	malicious	Unknown	Browse	54.171.230.55
	http://xei.aloviec.com/?dD1jJmQ9MjIwMzcmbD01NTMxJmM9MTg1NTUyJmF1PTA=	Get hash	malicious	Phisher	Browse	52.85.150.29
	ZC0CVbfY1v.exe	Get hash	malicious	Glupteba, Petite Virus, RedLine, SmokeLoader, Stealc	Browse	52.217.88.132
	6TBdUvQH7L.exe	Get hash	malicious	Glupteba, Petite Virus, RedLine, SmokeLoader, Stealc	Browse	52.216.92.203
	L5KPHu6Vfn.exe	Get hash	malicious	LummaC, Petite Virus, Quasar, RedLine, SmokeLoader, Stealc, Vidar	Browse	104.192.141.1
AMAZON-02US	https://trustwallet-com-crypto-wallet-case479958.ihrebildsache.de	Get hash	malicious	Phisher	Browse	52.9.109.18
	http://kineticwing.com/	Get hash	malicious	Unknown	Browse	99.84.191.77
	https://southportland.org/	Get hash	malicious	Unknown	Browse	52.85.132.116
	28UlG1fA5p.elf	Get hash	malicious	Mirai	Browse	52.53.164.79
	RTxhQMyj5e.elf	Get hash	malicious	Mirai	Browse	35.176.86.232
	i4ykIbKq4o.elf	Get hash	malicious	Mirai	Browse	34.243.160.129
	SecuriteInfo.com.Linux.Siggen.9999.13374.4326.elf	Get hash	malicious	Mirai	Browse	63.34.86.27
	SecuriteInfo.com.Linux.Siggen.9999.15798.13010.elf	Get hash	malicious	Mirai	Browse	108.143.162.137
	SecuriteInfo.com.Linux.Siggen.9999.3670.17870.elf	Get hash	malicious	Mirai	Browse	13.245.148.174
	DRcqrj4ODx.elf	Get hash	malicious	Mirai	Browse	44.224.37.47
	sora.x86.elf	Get hash	malicious	Mirai	Browse	18.139.80.246
	https://visit.trendmicro.com/OTQ1LUNYRC0wNjIAAAGQcpE819P35oo_d8Na5sCdj8SAIQiHwPzmvlK-8uQUTtJKerOjWaY_pmXItmUGTjv7M9HV3e4=	Get hash	malicious	Unknown	Browse	108.139.29.80
	Rakitin.x86.elf	Get hash	malicious	Mirai	Browse	108.150.4.169
	Rakitin.arm5.elf	Get hash	malicious	Mirai	Browse	108.131.163.62
	MDE_File_Sample_87ad0936c403d0ddfbceff0fa4e6c681c37cf072.zip	Get hash	malicious	Unknown	Browse	34.209.123.191
	SecuriteInfo.com.Trojan.Linux.Gafgyt.16218.4940.elf	Get hash	malicious	Unknown	Browse	54.171.230.55
	http://xei.aloviec.com/?dD1jJmQ9MjIwMzcmbD01NTMxJmM9MTg1NTUyJmF1PTA=	Get hash	malicious	Phisher	Browse	52.85.150.29
	ZC0CVbfY1v.exe	Get hash	malicious	Glupteba, Petite Virus, RedLine, SmokeLoader, Stealc	Browse	52.217.88.132
	6TBdUvQH7L.exe	Get hash	malicious	Glupteba, Petite Virus, RedLine, SmokeLoader, Stealc	Browse	52.216.92.203
	L5KPHu6Vfn.exe	Get hash	malicious	LummaC, Petite Virus, Quasar, RedLine, SmokeLoader, Stealc, Vidar	Browse	104.192.141.1

Process:	C:\Users\user\AppData\Roaming\Svchost.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.259753436570609
Encrypted:	false
SSDEEP:	12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
MD5:	260E01CC001F9C4643CA7A62F395D747
SHA1:	492AD0ACE3A9C8736909866EEA168962D418BE5A
SHA-256:	4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
SHA-512:	01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\b8UsrDOVGV.exe.log

Download File

Process:	C:\Users\user\Desktop\b8UsrDOVGV.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	525
Entropy (8bit):	5.259753436570609
Encrypted:	false
SSDEEP:	12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
MD5:	260E01CC001F9C4643CA7A62F395D747
SHA1:	492AD0ACE3A9C8736909866EEA168962D418BE5A
SHA-256:	4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
SHA-512:	01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\68d7771434a71722449c404baa3e5b31.exe

Download File

Process:	C:\Users\user\AppData\Roaming\Svchost.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	37888
Entropy (8bit):	5.57438645066409
Encrypted:	false
SSDEEP:	384:zLe2KMizd9jnBhFbJ8ycPVnvvnwaUBTrAF+rMRTyN/0L+EcoinblneHQM3epzXQD:W2g9lLJfcPVn3VU9rM+rMRa8Nu2Bt
MD5:	B7DD9DD7470AF783D5D955B455D58CAC
SHA1:	BBD0C1D74C948E95F5F007102FBABCF3867A2625
SHA-256:	8D1BFBE0D300231CF7892A9BE51258A77F52A85EAC045CB42A64B357702C0C5F
SHA-512:	AF2CEC43EA98A7E2C139C1433C4DBCF35DDEBC3F70AA8520F64C7096A6F6844F8021CBD22FA4BF46AE4961BE1972CA45407B15C1596770FAD5CB41C5860FB512
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\68d7771434a71722449c404baa3e5b31.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\68d7771434a71722449c404baa3e5b31.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\68d7771434a71722449c404baa3e5b31.exe, Author: Brian Wallace @botnet_hunter Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\68d7771434a71722449c404baa3e5b31.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 94% Antivirus: Virustotal, Detection: 88%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H.e................................ ........@.. ....................................@.................................t...W.......@............................................................................ ............... ..H............text....... ...................... ..`.rsrc...@...........................@..@.reloc..............................@..B........................H........e...E..........................................................&.(......*..(.......s.........s.........s.........s...........0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\68d7771434a71722449c404baa3e5b31.exe:Zone.Identifier

Download File

Process:	C:\Users\user\AppData\Roaming\Svchost.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\Svchost.exe

Download File

Process:	C:\Users\user\Desktop\b8UsrDOVGV.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	37888
Entropy (8bit):	5.57438645066409
Encrypted:	false
SSDEEP:	384:zLe2KMizd9jnBhFbJ8ycPVnvvnwaUBTrAF+rMRTyN/0L+EcoinblneHQM3epzXQD:W2g9lLJfcPVn3VU9rM+rMRa8Nu2Bt
MD5:	B7DD9DD7470AF783D5D955B455D58CAC
SHA1:	BBD0C1D74C948E95F5F007102FBABCF3867A2625
SHA-256:	8D1BFBE0D300231CF7892A9BE51258A77F52A85EAC045CB42A64B357702C0C5F
SHA-512:	AF2CEC43EA98A7E2C139C1433C4DBCF35DDEBC3F70AA8520F64C7096A6F6844F8021CBD22FA4BF46AE4961BE1972CA45407B15C1596770FAD5CB41C5860FB512
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Svchost.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Roaming\Svchost.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\Svchost.exe, Author: Brian Wallace @botnet_hunter Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Svchost.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 94% Antivirus: Virustotal, Detection: 88%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H.e................................ ........@.. ....................................@.................................t...W.......@............................................................................ ............... ..H............text....... ...................... ..`.rsrc...@...........................@..@.reloc..............................@..B........................H........e...E..........................................................&.(......*..(.......s.........s.........s.........s...........0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Users\user\AppData\Roaming\Svchost.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\b8UsrDOVGV.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

\Device\ConDrv

Download File

Process:	C:\Windows\SysWOW64\netsh.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	313
Entropy (8bit):	4.971939296804078
Encrypted:	false
SSDEEP:	6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
MD5:	689E2126A85BF55121488295EE068FA1
SHA1:	09BAAA253A49D80C18326DFBCA106551EBF22DD6
SHA-256:	D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
SHA-512:	C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
Malicious:	false
Preview:	..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.57438645066409
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	b8UsrDOVGV.exe
File size:	37'888 bytes
MD5:	b7dd9dd7470af783d5d955b455d58cac
SHA1:	bbd0c1d74c948e95f5f007102fbabcf3867a2625
SHA256:	8d1bfbe0d300231cf7892a9be51258a77f52a85eac045cb42a64b357702c0c5f
SHA512:	af2cec43ea98a7e2c139c1433c4dbcf35ddebc3f70aa8520f64c7096a6f6844f8021cbd22fa4bf46ae4961be1972ca45407b15c1596770fad5cb41c5860fb512
SSDEEP:	384:zLe2KMizd9jnBhFbJ8ycPVnvvnwaUBTrAF+rMRTyN/0L+EcoinblneHQM3epzXQD:W2g9lLJfcPVn3VU9rM+rMRa8Nu2Bt
TLSH:	B2032B8D7FE18168C5FD057B06B2D41207BAE04F6E23D91E8EF5649A37635C18B50AF2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H..e................................. ........@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40abce
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6592DF48 [Mon Jan 1 15:50:32 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xab74	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc000	0x240	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x8bd4	0x8c00	False	0.4636997767857143	data	5.606037807876678	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc000	0x240	0x400	False	0.3134765625	data	4.968771659524424	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe000	0xc	0x200	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0xc058	0x1e7	XML 1.0 document, ASCII text, with CRLF line terminators			0.5338809034907598

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.43.126.37.1849740194832814860 01/04/24-15:13:45.957337	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49740	19483	192.168.2.4	3.126.37.18
192.168.2.43.126.37.1849743194832825563 01/04/24-15:14:11.673311	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49743	19483	192.168.2.4	3.126.37.18
192.168.2.43.126.37.1849742194832825564 01/04/24-15:14:08.608083	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49742	19483	192.168.2.4	3.126.37.18
192.168.2.43.126.37.1849742194832825563 01/04/24-15:14:03.015666	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49742	19483	192.168.2.4	3.126.37.18
192.168.2.43.126.37.1849741194832033132 01/04/24-15:13:48.244663	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49741	19483	192.168.2.4	3.126.37.18
192.168.2.43.127.138.5749736194832814856 01/04/24-15:12:39.448191	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49736	19483	192.168.2.4	3.127.138.57
192.168.2.43.126.37.1849738194832814856 01/04/24-15:13:14.155298	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49738	19483	192.168.2.4	3.126.37.18
192.168.2.43.126.37.1849743194832033132 01/04/24-15:14:11.494212	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49743	19483	192.168.2.4	3.126.37.18
192.168.2.418.192.93.8649750194832033132 01/04/24-15:15:39.855430	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49750	19483	192.168.2.4	18.192.93.86
192.168.2.43.126.37.1849739194832814856 01/04/24-15:13:28.577588	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49739	19483	192.168.2.4	3.126.37.18
192.168.2.43.126.37.1849740194832033132 01/04/24-15:13:40.950373	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49740	19483	192.168.2.4	3.126.37.18
192.168.2.43.126.37.1849743194832825564 01/04/24-15:14:16.730036	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49743	19483	192.168.2.4	3.126.37.18
192.168.2.418.192.93.8649750194832825564 01/04/24-15:15:56.542416	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49750	19483	192.168.2.4	18.192.93.86
192.168.2.43.126.37.1849743194832814860 01/04/24-15:14:16.730036	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49743	19483	192.168.2.4	3.126.37.18
192.168.2.418.192.93.8649750194832814860 01/04/24-15:15:56.542416	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49750	19483	192.168.2.4	18.192.93.86
192.168.2.43.126.37.1849742194832814860 01/04/24-15:14:08.608083	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49742	19483	192.168.2.4	3.126.37.18
192.168.2.43.126.37.1849741194832814860 01/04/24-15:13:48.970310	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49741	19483	192.168.2.4	3.126.37.18
192.168.2.43.126.37.1849742194832033132 01/04/24-15:14:02.836622	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49742	19483	192.168.2.4	3.126.37.18
192.168.2.418.157.68.7349747194832814856 01/04/24-15:14:58.014827	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49747	19483	192.168.2.4	18.157.68.73
192.168.2.418.192.93.8649750194832814856 01/04/24-15:15:40.033269	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49750	19483	192.168.2.4	18.192.93.86
192.168.2.418.157.68.7349748194832814856 01/04/24-15:15:05.487001	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49748	19483	192.168.2.4	18.157.68.73
192.168.2.418.157.68.7349749194832814856 01/04/24-15:15:20.162099	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49749	19483	192.168.2.4	18.157.68.73
192.168.2.43.127.138.5749729194832825563 01/04/24-15:12:05.296602	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49729	19483	192.168.2.4	3.127.138.57
192.168.2.43.127.138.5749729194832825564 01/04/24-15:12:35.839196	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49729	19483	192.168.2.4	3.127.138.57
192.168.2.418.157.68.7349746194832033132 01/04/24-15:14:49.647228	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49746	19483	192.168.2.4	18.157.68.73
192.168.2.418.157.68.7349747194832033132 01/04/24-15:14:57.836648	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49747	19483	192.168.2.4	18.157.68.73
192.168.2.418.157.68.7349747194832814860 01/04/24-15:15:03.046282	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49747	19483	192.168.2.4	18.157.68.73
192.168.2.418.157.68.7349748194832033132 01/04/24-15:15:05.306480	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49748	19483	192.168.2.4	18.157.68.73
192.168.2.43.126.37.1849738194832814860 01/04/24-15:13:26.160390	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49738	19483	192.168.2.4	3.126.37.18
192.168.2.43.126.37.1849739194832814860 01/04/24-15:13:38.932867	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49739	19483	192.168.2.4	3.126.37.18
192.168.2.418.157.68.7349748194832814860 01/04/24-15:15:17.718665	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49748	19483	192.168.2.4	18.157.68.73
192.168.2.418.157.68.7349749194832814860 01/04/24-15:15:37.312025	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49749	19483	192.168.2.4	18.157.68.73
192.168.2.43.126.37.1849739194832033132 01/04/24-15:13:28.398406	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49739	19483	192.168.2.4	3.126.37.18
192.168.2.418.157.68.7349749194832033132 01/04/24-15:15:19.981780	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49749	19483	192.168.2.4	18.157.68.73
192.168.2.43.126.37.1849738194832825564 01/04/24-15:13:15.960330	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49738	19483	192.168.2.4	3.126.37.18
192.168.2.43.126.37.1849738194832033132 01/04/24-15:13:13.976690	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49738	19483	192.168.2.4	3.126.37.18
192.168.2.43.127.138.5749736194832825564 01/04/24-15:13:07.761035	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49736	19483	192.168.2.4	3.127.138.57
192.168.2.418.157.68.7349748194832825564 01/04/24-15:15:17.718665	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49748	19483	192.168.2.4	18.157.68.73
192.168.2.418.157.68.7349746194832814860 01/04/24-15:14:55.647132	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49746	19483	192.168.2.4	18.157.68.73
192.168.2.43.127.138.5749729194832814856 01/04/24-15:12:05.296602	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49729	19483	192.168.2.4	3.127.138.57
192.168.2.43.127.138.5749736194832825563 01/04/24-15:12:39.448191	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49736	19483	192.168.2.4	3.127.138.57
192.168.2.43.126.37.1849739194832825564 01/04/24-15:13:34.111420	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49739	19483	192.168.2.4	3.126.37.18
192.168.2.418.157.68.7349744194832814860 01/04/24-15:14:36.089719	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49744	19483	192.168.2.4	18.157.68.73
192.168.2.418.157.68.7349745194832814860 01/04/24-15:14:44.795619	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49745	19483	192.168.2.4	18.157.68.73
192.168.2.418.157.68.7349749194832825564 01/04/24-15:15:37.312025	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49749	19483	192.168.2.4	18.157.68.73
192.168.2.418.157.68.7349745194832033132 01/04/24-15:14:43.446368	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49745	19483	192.168.2.4	18.157.68.73
192.168.2.418.157.68.7349744194832825564 01/04/24-15:14:36.089719	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49744	19483	192.168.2.4	18.157.68.73
192.168.2.418.157.68.7349744194832033132 01/04/24-15:14:27.670241	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49744	19483	192.168.2.4	18.157.68.73
192.168.2.418.157.68.7349744194832825563 01/04/24-15:14:27.850612	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49744	19483	192.168.2.4	18.157.68.73
192.168.2.418.157.68.7349746194832825564 01/04/24-15:14:53.506462	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49746	19483	192.168.2.4	18.157.68.73
192.168.2.418.157.68.7349747194832825564 01/04/24-15:15:01.621207	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49747	19483	192.168.2.4	18.157.68.73
192.168.2.418.157.68.7349746194832825563 01/04/24-15:14:49.825260	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49746	19483	192.168.2.4	18.157.68.73
192.168.2.418.157.68.7349745194832825564 01/04/24-15:14:44.795619	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49745	19483	192.168.2.4	18.157.68.73
192.168.2.418.157.68.7349745194832825563 01/04/24-15:14:43.626690	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49745	19483	192.168.2.4	18.157.68.73
192.168.2.418.157.68.7349746194832814856 01/04/24-15:14:49.825260	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49746	19483	192.168.2.4	18.157.68.73
192.168.2.43.126.37.1849742194832814856 01/04/24-15:14:03.015666	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49742	19483	192.168.2.4	3.126.37.18
192.168.2.43.126.37.1849743194832814856 01/04/24-15:14:11.673311	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49743	19483	192.168.2.4	3.126.37.18
192.168.2.43.127.138.5749729194832814860 01/04/24-15:12:35.839196	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49729	19483	192.168.2.4	3.127.138.57
192.168.2.418.157.68.7349744194832814856 01/04/24-15:14:27.850612	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49744	19483	192.168.2.4	18.157.68.73
192.168.2.43.126.37.1849741194832814856 01/04/24-15:13:48.425581	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49741	19483	192.168.2.4	3.126.37.18
192.168.2.418.157.68.7349745194832814856 01/04/24-15:14:43.626690	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49745	19483	192.168.2.4	18.157.68.73
192.168.2.43.127.138.5749729194832033132 01/04/24-15:12:05.116234	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49729	19483	192.168.2.4	3.127.138.57
192.168.2.43.127.138.5749736194832033132 01/04/24-15:12:39.268705	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49736	19483	192.168.2.4	3.127.138.57
192.168.2.43.127.138.5749736194832814860 01/04/24-15:13:11.667134	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49736	19483	192.168.2.4	3.127.138.57
192.168.2.43.126.37.1849740194832814856 01/04/24-15:13:41.129967	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49740	19483	192.168.2.4	3.126.37.18

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 4, 2024 15:12:04.655698061 CET	49729	19483	192.168.2.4	3.127.138.57
Jan 4, 2024 15:12:04.836328030 CET	19483	49729	3.127.138.57	192.168.2.4
Jan 4, 2024 15:12:04.836522102 CET	49729	19483	192.168.2.4	3.127.138.57
Jan 4, 2024 15:12:05.116234064 CET	49729	19483	192.168.2.4	3.127.138.57
Jan 4, 2024 15:12:05.296421051 CET	19483	49729	3.127.138.57	192.168.2.4
Jan 4, 2024 15:12:05.296602011 CET	49729	19483	192.168.2.4	3.127.138.57
Jan 4, 2024 15:12:05.476875067 CET	19483	49729	3.127.138.57	192.168.2.4
Jan 4, 2024 15:12:10.792552948 CET	49729	19483	192.168.2.4	3.127.138.57
Jan 4, 2024 15:12:10.972716093 CET	19483	49729	3.127.138.57	192.168.2.4
Jan 4, 2024 15:12:26.066811085 CET	19483	49729	3.127.138.57	192.168.2.4
Jan 4, 2024 15:12:26.066890955 CET	49729	19483	192.168.2.4	3.127.138.57
Jan 4, 2024 15:12:27.698949099 CET	49729	19483	192.168.2.4	3.127.138.57
Jan 4, 2024 15:12:27.879112005 CET	19483	49729	3.127.138.57	192.168.2.4
Jan 4, 2024 15:12:35.839195967 CET	49729	19483	192.168.2.4	3.127.138.57
Jan 4, 2024 15:12:36.019442081 CET	19483	49729	3.127.138.57	192.168.2.4
Jan 4, 2024 15:12:37.070280075 CET	19483	49729	3.127.138.57	192.168.2.4
Jan 4, 2024 15:12:37.070507050 CET	49729	19483	192.168.2.4	3.127.138.57
Jan 4, 2024 15:12:39.074888945 CET	49729	19483	192.168.2.4	3.127.138.57
Jan 4, 2024 15:12:39.084208012 CET	49736	19483	192.168.2.4	3.127.138.57
Jan 4, 2024 15:12:39.255178928 CET	19483	49729	3.127.138.57	192.168.2.4
Jan 4, 2024 15:12:39.263700008 CET	19483	49736	3.127.138.57	192.168.2.4
Jan 4, 2024 15:12:39.263780117 CET	49736	19483	192.168.2.4	3.127.138.57
Jan 4, 2024 15:12:39.268704891 CET	49736	19483	192.168.2.4	3.127.138.57
Jan 4, 2024 15:12:39.448065042 CET	19483	49736	3.127.138.57	192.168.2.4
Jan 4, 2024 15:12:39.448190928 CET	49736	19483	192.168.2.4	3.127.138.57
Jan 4, 2024 15:12:39.627549887 CET	19483	49736	3.127.138.57	192.168.2.4
Jan 4, 2024 15:12:43.417296886 CET	49736	19483	192.168.2.4	3.127.138.57
Jan 4, 2024 15:12:43.596801043 CET	19483	49736	3.127.138.57	192.168.2.4
Jan 4, 2024 15:12:58.834974051 CET	19483	49736	3.127.138.57	192.168.2.4
Jan 4, 2024 15:12:58.835038900 CET	49736	19483	192.168.2.4	3.127.138.57
Jan 4, 2024 15:13:03.699297905 CET	49736	19483	192.168.2.4	3.127.138.57
Jan 4, 2024 15:13:03.878762007 CET	19483	49736	3.127.138.57	192.168.2.4
Jan 4, 2024 15:13:04.370604992 CET	49736	19483	192.168.2.4	3.127.138.57
Jan 4, 2024 15:13:04.550101995 CET	19483	49736	3.127.138.57	192.168.2.4
Jan 4, 2024 15:13:06.636231899 CET	49736	19483	192.168.2.4	3.127.138.57
Jan 4, 2024 15:13:06.815854073 CET	19483	49736	3.127.138.57	192.168.2.4
Jan 4, 2024 15:13:06.815929890 CET	49736	19483	192.168.2.4	3.127.138.57
Jan 4, 2024 15:13:06.995367050 CET	19483	49736	3.127.138.57	192.168.2.4
Jan 4, 2024 15:13:07.761034966 CET	49736	19483	192.168.2.4	3.127.138.57
Jan 4, 2024 15:13:07.940361023 CET	19483	49736	3.127.138.57	192.168.2.4
Jan 4, 2024 15:13:07.940421104 CET	49736	19483	192.168.2.4	3.127.138.57
Jan 4, 2024 15:13:08.119920015 CET	19483	49736	3.127.138.57	192.168.2.4
Jan 4, 2024 15:13:08.119999886 CET	49736	19483	192.168.2.4	3.127.138.57
Jan 4, 2024 15:13:08.299515009 CET	19483	49736	3.127.138.57	192.168.2.4
Jan 4, 2024 15:13:08.299596071 CET	49736	19483	192.168.2.4	3.127.138.57
Jan 4, 2024 15:13:08.479166031 CET	19483	49736	3.127.138.57	192.168.2.4
Jan 4, 2024 15:13:08.479258060 CET	49736	19483	192.168.2.4	3.127.138.57
Jan 4, 2024 15:13:08.658822060 CET	19483	49736	3.127.138.57	192.168.2.4
Jan 4, 2024 15:13:08.658900976 CET	49736	19483	192.168.2.4	3.127.138.57
Jan 4, 2024 15:13:08.838974953 CET	19483	49736	3.127.138.57	192.168.2.4
Jan 4, 2024 15:13:08.839034081 CET	49736	19483	192.168.2.4	3.127.138.57
Jan 4, 2024 15:13:09.018527985 CET	19483	49736	3.127.138.57	192.168.2.4
Jan 4, 2024 15:13:09.018613100 CET	49736	19483	192.168.2.4	3.127.138.57
Jan 4, 2024 15:13:09.198095083 CET	19483	49736	3.127.138.57	192.168.2.4
Jan 4, 2024 15:13:09.198175907 CET	49736	19483	192.168.2.4	3.127.138.57
Jan 4, 2024 15:13:09.377746105 CET	19483	49736	3.127.138.57	192.168.2.4
Jan 4, 2024 15:13:09.377821922 CET	49736	19483	192.168.2.4	3.127.138.57
Jan 4, 2024 15:13:09.557308912 CET	19483	49736	3.127.138.57	192.168.2.4
Jan 4, 2024 15:13:09.557389021 CET	49736	19483	192.168.2.4	3.127.138.57
Jan 4, 2024 15:13:09.736896992 CET	19483	49736	3.127.138.57	192.168.2.4
Jan 4, 2024 15:13:09.736984968 CET	49736	19483	192.168.2.4	3.127.138.57
Jan 4, 2024 15:13:09.916450977 CET	19483	49736	3.127.138.57	192.168.2.4
Jan 4, 2024 15:13:09.916538954 CET	49736	19483	192.168.2.4	3.127.138.57
Jan 4, 2024 15:13:10.096024036 CET	19483	49736	3.127.138.57	192.168.2.4
Jan 4, 2024 15:13:10.096122980 CET	49736	19483	192.168.2.4	3.127.138.57
Jan 4, 2024 15:13:10.275501966 CET	19483	49736	3.127.138.57	192.168.2.4
Jan 4, 2024 15:13:10.275599957 CET	49736	19483	192.168.2.4	3.127.138.57
Jan 4, 2024 15:13:10.455096006 CET	19483	49736	3.127.138.57	192.168.2.4
Jan 4, 2024 15:13:10.455190897 CET	49736	19483	192.168.2.4	3.127.138.57
Jan 4, 2024 15:13:10.634596109 CET	19483	49736	3.127.138.57	192.168.2.4
Jan 4, 2024 15:13:10.634701014 CET	49736	19483	192.168.2.4	3.127.138.57
Jan 4, 2024 15:13:10.814424038 CET	19483	49736	3.127.138.57	192.168.2.4
Jan 4, 2024 15:13:10.814521074 CET	49736	19483	192.168.2.4	3.127.138.57
Jan 4, 2024 15:13:10.994119883 CET	19483	49736	3.127.138.57	192.168.2.4
Jan 4, 2024 15:13:10.994335890 CET	49736	19483	192.168.2.4	3.127.138.57
Jan 4, 2024 15:13:11.173830986 CET	19483	49736	3.127.138.57	192.168.2.4
Jan 4, 2024 15:13:11.173904896 CET	49736	19483	192.168.2.4	3.127.138.57
Jan 4, 2024 15:13:11.353288889 CET	19483	49736	3.127.138.57	192.168.2.4
Jan 4, 2024 15:13:11.353490114 CET	49736	19483	192.168.2.4	3.127.138.57
Jan 4, 2024 15:13:11.510757923 CET	19483	49736	3.127.138.57	192.168.2.4
Jan 4, 2024 15:13:11.510843992 CET	49736	19483	192.168.2.4	3.127.138.57
Jan 4, 2024 15:13:11.532967091 CET	19483	49736	3.127.138.57	192.168.2.4
Jan 4, 2024 15:13:11.667134047 CET	49736	19483	192.168.2.4	3.127.138.57
Jan 4, 2024 15:13:11.690402985 CET	19483	49736	3.127.138.57	192.168.2.4
Jan 4, 2024 15:13:11.846621990 CET	19483	49736	3.127.138.57	192.168.2.4
Jan 4, 2024 15:13:13.636320114 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:13.814853907 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:13.814934015 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:13.976690054 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:14.155224085 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:14.155297995 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:14.333873034 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:14.334049940 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:14.512407064 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:14.512475014 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:14.690820932 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:15.960330009 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:16.138837099 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:16.138912916 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:16.317414045 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:16.317605972 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:16.496433020 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:16.496634007 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:16.675354004 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:16.675524950 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:16.854057074 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:16.854258060 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:17.032748938 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:17.032812119 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:17.211419106 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:17.211474895 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:17.389938116 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:17.390216112 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:17.568624020 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:17.568703890 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:17.747215033 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:17.747277021 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:17.925693035 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:17.925748110 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:18.104732990 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:18.104809999 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:18.283173084 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:18.283266068 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:18.461740971 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:18.461805105 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:18.640342951 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:18.644296885 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:18.823137999 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:18.823647976 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:19.002696991 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:19.002782106 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:19.182827950 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:19.182907104 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:19.361350060 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:19.361603975 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:19.539983034 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:19.540080070 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:19.718808889 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:19.718992949 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:19.897433043 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:19.897517920 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:20.075911999 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:20.076005936 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:20.255013943 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:20.255167007 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:20.433814049 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:20.436625004 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:20.616735935 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:20.620353937 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:20.799683094 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:20.800323963 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:20.979039907 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:20.979121923 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:21.157892942 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:21.158081055 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:21.336708069 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:21.336816072 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:21.515348911 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:21.515500069 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:21.694034100 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:21.694127083 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:21.872515917 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:21.872617960 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:22.051090956 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:22.051158905 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:22.229640961 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:22.229722977 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:22.408181906 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:22.408396006 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:22.587071896 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:22.587146044 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:22.765688896 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:22.765861034 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:22.944206953 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:22.944287062 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:23.122795105 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:23.122904062 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:23.301429987 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:23.301516056 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:23.479887009 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:23.480034113 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:23.658390045 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:23.658515930 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:23.837057114 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:23.837121010 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:24.015588999 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:24.015794039 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:24.194452047 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:24.194535971 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:24.373392105 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:24.373487949 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:24.551996946 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:24.552082062 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:24.730834007 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:24.731002092 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:24.909380913 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:24.909493923 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:25.087923050 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:25.088025093 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:25.267329931 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:25.267554998 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:25.446084976 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:25.446173906 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:25.624699116 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:25.624768019 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:25.803215027 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:25.803318024 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:25.981781960 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:25.981859922 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:26.160314083 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:26.160389900 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:26.209997892 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:26.210066080 CET	49738	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:26.338725090 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:26.388674974 CET	19483	49738	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:28.215912104 CET	49739	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:28.395119905 CET	19483	49739	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:28.395229101 CET	49739	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:28.398406029 CET	49739	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:28.577526093 CET	19483	49739	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:28.577588081 CET	49739	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:28.756623030 CET	19483	49739	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:28.756731033 CET	49739	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:28.936002970 CET	19483	49739	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:28.936086893 CET	49739	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:29.115735054 CET	19483	49739	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:29.115809917 CET	49739	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:29.294698000 CET	19483	49739	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:29.294780970 CET	49739	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:29.473892927 CET	19483	49739	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:29.473973036 CET	49739	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:29.652920961 CET	19483	49739	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:29.652995110 CET	49739	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:29.832227945 CET	19483	49739	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:29.832326889 CET	49739	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:30.011141062 CET	19483	49739	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:30.011214018 CET	49739	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:30.190100908 CET	19483	49739	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:30.190191984 CET	49739	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:30.369179964 CET	19483	49739	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:30.369254112 CET	49739	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:30.548338890 CET	19483	49739	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:30.548429966 CET	49739	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:30.727495909 CET	19483	49739	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:30.727582932 CET	49739	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:30.906481028 CET	19483	49739	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:30.906543016 CET	49739	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:31.085503101 CET	19483	49739	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:31.085573912 CET	49739	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:31.264663935 CET	19483	49739	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:31.264710903 CET	49739	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:31.443730116 CET	19483	49739	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:31.443933964 CET	49739	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:31.623123884 CET	19483	49739	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:31.623188019 CET	49739	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:31.802237988 CET	19483	49739	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:31.927297115 CET	49739	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:32.106291056 CET	19483	49739	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:32.106357098 CET	49739	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:32.285427094 CET	19483	49739	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:34.111419916 CET	49739	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:34.290631056 CET	19483	49739	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:34.290862083 CET	49739	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:34.471729040 CET	19483	49739	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:34.471956015 CET	49739	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:34.653143883 CET	19483	49739	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:34.653199911 CET	49739	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:34.832360983 CET	19483	49739	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:34.832441092 CET	49739	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:35.011526108 CET	19483	49739	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:35.011698961 CET	49739	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:35.191557884 CET	19483	49739	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:35.191617012 CET	49739	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:35.370682001 CET	19483	49739	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:35.370764971 CET	49739	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:35.549714088 CET	19483	49739	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:35.549799919 CET	49739	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:35.728701115 CET	19483	49739	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:35.728806019 CET	49739	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:35.909012079 CET	19483	49739	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:35.909142017 CET	49739	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:36.088074923 CET	19483	49739	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:36.088152885 CET	49739	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:36.267081976 CET	19483	49739	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:36.267204046 CET	49739	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:36.446242094 CET	19483	49739	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:36.446388006 CET	49739	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:36.625453949 CET	19483	49739	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:36.625530958 CET	49739	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:36.804702044 CET	19483	49739	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:36.804795027 CET	49739	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:36.984349966 CET	19483	49739	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:36.984412909 CET	49739	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:37.163809061 CET	19483	49739	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:37.163918972 CET	49739	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:37.342799902 CET	19483	49739	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:37.342890978 CET	49739	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:37.521962881 CET	19483	49739	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:37.522030115 CET	49739	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:37.701149940 CET	19483	49739	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:37.701251030 CET	49739	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:37.880125999 CET	19483	49739	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:37.880242109 CET	49739	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:38.059245110 CET	19483	49739	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:38.059422970 CET	49739	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:38.238185883 CET	19483	49739	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:38.238295078 CET	49739	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:38.417177916 CET	19483	49739	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:38.417356968 CET	49739	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:38.596777916 CET	19483	49739	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:38.596879959 CET	49739	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:38.758188963 CET	19483	49739	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:38.758266926 CET	49739	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:38.775731087 CET	19483	49739	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:38.932867050 CET	49739	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:38.937151909 CET	19483	49739	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:39.111741066 CET	19483	49739	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:40.765836954 CET	49740	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:40.945321083 CET	19483	49740	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:40.945527077 CET	49740	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:40.950372934 CET	49740	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:41.129863977 CET	19483	49740	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:41.129966974 CET	49740	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:41.308561087 CET	19483	49740	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:41.308772087 CET	49740	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:41.487215996 CET	19483	49740	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:41.487339020 CET	49740	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:41.665797949 CET	19483	49740	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:41.665873051 CET	49740	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:41.844285965 CET	19483	49740	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:41.844491005 CET	49740	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:42.022888899 CET	19483	49740	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:42.023062944 CET	49740	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:42.201477051 CET	19483	49740	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:42.201539040 CET	49740	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:42.379947901 CET	19483	49740	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:42.380148888 CET	49740	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:42.558425903 CET	19483	49740	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:42.558510065 CET	49740	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:42.736917019 CET	19483	49740	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:42.736995935 CET	49740	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:42.915575027 CET	19483	49740	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:42.915751934 CET	49740	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:43.094392061 CET	19483	49740	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:43.094615936 CET	49740	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:43.273329020 CET	19483	49740	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:43.273502111 CET	49740	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:43.451910973 CET	19483	49740	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:43.451992989 CET	49740	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:43.630480051 CET	19483	49740	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:43.630661964 CET	49740	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:43.809223890 CET	19483	49740	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:43.809437990 CET	49740	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:43.987936974 CET	19483	49740	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:43.987993956 CET	49740	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:44.166377068 CET	19483	49740	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:44.166460991 CET	49740	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:44.345051050 CET	19483	49740	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:44.345220089 CET	49740	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:44.523535013 CET	19483	49740	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:44.523585081 CET	49740	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:44.703282118 CET	19483	49740	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:44.703461885 CET	49740	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:44.883691072 CET	19483	49740	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:44.883838892 CET	49740	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:45.062300920 CET	19483	49740	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:45.062470913 CET	49740	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:45.243218899 CET	19483	49740	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:45.243294001 CET	49740	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:45.421621084 CET	19483	49740	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:45.421817064 CET	49740	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:45.600241899 CET	19483	49740	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:45.600317001 CET	49740	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:45.778754950 CET	19483	49740	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:45.778812885 CET	49740	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:45.957246065 CET	19483	49740	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:45.957336903 CET	49740	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:46.042979002 CET	19483	49740	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:46.043154955 CET	49740	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:46.135947943 CET	19483	49740	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:46.222237110 CET	19483	49740	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:48.060381889 CET	49741	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:48.241303921 CET	19483	49741	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:48.241411924 CET	49741	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:48.244663000 CET	49741	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:48.425498009 CET	19483	49741	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:48.425580978 CET	49741	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:48.606621027 CET	19483	49741	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:48.607002020 CET	49741	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:48.789000034 CET	19483	49741	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:48.789094925 CET	49741	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:48.970108032 CET	19483	49741	3.126.37.18	192.168.2.4
Jan 4, 2024 15:13:48.970309973 CET	49741	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:13:49.151211023 CET	19483	49741	3.126.37.18	192.168.2.4
Jan 4, 2024 15:14:00.650839090 CET	19483	49741	3.126.37.18	192.168.2.4
Jan 4, 2024 15:14:00.650927067 CET	49741	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:14:02.651771069 CET	49741	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:14:02.653748989 CET	49742	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:14:02.832829952 CET	19483	49741	3.126.37.18	192.168.2.4
Jan 4, 2024 15:14:02.833095074 CET	19483	49742	3.126.37.18	192.168.2.4
Jan 4, 2024 15:14:02.833240986 CET	49742	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:14:02.836622000 CET	49742	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:14:03.015557051 CET	19483	49742	3.126.37.18	192.168.2.4
Jan 4, 2024 15:14:03.015666008 CET	49742	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:14:03.194730997 CET	19483	49742	3.126.37.18	192.168.2.4
Jan 4, 2024 15:14:08.608083010 CET	49742	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:14:08.787487984 CET	19483	49742	3.126.37.18	192.168.2.4
Jan 4, 2024 15:14:09.278424978 CET	19483	49742	3.126.37.18	192.168.2.4
Jan 4, 2024 15:14:09.323416948 CET	49742	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:14:11.308028936 CET	49742	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:14:11.311871052 CET	49743	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:14:11.490890980 CET	19483	49743	3.126.37.18	192.168.2.4
Jan 4, 2024 15:14:11.491008997 CET	49743	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:14:11.494211912 CET	49743	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:14:11.673233032 CET	19483	49743	3.126.37.18	192.168.2.4
Jan 4, 2024 15:14:11.673310995 CET	49743	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:14:11.852289915 CET	19483	49743	3.126.37.18	192.168.2.4
Jan 4, 2024 15:14:16.730036020 CET	49743	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:14:16.909198999 CET	19483	49743	3.126.37.18	192.168.2.4
Jan 4, 2024 15:14:24.829392910 CET	19483	49743	3.126.37.18	192.168.2.4
Jan 4, 2024 15:14:24.829482079 CET	49743	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:14:26.839276075 CET	49743	19483	192.168.2.4	3.126.37.18
Jan 4, 2024 15:14:27.018479109 CET	19483	49743	3.126.37.18	192.168.2.4
Jan 4, 2024 15:14:27.486681938 CET	49744	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:14:27.667025089 CET	19483	49744	18.157.68.73	192.168.2.4
Jan 4, 2024 15:14:27.667109013 CET	49744	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:14:27.670241117 CET	49744	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:14:27.850552082 CET	19483	49744	18.157.68.73	192.168.2.4
Jan 4, 2024 15:14:27.850611925 CET	49744	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:14:28.030983925 CET	19483	49744	18.157.68.73	192.168.2.4
Jan 4, 2024 15:14:31.262778044 CET	49744	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:14:31.443135023 CET	19483	49744	18.157.68.73	192.168.2.4
Jan 4, 2024 15:14:36.089719057 CET	49744	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:14:36.270267963 CET	19483	49744	18.157.68.73	192.168.2.4
Jan 4, 2024 15:14:41.251365900 CET	19483	49744	18.157.68.73	192.168.2.4
Jan 4, 2024 15:14:41.251447916 CET	49744	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:14:43.261259079 CET	49744	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:14:43.262861967 CET	49745	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:14:43.441595078 CET	19483	49744	18.157.68.73	192.168.2.4
Jan 4, 2024 15:14:43.443222046 CET	19483	49745	18.157.68.73	192.168.2.4
Jan 4, 2024 15:14:43.443303108 CET	49745	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:14:43.446367979 CET	49745	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:14:43.626636982 CET	19483	49745	18.157.68.73	192.168.2.4
Jan 4, 2024 15:14:43.626689911 CET	49745	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:14:43.806988001 CET	19483	49745	18.157.68.73	192.168.2.4
Jan 4, 2024 15:14:44.795619011 CET	49745	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:14:44.977592945 CET	19483	49745	18.157.68.73	192.168.2.4
Jan 4, 2024 15:14:47.450025082 CET	19483	49745	18.157.68.73	192.168.2.4
Jan 4, 2024 15:14:47.450215101 CET	49745	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:14:49.464193106 CET	49745	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:14:49.465986967 CET	49746	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:14:49.644068956 CET	19483	49746	18.157.68.73	192.168.2.4
Jan 4, 2024 15:14:49.644150972 CET	49746	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:14:49.644862890 CET	19483	49745	18.157.68.73	192.168.2.4
Jan 4, 2024 15:14:49.647228003 CET	49746	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:14:49.825095892 CET	19483	49746	18.157.68.73	192.168.2.4
Jan 4, 2024 15:14:49.825259924 CET	49746	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:14:50.003328085 CET	19483	49746	18.157.68.73	192.168.2.4
Jan 4, 2024 15:14:50.698890924 CET	49746	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:14:50.878791094 CET	19483	49746	18.157.68.73	192.168.2.4
Jan 4, 2024 15:14:51.074096918 CET	49746	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:14:51.252176046 CET	19483	49746	18.157.68.73	192.168.2.4
Jan 4, 2024 15:14:52.620608091 CET	49746	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:14:52.798881054 CET	19483	49746	18.157.68.73	192.168.2.4
Jan 4, 2024 15:14:52.799067974 CET	49746	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:14:52.977145910 CET	19483	49746	18.157.68.73	192.168.2.4
Jan 4, 2024 15:14:53.506462097 CET	49746	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:14:53.687127113 CET	19483	49746	18.157.68.73	192.168.2.4
Jan 4, 2024 15:14:53.687206030 CET	49746	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:14:53.866189957 CET	19483	49746	18.157.68.73	192.168.2.4
Jan 4, 2024 15:14:53.866274118 CET	49746	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:14:54.044272900 CET	19483	49746	18.157.68.73	192.168.2.4
Jan 4, 2024 15:14:54.044442892 CET	49746	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:14:54.222264051 CET	19483	49746	18.157.68.73	192.168.2.4
Jan 4, 2024 15:14:54.222322941 CET	49746	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:14:54.400183916 CET	19483	49746	18.157.68.73	192.168.2.4
Jan 4, 2024 15:14:54.400361061 CET	49746	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:14:54.578382015 CET	19483	49746	18.157.68.73	192.168.2.4
Jan 4, 2024 15:14:54.578567982 CET	49746	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:14:54.756606102 CET	19483	49746	18.157.68.73	192.168.2.4
Jan 4, 2024 15:14:54.756783009 CET	49746	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:14:54.934835911 CET	19483	49746	18.157.68.73	192.168.2.4
Jan 4, 2024 15:14:54.934968948 CET	49746	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:14:55.112871885 CET	19483	49746	18.157.68.73	192.168.2.4
Jan 4, 2024 15:14:55.112937927 CET	49746	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:14:55.290770054 CET	19483	49746	18.157.68.73	192.168.2.4
Jan 4, 2024 15:14:55.290878057 CET	49746	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:14:55.468839884 CET	19483	49746	18.157.68.73	192.168.2.4
Jan 4, 2024 15:14:55.469052076 CET	49746	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:14:55.647052050 CET	19483	49746	18.157.68.73	192.168.2.4
Jan 4, 2024 15:14:55.647131920 CET	49746	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:14:55.650983095 CET	19483	49746	18.157.68.73	192.168.2.4
Jan 4, 2024 15:14:55.651057005 CET	49746	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:14:55.825217009 CET	19483	49746	18.157.68.73	192.168.2.4
Jan 4, 2024 15:14:55.828906059 CET	19483	49746	18.157.68.73	192.168.2.4
Jan 4, 2024 15:14:57.654728889 CET	49747	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:14:57.832756996 CET	19483	49747	18.157.68.73	192.168.2.4
Jan 4, 2024 15:14:57.832858086 CET	49747	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:14:57.836647987 CET	49747	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:14:58.014766932 CET	19483	49747	18.157.68.73	192.168.2.4
Jan 4, 2024 15:14:58.014827013 CET	49747	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:14:58.192960978 CET	19483	49747	18.157.68.73	192.168.2.4
Jan 4, 2024 15:14:58.193072081 CET	49747	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:14:58.371143103 CET	19483	49747	18.157.68.73	192.168.2.4
Jan 4, 2024 15:14:58.371196032 CET	49747	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:14:58.549343109 CET	19483	49747	18.157.68.73	192.168.2.4
Jan 4, 2024 15:14:58.549465895 CET	49747	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:14:58.727721930 CET	19483	49747	18.157.68.73	192.168.2.4
Jan 4, 2024 15:14:58.727797031 CET	49747	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:14:58.905813932 CET	19483	49747	18.157.68.73	192.168.2.4
Jan 4, 2024 15:14:58.906033039 CET	49747	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:14:59.084090948 CET	19483	49747	18.157.68.73	192.168.2.4
Jan 4, 2024 15:14:59.084156990 CET	49747	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:14:59.264991999 CET	19483	49747	18.157.68.73	192.168.2.4
Jan 4, 2024 15:14:59.592714071 CET	49747	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:14:59.771071911 CET	19483	49747	18.157.68.73	192.168.2.4
Jan 4, 2024 15:14:59.771136045 CET	49747	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:14:59.949075937 CET	19483	49747	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:00.008645058 CET	49747	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:00.186767101 CET	19483	49747	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:00.596941948 CET	49747	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:00.775299072 CET	19483	49747	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:00.999468088 CET	49747	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:01.177527905 CET	19483	49747	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:01.177594900 CET	49747	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:01.355778933 CET	19483	49747	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:01.443119049 CET	49747	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:01.621146917 CET	19483	49747	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:01.621206999 CET	49747	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:01.799375057 CET	19483	49747	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:01.799451113 CET	49747	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:01.977488041 CET	19483	49747	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:01.977579117 CET	49747	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:02.155426979 CET	19483	49747	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:02.155495882 CET	49747	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:02.333401918 CET	19483	49747	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:02.333503008 CET	49747	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:02.511629105 CET	19483	49747	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:02.511728048 CET	49747	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:02.689788103 CET	19483	49747	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:02.689851999 CET	49747	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:02.867952108 CET	19483	49747	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:02.868052959 CET	49747	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:03.046191931 CET	19483	49747	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:03.046282053 CET	49747	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:03.106699944 CET	19483	49747	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:03.106796980 CET	49747	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:03.224853039 CET	19483	49747	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:03.284934998 CET	19483	49747	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:05.122256041 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:05.302783966 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:05.302897930 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:05.306479931 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:05.486901999 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:05.487000942 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:05.667423010 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:05.667489052 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:05.847923040 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:05.848006964 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:06.028732061 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:06.028835058 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:06.209331036 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:06.209443092 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:06.390006065 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:06.390113115 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:06.570606947 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:06.570688009 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:06.751173019 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:06.751281977 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:06.931878090 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:06.931960106 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:07.112504959 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:07.112617016 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:07.293467045 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:07.293566942 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:07.474090099 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:07.474162102 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:07.654701948 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:07.654784918 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:07.835832119 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:07.835931063 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:08.016417980 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:08.016479969 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:08.196815014 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:08.196913958 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:08.377696991 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:08.377906084 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:08.558686018 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:08.558767080 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:08.739343882 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:08.739409924 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:08.919930935 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:08.920025110 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:09.100539923 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:09.100877047 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:09.281327963 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:09.281385899 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:09.461903095 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:09.462007999 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:09.642507076 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:09.642708063 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:09.823214054 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:09.823278904 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:10.003822088 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:10.004038095 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:10.184768915 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:10.184968948 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:10.375011921 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:10.375072002 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:10.555999041 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:10.556088924 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:10.736710072 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:10.736907005 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:10.917433977 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:10.917520046 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:11.098315954 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:11.098541975 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:11.279241085 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:11.279330015 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:11.460019112 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:11.460118055 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:11.640717983 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:11.640780926 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:11.821430922 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:11.821512938 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:12.001857996 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:12.002054930 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:12.183146954 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:12.183217049 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:12.363558054 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:12.363748074 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:12.544131041 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:12.544229984 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:12.724634886 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:12.724819899 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:12.905379057 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:12.905559063 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:13.086359978 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:13.086505890 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:13.266725063 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:13.266807079 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:13.447289944 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:13.447351933 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:13.627815962 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:13.627980947 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:13.811378956 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:13.811451912 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:13.991734028 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:13.991821051 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:14.172230005 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:14.172328949 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:14.352775097 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:14.352855921 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:14.533248901 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:14.533307076 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:14.713680983 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:14.713753939 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:14.894345045 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:14.894458055 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:15.074939966 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:15.075017929 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:15.255376101 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:15.255450964 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:15.435870886 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:15.435926914 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:15.616322041 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:15.616425037 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:15.796730995 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:15.796823025 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:15.977319956 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:15.977440119 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:16.157834053 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:16.157911062 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:16.338815928 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:16.338974953 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:16.519294024 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:16.519373894 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:16.700361967 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:16.700442076 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:16.880970955 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:16.881021023 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:17.062475920 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:17.227447987 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:17.407845020 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:17.516463041 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:17.696927071 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:17.718664885 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:17.791420937 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:17.791486979 CET	49748	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:17.899059057 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:17.973124027 CET	19483	49748	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:19.797775030 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:19.978398085 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:19.978538990 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:19.981780052 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:20.161995888 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:20.162098885 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:20.342410088 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:20.342468977 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:20.522851944 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:20.522948027 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:20.703346968 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:20.703442097 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:20.884043932 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:20.884135008 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:21.066729069 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:21.066831112 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:21.247163057 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:21.247253895 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:21.427516937 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:21.427625895 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:21.608016968 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:21.608082056 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:21.788378954 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:21.788484097 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:21.968801975 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:21.968921900 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:22.149208069 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:22.149307966 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:22.329675913 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:22.329756021 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:22.510173082 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:22.510266066 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:22.691428900 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:22.691581011 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:22.872128010 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:22.872215986 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:23.053183079 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:23.053271055 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:23.233652115 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:23.233751059 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:23.414120913 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:23.414213896 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:23.594707012 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:23.594886065 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:23.776386976 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:23.776513100 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:23.957062960 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:23.957117081 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:24.138005972 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:24.138114929 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:24.318437099 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:24.318541050 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:24.499105930 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:24.499187946 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:24.680089951 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:24.680181026 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:24.860481977 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:24.860582113 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:25.040967941 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:25.041106939 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:25.221537113 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:25.221621037 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:25.402071953 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:25.402153969 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:25.582493067 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:25.582578897 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:25.763183117 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:25.763267040 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:25.943593025 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:25.943677902 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:26.124070883 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:26.124169111 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:26.304465055 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:26.304529905 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:26.488327026 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:26.488421917 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:26.668839931 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:26.669050932 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:26.849451065 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:26.849514008 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:27.029887915 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:27.029970884 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:27.211379051 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:27.211498022 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:27.391846895 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:27.391916037 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:27.572331905 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:27.572431087 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:27.752775908 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:27.752968073 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:27.933350086 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:27.933429003 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:28.113964081 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:28.114046097 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:28.294408083 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:28.294490099 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:28.485125065 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:28.485235929 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:28.665617943 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:28.665709972 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:28.846019983 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:28.846137047 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:29.029664993 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:29.029848099 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:29.210318089 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:29.210406065 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:29.390778065 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:29.390909910 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:29.571420908 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:29.571609974 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:29.757520914 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:29.757632971 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:29.938091040 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:29.938183069 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:30.118556023 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:30.118748903 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:30.299068928 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:30.299160957 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:30.479587078 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:30.479767084 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:30.660180092 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:30.660267115 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:30.840672970 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:30.840751886 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:31.021182060 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:31.021246910 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:31.201565027 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:31.201646090 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:31.388463020 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:31.388550043 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:31.572295904 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:31.572364092 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:31.752821922 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:31.753036022 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:31.933439016 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:31.933531046 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:32.113986969 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:32.114207029 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:32.294708967 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:32.294913054 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:32.475445986 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:32.475536108 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:32.655889034 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:32.655970097 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:32.836333036 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:32.836420059 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:33.016772985 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:33.017031908 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:33.197346926 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:33.197453976 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:33.377861977 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:33.377950907 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:33.558341026 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:33.558434963 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:33.742260933 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:33.742331982 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:33.922941923 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:33.923022032 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:34.103454113 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:34.103533030 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:34.284468889 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:34.284646034 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:34.465712070 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:34.465776920 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:34.646142006 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:34.646226883 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:34.826587915 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:34.826666117 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:35.006967068 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:35.007070065 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:35.187347889 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:35.208197117 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:35.388504028 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:35.388581038 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:35.569055080 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:35.771295071 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:35.951673031 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:35.951729059 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:36.132184029 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:36.173017979 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:36.353339911 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:36.353408098 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:36.533793926 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:37.131506920 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:37.311965942 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:37.312025070 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:37.492382050 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:37.560563087 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:37.560642958 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:39.573672056 CET	49749	19483	192.168.2.4	18.157.68.73
Jan 4, 2024 15:15:39.673623085 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:39.754199982 CET	19483	49749	18.157.68.73	192.168.2.4
Jan 4, 2024 15:15:39.851664066 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:39.851761103 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:39.855429888 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:40.033204079 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:40.033268929 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:40.211399078 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:40.211489916 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:40.389278889 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:40.389400959 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:40.567620039 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:40.567706108 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:40.745599031 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:40.745671034 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:40.924037933 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:40.924266100 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:41.102431059 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:41.102555990 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:41.280332088 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:41.280431986 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:41.458805084 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:41.458908081 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:41.636780977 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:41.636898041 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:41.814835072 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:41.814924955 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:41.993002892 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:41.993094921 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:42.170928955 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:42.171020031 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:42.348799944 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:42.348862886 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:42.526707888 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:42.526825905 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:42.704724073 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:42.704813004 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:42.882627010 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:42.882728100 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:43.060899973 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:43.060992002 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:43.238672972 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:43.238780022 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:43.423685074 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:43.423803091 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:43.603208065 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:43.603318930 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:43.805233955 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:43.805319071 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:43.983582020 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:43.983690977 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:44.184483051 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:44.184581995 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:44.362447977 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:44.362554073 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:44.540175915 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:44.540256023 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:44.718194962 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:44.718259096 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:44.896322012 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:44.896425009 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:45.074497938 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:45.074606895 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:45.252660036 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:45.252742052 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:45.430665970 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:45.430799007 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:45.608977079 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:45.609069109 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:45.787235022 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:45.787362099 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:45.965213060 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:45.965306997 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:46.143240929 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:46.143357038 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:46.321100950 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:46.321180105 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:46.499162912 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:46.499247074 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:46.677072048 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:46.677151918 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:46.854926109 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:46.854984045 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:47.032968998 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:47.033027887 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:47.210747004 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:47.210850000 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:47.389527082 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:47.389709949 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:47.567805052 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:47.567866087 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:47.747915030 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:47.747988939 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:47.925920963 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:47.925997019 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:48.107197046 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:48.107297897 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:48.284997940 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:48.285093069 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:48.462925911 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:48.463005066 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:48.640738010 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:48.640811920 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:48.818641901 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:48.818715096 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:48.996505976 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:48.996568918 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:49.174606085 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:49.174690962 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:49.352493048 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:49.352580070 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:49.530529976 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:49.530622005 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:49.708528042 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:49.708626986 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:49.886760950 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:49.886823893 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:50.064842939 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:50.064922094 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:50.243043900 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:50.243155956 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:50.420985937 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:50.421066046 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:50.599915981 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:50.599993944 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:50.777887106 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:50.778012037 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:50.955995083 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:50.956068039 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:51.133946896 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:51.134027004 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:51.311888933 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:51.312001944 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:51.490025043 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:51.490103960 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:51.667942047 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:51.668020010 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:51.848037004 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:51.848109961 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:52.026001930 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:52.091240883 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:52.269083977 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:52.269138098 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:52.446901083 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:52.446955919 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:52.624955893 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:52.625010967 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:52.802944899 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:52.802999973 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:52.980803967 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:53.210432053 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:53.388346910 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:53.388420105 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:53.566407919 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:53.566463947 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:53.744452953 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:53.744524002 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:53.922559023 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:53.922672033 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:54.100630999 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:54.100704908 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:54.278707027 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:54.278800964 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:54.460608006 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:54.460706949 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:54.638720989 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:54.638916969 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:54.816792965 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:54.816988945 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:54.994888067 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:54.994976044 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:55.172842026 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:55.172910929 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:55.351457119 CET	19483	49750	18.192.93.86	192.168.2.4
Jan 4, 2024 15:15:56.542416096 CET	49750	19483	192.168.2.4	18.192.93.86
Jan 4, 2024 15:15:56.720324039 CET	19483	49750	18.192.93.86	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 4, 2024 15:12:04.545624018 CET	59589	53	192.168.2.4	1.1.1.1
Jan 4, 2024 15:12:04.650311947 CET	53	59589	1.1.1.1	192.168.2.4
Jan 4, 2024 15:13:13.528142929 CET	57895	53	192.168.2.4	1.1.1.1
Jan 4, 2024 15:13:13.634999990 CET	53	57895	1.1.1.1	192.168.2.4
Jan 4, 2024 15:14:26.840591908 CET	54390	53	192.168.2.4	1.1.1.1
Jan 4, 2024 15:14:26.948213100 CET	53	54390	1.1.1.1	192.168.2.4
Jan 4, 2024 15:15:39.575319052 CET	49248	53	192.168.2.4	1.1.1.1
Jan 4, 2024 15:15:39.672338963 CET	53	49248	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 4, 2024 15:12:04.545624018 CET	192.168.2.4	1.1.1.1	0x3200	Standard query (0)	2.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Jan 4, 2024 15:13:13.528142929 CET	192.168.2.4	1.1.1.1	0xd5aa	Standard query (0)	2.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Jan 4, 2024 15:14:26.840591908 CET	192.168.2.4	1.1.1.1	0x2093	Standard query (0)	2.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Jan 4, 2024 15:15:39.575319052 CET	192.168.2.4	1.1.1.1	0x6042	Standard query (0)	2.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 4, 2024 15:12:04.650311947 CET	1.1.1.1	192.168.2.4	0x3200	No error (0)	2.tcp.eu.ngrok.io	3.127.138.57	A (IP address)	IN (0x0001)	false
Jan 4, 2024 15:13:13.634999990 CET	1.1.1.1	192.168.2.4	0xd5aa	No error (0)	2.tcp.eu.ngrok.io	3.126.37.18	A (IP address)	IN (0x0001)	false
Jan 4, 2024 15:14:26.948213100 CET	1.1.1.1	192.168.2.4	0x2093	No error (0)	2.tcp.eu.ngrok.io	18.157.68.73	A (IP address)	IN (0x0001)	false
Jan 4, 2024 15:15:39.672338963 CET	1.1.1.1	192.168.2.4	0x6042	No error (0)	2.tcp.eu.ngrok.io	18.192.93.86	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	15:11:48
Start date:	04/01/2024
Path:	C:\Users\user\Desktop\b8UsrDOVGV.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\b8UsrDOVGV.exe
Imagebase:	0x4d0000
File size:	37'888 bytes
MD5 hash:	B7DD9DD7470AF783D5D955B455D58CAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000000.1618553751.00000000004D2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000000.1618553751.00000000004D2000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000000.00000000.1618553751.00000000004D2000.00000002.00000001.01000000.00000003.sdmp, Author: Brian Wallace @botnet_hunter
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	15:11:54
Start date:	04/01/2024
Path:	C:\Users\user\AppData\Roaming\Svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Svchost.exe"
Imagebase:	0x200000
File size:	37'888 bytes
MD5 hash:	B7DD9DD7470AF783D5D955B455D58CAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000001.00000002.4076153599.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Svchost.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Roaming\Svchost.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\Svchost.exe, Author: Brian Wallace @botnet_hunter Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Svchost.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 94%, ReversingLabs Detection: 88%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	15:12:01
Start date:	04/01/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\Svchost.exe" "Svchost.exe" ENABLE
Imagebase:	0x1560000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:12:01
Start date:	04/01/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:12:13
Start date:	04/01/2024
Path:	C:\Users\user\AppData\Roaming\Svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Svchost.exe" ..
Imagebase:	0x10000
File size:	37'888 bytes
MD5 hash:	B7DD9DD7470AF783D5D955B455D58CAC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	15:12:23
Start date:	04/01/2024
Path:	C:\Users\user\AppData\Roaming\Svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Svchost.exe" ..
Imagebase:	0x6a0000
File size:	37'888 bytes
MD5 hash:	B7DD9DD7470AF783D5D955B455D58CAC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	15:12:31
Start date:	04/01/2024
Path:	C:\Users\user\AppData\Roaming\Svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Svchost.exe" ..
Imagebase:	0xd00000
File size:	37'888 bytes
MD5 hash:	B7DD9DD7470AF783D5D955B455D58CAC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	7.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	37
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00CBA612 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 00CBA6B9

Memory Dump Source

Source File: 00000000.00000002.1685521771.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cba000_b8UsrDOVGV.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 9e7f2c5bfc3c0e2dbd098f85660414110ad70a1ec9cd206f4f2fc388f489ef73
Instruction ID: f198f9bcff69a7625f8a716dfbde009e86fa6b455d5e782fb62134288771e824
Opcode Fuzzy Hash: 9e7f2c5bfc3c0e2dbd098f85660414110ad70a1ec9cd206f4f2fc388f489ef73
Instruction Fuzzy Hash: 9F3193B55093806FE722CB25DC45B96BFF8EF16314F08849AE984CB292D375E909C772

Uniqueness

Uniqueness Score: -1.00%

Function 00CBA361 Relevance: 1.6, APIs: 1, Instructions: 85
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,4156D530,00000000,00000000,00000000,00000000), ref: 00CBA40C

Memory Dump Source

Source File: 00000000.00000002.1685521771.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cba000_b8UsrDOVGV.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: ad583b6f9da3f9ff8e17fa54404647c85f36bb8085edac5a4d1577d6d4145148
Instruction ID: db2cdd96e7dff9920acad07be21227dbf80ce00ce7986262364b6300a6300af9
Opcode Fuzzy Hash: ad583b6f9da3f9ff8e17fa54404647c85f36bb8085edac5a4d1577d6d4145148
Instruction Fuzzy Hash: 3F317375505740AFE722CF15DC84F92BBF8EF15710F08849AE985CB692D364E909CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00CBA462 Relevance: 1.6, APIs: 1, Instructions: 77
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegSetValueExW.KERNELBASE(?,00000E24,4156D530,00000000,00000000,00000000,00000000), ref: 00CBA4F8

Memory Dump Source

Source File: 00000000.00000002.1685521771.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cba000_b8UsrDOVGV.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 64d68bd9b62b9f60efeee4819be1d5090cd3c9cf15da490e9133a5ac9fdfd4ac
Instruction ID: a1a98a3d8315fcc56e591b612729e2a45322e5cd25ba4e4cb4c2c44d10159f20
Opcode Fuzzy Hash: 64d68bd9b62b9f60efeee4819be1d5090cd3c9cf15da490e9133a5ac9fdfd4ac
Instruction Fuzzy Hash: 33218E725047806FD7228F11DC44FA7BFB8EF56210F08849AE985DB652D264E948CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00CBAA07 Relevance: 1.6, APIs: 1, Instructions: 72
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 00CBAA86

Memory Dump Source

Source File: 00000000.00000002.1685521771.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cba000_b8UsrDOVGV.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: e072db8494a88f7460756ce63a604322a68a252cac0f54a79410b04efe863f7e
Instruction ID: 2a19e59e32fb85a6a8e7419be80f5dcdee724848ea293f2fe81603c2274a3820
Opcode Fuzzy Hash: e072db8494a88f7460756ce63a604322a68a252cac0f54a79410b04efe863f7e
Instruction Fuzzy Hash: 372171B1509380AFD711CB25DD45B92BFF8EF16314F0984DAE884DB262E234E908DB71

Uniqueness

Uniqueness Score: -1.00%

Function 00CBA646 Relevance: 1.6, APIs: 1, Instructions: 72
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 00CBA6B9

Memory Dump Source

Source File: 00000000.00000002.1685521771.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cba000_b8UsrDOVGV.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: cf555663cc402e858f52e28c967fec0cfe2c6aa758169e891185a23be07d6c76
Instruction ID: e339bc29ed6477b356eed684053813bad1bb6833da5e08c05b73dbbfcef0628f
Opcode Fuzzy Hash: cf555663cc402e858f52e28c967fec0cfe2c6aa758169e891185a23be07d6c76
Instruction Fuzzy Hash: 4921C2B56042009FE720CF26DD45BA6FBE8EF14314F08886AED84CB745E775E908CA72

Uniqueness

Uniqueness Score: -1.00%

Function 00CBA392 Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,4156D530,00000000,00000000,00000000,00000000), ref: 00CBA40C

Memory Dump Source

Source File: 00000000.00000002.1685521771.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cba000_b8UsrDOVGV.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 2b7bc127d6fe6613b9b600c9bf5041b176e274419491d1211f7f3a03fe297a75
Instruction ID: 835c037b17b8e99dc36510af0d20d419f2affc1702f21eac07b6e97fae1a78dc
Opcode Fuzzy Hash: 2b7bc127d6fe6613b9b600c9bf5041b176e274419491d1211f7f3a03fe297a75
Instruction Fuzzy Hash: D8218C75600204AFE720CE16DC84FA6B7ECEF14710F08846AE985CB651D7B4E909CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 00CBA486 Relevance: 1.6, APIs: 1, Instructions: 65
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegSetValueExW.KERNELBASE(?,00000E24,4156D530,00000000,00000000,00000000,00000000), ref: 00CBA4F8

Memory Dump Source

Source File: 00000000.00000002.1685521771.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cba000_b8UsrDOVGV.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 940ede7f47f62828e2f6cf827260a16bc3ee405d27337fd362d002530d4a7d9d
Instruction ID: 587c4f2b1da37b738c4240178736eed98778507b79806ef19b45847640a0db72
Opcode Fuzzy Hash: 940ede7f47f62828e2f6cf827260a16bc3ee405d27337fd362d002530d4a7d9d
Instruction Fuzzy Hash: 6E11BE72500700AFEB31CE16DC44FA6BBECEF14714F04846AED859AB51D374EA08CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 00CBA2D2 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(?), ref: 00CBA330

Memory Dump Source

Source File: 00000000.00000002.1685521771.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cba000_b8UsrDOVGV.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 8d515995ae0e774bdf57ce3e54fcd4aaed7a71decc6ef2e9256f3425517ddf15
Instruction ID: 9d1cd877101b9d24c70f98487c98e89261953e0e1e7b2c4fc3a1ce54a7f88b7f
Opcode Fuzzy Hash: 8d515995ae0e774bdf57ce3e54fcd4aaed7a71decc6ef2e9256f3425517ddf15
Instruction Fuzzy Hash: 00212C7140D3C05FD7138B259C55A62BFB49F57224F0984DBDD848F2A3D269A908DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00CBAC24 Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32(?), ref: 00CBAC80

Memory Dump Source

Source File: 00000000.00000002.1685521771.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cba000_b8UsrDOVGV.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: b73ec943489311a925384160b4d459fe5441e33ab514192216c96e2826b2bd3d
Instruction ID: 329d4d69b9828a8c05c58d1668d99b478b4d58b70310cda7e4cf0da0642e8cc7
Opcode Fuzzy Hash: b73ec943489311a925384160b4d459fe5441e33ab514192216c96e2826b2bd3d
Instruction Fuzzy Hash: 4B1163715093809FD712CF25DC95B52BFB8DF46210F0984EBED85CB652D275E908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00CBA8A4 Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 00CBA903

Memory Dump Source

Source File: 00000000.00000002.1685521771.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cba000_b8UsrDOVGV.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: c9ed11e0bea354ce9180e584093664aa9e808c114aa07b8821a011283fcd7805
Instruction ID: 023ad8eba1eed01082d201295f98216bf4e0724fce714c3a0a65278e64ca7bd4
Opcode Fuzzy Hash: c9ed11e0bea354ce9180e584093664aa9e808c114aa07b8821a011283fcd7805
Instruction Fuzzy Hash: 3311B6715043809FDB11CF25DC45B96BFE8EF56220F0984AAEC85CB652D235E944CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00CBAA3E Relevance: 1.6, APIs: 1, Instructions: 53
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 00CBAA86

Memory Dump Source

Source File: 00000000.00000002.1685521771.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cba000_b8UsrDOVGV.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 31924e573c63808444c299ee0c6eb94c02c09cab7b52332890dbfccd21bf6813
Instruction ID: d01dbc97e369c24dc5368d0d9bcdbc8b9cd57b0a7ecf1a61c3cebf288b51e917
Opcode Fuzzy Hash: 31924e573c63808444c299ee0c6eb94c02c09cab7b52332890dbfccd21bf6813
Instruction Fuzzy Hash: 3B1152716002409FEB20CF5ADD45796FBE8EF14710F08846ADD89DB751E674E904DE72

Uniqueness

Uniqueness Score: -1.00%

Function 00CBA8C6 Relevance: 1.5, APIs: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 00CBA903

Memory Dump Source

Source File: 00000000.00000002.1685521771.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cba000_b8UsrDOVGV.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: a6989e3e94031313c98e1be176e57e54a1b6cc1c12e636a01e6c72126065f292
Instruction ID: 403cab50658733424beefcac990bf7f0b9465b934c58ea3748cc65bff9a3baf4
Opcode Fuzzy Hash: a6989e3e94031313c98e1be176e57e54a1b6cc1c12e636a01e6c72126065f292
Instruction Fuzzy Hash: 55019671A002409FDB10CF1AD9447A6FBE4EF04320F0884AADD85CF751E775E948DA62

Uniqueness

Uniqueness Score: -1.00%

Function 00CBAC46 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32(?), ref: 00CBAC80

Memory Dump Source

Source File: 00000000.00000002.1685521771.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cba000_b8UsrDOVGV.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: a2e6ca9b4d744a25c7a0025a6330adfe764a50ce89c40a2a5b903b5a940509fd
Instruction ID: be2c54aef8aa2e0f15a9593644144cfd896617be7f10234e29c45ec2d770ed70
Opcode Fuzzy Hash: a2e6ca9b4d744a25c7a0025a6330adfe764a50ce89c40a2a5b903b5a940509fd
Instruction Fuzzy Hash: F30180716042009FDB10CF1AD9847A6BBE8DF04320F08C4AADD89CF752E375E908CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 00CBA2FE Relevance: 1.5, APIs: 1, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(?), ref: 00CBA330

Memory Dump Source

Source File: 00000000.00000002.1685521771.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cba000_b8UsrDOVGV.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 10edd8744ca56b72aa2f9d5c554ddfbc8889ff56c0a31081c6ffd9f29f0da819
Instruction ID: 99d843ec6cf2173fdcd4ed252f354d9c0f0c66636d9dcd21a74d13bf7cb130d4
Opcode Fuzzy Hash: 10edd8744ca56b72aa2f9d5c554ddfbc8889ff56c0a31081c6ffd9f29f0da819
Instruction Fuzzy Hash: 2CF081359042409FDB20CF0AD9847A1FBE4EF04324F08C4AADD894F762D375E908CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 04C90958 Relevance: .5, Instructions: 483
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1685841405.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c90000_b8UsrDOVGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99a5cc46d06128c8585986849080116c147d80900734faf9e924942f339df09c
Instruction ID: 5b2690789be6be6d2aa8e019ee31ba111be4fbc110c54e081f2085499111473a
Opcode Fuzzy Hash: 99a5cc46d06128c8585986849080116c147d80900734faf9e924942f339df09c
Instruction Fuzzy Hash: C0025935700210DFCB18EBB9D455A6E77E6EF88308B244479D406DB3A9EF39AC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04C9031B Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685841405.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c90000_b8UsrDOVGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d19d23090a4ee2311ef5c2d31ca13dfb87b61b7e5511bb7245b3616e78cd1995
Instruction ID: 5276e7b3e489bd23b979402636fdddfdbda8840155e6261342e767668fb22711
Opcode Fuzzy Hash: d19d23090a4ee2311ef5c2d31ca13dfb87b61b7e5511bb7245b3616e78cd1995
Instruction Fuzzy Hash: DC510F317002018FCB18ABBA941467D77E3EF85348B1845AAE402DB3A6DF39DD0697A6

Uniqueness

Uniqueness Score: -1.00%

Function 04C9035D Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685841405.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c90000_b8UsrDOVGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc549d089bdcb93f3ed96346a634d1d225349757e261ee8ee97f60c5120fda25
Instruction ID: 51951c4348a63de0bf96d8224dd8ad616c65854a495eb5b244473e0d33fd3aa4
Opcode Fuzzy Hash: fc549d089bdcb93f3ed96346a634d1d225349757e261ee8ee97f60c5120fda25
Instruction Fuzzy Hash: C051E031B002009FCB18BBBA94156BE37E7EB85344B04457AE402DB3A5EF39DD0697A2

Uniqueness

Uniqueness Score: -1.00%

Function 04C90368 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685841405.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c90000_b8UsrDOVGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8243cb1e18dd3a939cc8e6406ed7523d33e2cf3c2723aa3720d0c9a0cd88b5a8
Instruction ID: 25392da379088d2af7e234998cca6284b037c84094cc4c8a474c85eb7fe6888f
Opcode Fuzzy Hash: 8243cb1e18dd3a939cc8e6406ed7523d33e2cf3c2723aa3720d0c9a0cd88b5a8
Instruction Fuzzy Hash: A351E131B002109FCB18BBBA94156BE36E7EFC5345B04447AE402DB3A5EF39DD0697A6

Uniqueness

Uniqueness Score: -1.00%

Function 04C903BD Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685841405.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c90000_b8UsrDOVGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcb96a49360ebf729d6afddc9e4a5e463e547327e681550e11cc9cada2a63db3
Instruction ID: 2c7502f558b00018132f0e5614c69ff42a13189795d48b448304bcaa40eed8ac
Opcode Fuzzy Hash: fcb96a49360ebf729d6afddc9e4a5e463e547327e681550e11cc9cada2a63db3
Instruction Fuzzy Hash: D741B131B001118FCB58B7BA94156BD36E7AFC5348B08447AE402EB3E5EF399D0697A6

Uniqueness

Uniqueness Score: -1.00%

Function 04C90088 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685841405.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c90000_b8UsrDOVGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ba999c366f22dfbcf514979c5430a64e8b9c16c85937789f62f91721de31e55
Instruction ID: c49a5346fc25a58b86424ba941ea0d80e71083455b507ba53a334079bb3fa111
Opcode Fuzzy Hash: 7ba999c366f22dfbcf514979c5430a64e8b9c16c85937789f62f91721de31e55
Instruction Fuzzy Hash: 8C511135205242CFC724FFB9E585A9977B3EB94208744893ED0059B36EDB385D0BCB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A605E0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685367823.0000000000A60000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_b8UsrDOVGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b75fcf4f498925a55abb05386e63c4b2504353d861898c235984f293c7d20f34
Instruction ID: aa1588e71d5573d07cdaa1674b42cebad9162f4eabb9de2bf53ddf8dd08966a7
Opcode Fuzzy Hash: b75fcf4f498925a55abb05386e63c4b2504353d861898c235984f293c7d20f34
Instruction Fuzzy Hash: EE018BB65097805FD7118F06AC40862FFE8EB86620749C49BEC4D9B751D235B908CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 04C90889 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685841405.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c90000_b8UsrDOVGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1927fdfde5dbe9b2e1efef8b44ff5661bcd459b6fd9279a0bc5166348e62cc48
Instruction ID: a73241c349f08efad32aae61859df5990df3501aa6128847a442ed95f0a4ce0f
Opcode Fuzzy Hash: 1927fdfde5dbe9b2e1efef8b44ff5661bcd459b6fd9279a0bc5166348e62cc48
Instruction Fuzzy Hash: DF012D30604302CFC704FB78E8594997BE1EB84309B01892EE486CB3AADB35C8099B92

Uniqueness

Uniqueness Score: -1.00%

Function 00A60606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685367823.0000000000A60000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_b8UsrDOVGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27076b3cf566c763ccc91e3fe28a4a2eb0a3aae1fe409fd6df83764b81a980bc
Instruction ID: a4a66d97a01cdb692e088b23c5415bdd68fff7f10700ea502fac028a73c37e1e
Opcode Fuzzy Hash: 27076b3cf566c763ccc91e3fe28a4a2eb0a3aae1fe409fd6df83764b81a980bc
Instruction Fuzzy Hash: 67E092B66006004B9650CF0BFC41452F7D8EB84630708C47FDC0D8BB01E235B508CEA6

Uniqueness

Uniqueness Score: -1.00%

Function 00CB23F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685510610.0000000000CB2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb2000_b8UsrDOVGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf7f78bd4fcc6288fdb48920b54f481eb413a9ea14d433beffbb234a4127893e
Instruction ID: d6d1d56fb0522395c2fb073143ac1953ac6baafc22537adc879b7205c2522706
Opcode Fuzzy Hash: cf7f78bd4fcc6288fdb48920b54f481eb413a9ea14d433beffbb234a4127893e
Instruction Fuzzy Hash: E4D02E392406D04FD3228A0CC2A8BC53BD4AF41704F0A08F9A800CBB63CB28DA80EA00

Uniqueness

Uniqueness Score: -1.00%

Function 00CB23BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685510610.0000000000CB2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb2000_b8UsrDOVGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37ed65dc29493f34555542321c28f52a97fa63083cd99c855e1e46fb965e19aa
Instruction ID: d7c098431b7827cf404d9970e6b389af26da723f89ccbc8eab7ade2f369289fb
Opcode Fuzzy Hash: 37ed65dc29493f34555542321c28f52a97fa63083cd99c855e1e46fb965e19aa
Instruction Fuzzy Hash: 56D05E342002814BC725DA0CC6D4F9937D8AB45714F0648E8AC208B772C7A8D9C0DA10

Uniqueness

Uniqueness Score: -1.00%

Function 04C90069 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685841405.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c90000_b8UsrDOVGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0085bf275f90b8d59db3796835b4f7f9b5157d5769bef08c515b422fffb9ae8
Instruction ID: ac94caab2378792f7fda985089b672511cddb77214a9282951fb5b2d403f3137
Opcode Fuzzy Hash: f0085bf275f90b8d59db3796835b4f7f9b5157d5769bef08c515b422fffb9ae8
Instruction Fuzzy Hash: 4EA00285650B0097C69126643CB52D22375E4813122E901524C0643709601EA90F1E31

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Svchost.exePID: 6212, Parent PID: 6176COMMON

Execution Graph

Execution Coverage:	17.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	4.5%
Total number of Nodes:	154
Total number of Limit Nodes:	7

Executed Functions

Function 027BB5BF Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 027BB63F

Memory Dump Source

Source File: 00000001.00000002.4075771478.00000000027BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27ba000_Svchost.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 4260daeca1a00bab99d129bfd02fb86cc5f5c1ae3d151c28006a343e8f33547c
Instruction ID: 1d3ff24de3789b782003d9b2544242d6d51067a1524ca1ed48f100f103d3cd5c
Opcode Fuzzy Hash: 4260daeca1a00bab99d129bfd02fb86cc5f5c1ae3d151c28006a343e8f33547c
Instruction Fuzzy Hash: CC21BF75509780AFEB238F25DC44B92BFB4EF06314F09849AED848B563D274E908DB62

Uniqueness

Uniqueness Score: -1.00%

Function 027BB7FB Relevance: 1.6, APIs: 1, Instructions: 64nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 027BB871

Memory Dump Source

Source File: 00000001.00000002.4075771478.00000000027BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27ba000_Svchost.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: f5ff40e79e3735da921e316afa9822116aec1d86f3cab5c0b97ab7cb99539660
Instruction ID: edd21066d2065dedfd8c74f26c4f6736b5be27a549c5d3070546817575db7160
Opcode Fuzzy Hash: f5ff40e79e3735da921e316afa9822116aec1d86f3cab5c0b97ab7cb99539660
Instruction Fuzzy Hash: AA21AE714097C0AFDB238B20DC45A92FFB0EF16214F0984CBED844B1A3D265A909DB62

Uniqueness

Uniqueness Score: -1.00%

Function 027BB5F6 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 027BB63F

Memory Dump Source

Source File: 00000001.00000002.4075771478.00000000027BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27ba000_Svchost.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 8f130a32ea44e18eeac516f371f0cdb5c4803a8ae445eaf724c89ef438936fa8
Instruction ID: ec013d7b37533b3f39a3fd5368548963d7a5a0e956f70fe906aefeb0efc419de
Opcode Fuzzy Hash: 8f130a32ea44e18eeac516f371f0cdb5c4803a8ae445eaf724c89ef438936fa8
Instruction Fuzzy Hash: 951170715006449FEB21CF65D984BA6FBE4EF08228F08C86AED458B661D375E818DF61

Uniqueness

Uniqueness Score: -1.00%

Function 027BB836 Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 027BB871

Memory Dump Source

Source File: 00000001.00000002.4075771478.00000000027BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27ba000_Svchost.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 2ec1230a953e1186461d1244b5cd147a6424124beba1f7edc0eb7ef804597bca
Instruction ID: a742b0aea172b750d16589fcf2451f93a2dd8419a02fdb8e676e839e7e2f5cfe
Opcode Fuzzy Hash: 2ec1230a953e1186461d1244b5cd147a6424124beba1f7edc0eb7ef804597bca
Instruction Fuzzy Hash: 14018F318046409FEF21CF15D985B61FBE0EF08224F08D4AADD455A761D375E418CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 050B1120 Relevance: 1.6, APIs: 1, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 050B1147

Memory Dump Source

Source File: 00000001.00000002.4078222974.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50b0000_Svchost.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 665f0f16ddb3477fad90916d9bc5c4ce0fcc9b20bfba413d184360f9e8c95431
Instruction ID: d7ce51ba47e56dc21c301736011ff0483a6a7e0b39d3b416e8caea2fe877504c
Opcode Fuzzy Hash: 665f0f16ddb3477fad90916d9bc5c4ce0fcc9b20bfba413d184360f9e8c95431
Instruction Fuzzy Hash: 7B41A431B002118FDB14EF79D894AAE77E2AF84204B188479D809DF39ADB38CD45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 050B1117 Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 050B1147

Memory Dump Source

Source File: 00000001.00000002.4078222974.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50b0000_Svchost.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 4afa74cde794c202721ecf0871950f372561ef9b93da68b682513e665496cdfc
Instruction ID: e1d204a044610afe8706aa0fcb1486c4e49eedbf047a3083714137a6717cdd98
Opcode Fuzzy Hash: 4afa74cde794c202721ecf0871950f372561ef9b93da68b682513e665496cdfc
Instruction Fuzzy Hash: 1E3193316002118FDB14DF75D8E4AAE77E6AF88204F188479D809DF39ADB38CD45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0555266A Relevance: 1.6, APIs: 1, Instructions: 99
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 05552731

Memory Dump Source

Source File: 00000001.00000002.4078477653.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5550000_Svchost.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 81fa92f51e9ef98bc192ebceeb30f683caea47d610ad4203d3eca138601e5b58
Instruction ID: e9a8121fec0f00e9d8a831593b065133baf0a9903e4ce3c62d3702277452fd6a
Opcode Fuzzy Hash: 81fa92f51e9ef98bc192ebceeb30f683caea47d610ad4203d3eca138601e5b58
Instruction Fuzzy Hash: 3E318F76504744AFE722CB21DC44FA7BBFCFF15210F08859AE9858B662D324E908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 055505E3 Relevance: 1.6, APIs: 1, Instructions: 98
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 055506AA

Memory Dump Source

Source File: 00000001.00000002.4078477653.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5550000_Svchost.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 08ec525f5d71eb59826ecc2d3877a7c55ba6f06139e3e99066c0d58bf12fb403
Instruction ID: 110e95ad1519773c7cb140ec0a8df6dfad416b9c2d30d08de891e70a417d5ecf
Opcode Fuzzy Hash: 08ec525f5d71eb59826ecc2d3877a7c55ba6f06139e3e99066c0d58bf12fb403
Instruction Fuzzy Hash: 9E319C6510E7C06FD3138B218C65A61BFB4EF87610F0E45CBD8C48F6A3D229A919D7B2

Uniqueness

Uniqueness Score: -1.00%

Function 05552D5C Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetExitCodeProcess.KERNELBASE(?,00000E24,F600D256,00000000,00000000,00000000,00000000), ref: 05552E08

Memory Dump Source

Source File: 00000001.00000002.4078477653.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5550000_Svchost.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: b9f34d8288bf52e2348a4af35c54d9d0e981e48ca6bf4c37f91e06452c4b7d7c
Instruction ID: 5be88b6a5ad6c9a8d976d63fb776239b53913470cbd5789f8d3af783554150c4
Opcode Fuzzy Hash: b9f34d8288bf52e2348a4af35c54d9d0e981e48ca6bf4c37f91e06452c4b7d7c
Instruction Fuzzy Hash: C9318C7550E3C05FE7138B608C54B96BFB8AF07210F0984DBE884CF1A3D6689809C772

Uniqueness

Uniqueness Score: -1.00%

Function 05551418 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32(?,00000E24), ref: 055514DF

Memory Dump Source

Source File: 00000001.00000002.4078477653.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5550000_Svchost.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: ce37f4dea725ac03f8eaf4d3d0136ab01c4bb04f3e846cc402907af33f481976
Instruction ID: 1196f3d8d2c42528ea53bb516b83febd144288716a70452563bf4e30d0cc0601
Opcode Fuzzy Hash: ce37f4dea725ac03f8eaf4d3d0136ab01c4bb04f3e846cc402907af33f481976
Instruction Fuzzy Hash: 15318FB1504344AFEB21CB51DC44FA6BBACEF15314F04899AFA899B691D274E908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 055516A6 Relevance: 1.6, APIs: 1, Instructions: 92
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeInformationA.KERNELBASE(?,00000E24,?,?), ref: 05551766

Memory Dump Source

Source File: 00000001.00000002.4078477653.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5550000_Svchost.jbxd

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: cbeb605eff813b7637a5aff8c3e2fb91b69f3b9c724998f23710e6c9757accf2
Instruction ID: 3ede64d4beea3d56aa3e9c3503152caf3ba6615e4e758eb8cefe74b89deab5d1
Opcode Fuzzy Hash: cbeb605eff813b7637a5aff8c3e2fb91b69f3b9c724998f23710e6c9757accf2
Instruction Fuzzy Hash: 8C318E7150D3C06FD3138B258C61AA2BFB8AF47210F1981CBD8C4DF6A3D225A959C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 027BAB1E Relevance: 1.6, APIs: 1, Instructions: 91
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 027BABD1

Memory Dump Source

Source File: 00000001.00000002.4075771478.00000000027BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27ba000_Svchost.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: b799697ee59efd9db56363f9d6042f63d3ebce847060de6cc6bea9ee3b85b09e
Instruction ID: 166a50e6cb9afea387054229d7f998a7deace89d5287b633e64f982a7937d86c
Opcode Fuzzy Hash: b799697ee59efd9db56363f9d6042f63d3ebce847060de6cc6bea9ee3b85b09e
Instruction Fuzzy Hash: C031A4724083846FE7228B61DC44FA7BFBCEF16214F08859AE985CB652D324E908C771

Uniqueness

Uniqueness Score: -1.00%

Function 027BA612 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 027BA6B9

Memory Dump Source

Source File: 00000001.00000002.4075771478.00000000027BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27ba000_Svchost.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: e63dfe039d82c069d277de6e4b7d0b7548199745fe36f6fb9f04be834423e789
Instruction ID: 8a11cdb443f6131b14ba06b89a6e9731d43589ba5f9ffe08de2c68084faf59f2
Opcode Fuzzy Hash: e63dfe039d82c069d277de6e4b7d0b7548199745fe36f6fb9f04be834423e789
Instruction Fuzzy Hash: E43191B55093806FE722CB25DC85F96BFF8EF06214F08849AE984CB692D375E909C771

Uniqueness

Uniqueness Score: -1.00%

Function 05551310 Relevance: 1.6, APIs: 1, Instructions: 89
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessTimes.KERNELBASE(?,00000E24,F600D256,00000000,00000000,00000000,00000000), ref: 055513AD

Memory Dump Source

Source File: 00000001.00000002.4078477653.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5550000_Svchost.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: ccbbd408f8ee3c5c7df6313306995f554a87e1963c14cca0ea3bde220610f46b
Instruction ID: d2f167953a6e42697047cb2cc7b7272e796db7586851adb731c00e93d1f2b7fa
Opcode Fuzzy Hash: ccbbd408f8ee3c5c7df6313306995f554a87e1963c14cca0ea3bde220610f46b
Instruction Fuzzy Hash: 3531D7725097806FE7128F61DC55FA6BFB8EF16320F08849BE984CF592D2259909C771

Uniqueness

Uniqueness Score: -1.00%

Function 05550C0C Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 05550CA3

Memory Dump Source

Source File: 00000001.00000002.4078477653.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5550000_Svchost.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 696b0b0a8dd92facc49e8b801257fa57211a07e04f09fcf5d908d254cf4db1eb
Instruction ID: f4fa3318d61c10c130b73dca82e742040e58657d077f58f2d0aa71c47366be17
Opcode Fuzzy Hash: 696b0b0a8dd92facc49e8b801257fa57211a07e04f09fcf5d908d254cf4db1eb
Instruction Fuzzy Hash: 27318471504344AFEB21CF64DC45FA6BBE8FF55210F08849AE945DB652D274E908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 027BAE79 Relevance: 1.6, APIs: 1, Instructions: 86
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 027BAF1D

Memory Dump Source

Source File: 00000001.00000002.4075771478.00000000027BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27ba000_Svchost.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2fc0c47c6b22175ad7396f21ccb7e24e1e7076d57e8017ae79d7cafc0159c16e
Instruction ID: 333b4533a17f5157c755b90cfc9b52512ea69b240dbb5ada3d3ff012aa90116c
Opcode Fuzzy Hash: 2fc0c47c6b22175ad7396f21ccb7e24e1e7076d57e8017ae79d7cafc0159c16e
Instruction Fuzzy Hash: D0319FB5504340AFEB21CF65DC85FA2BBF8EF05210F08849EE9858B652D375E908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05552696 Relevance: 1.6, APIs: 1, Instructions: 86
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 05552731

Memory Dump Source

Source File: 00000001.00000002.4078477653.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5550000_Svchost.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 0e83a3b4a66af00a195ce57f5b55a72274f40b42b2121fc9d67c3a8e4e227587
Instruction ID: 559608a8833e87a38cc1dc3824415b3ef08db531e1e7cb562e457f07c3a129d9
Opcode Fuzzy Hash: 0e83a3b4a66af00a195ce57f5b55a72274f40b42b2121fc9d67c3a8e4e227587
Instruction Fuzzy Hash: A521A076500604AFEB21DE25DC44FA7BBECFF18620F08856AED45DA651D734E4088BB1

Uniqueness

Uniqueness Score: -1.00%

Function 027BA361 Relevance: 1.6, APIs: 1, Instructions: 85
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,F600D256,00000000,00000000,00000000,00000000), ref: 027BA40C

Memory Dump Source

Source File: 00000001.00000002.4075771478.00000000027BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27ba000_Svchost.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: f5d249f57e973262e9f13a7da43a72072c5f52c1f4d30b366510b1d7ad435b33
Instruction ID: 3ef9ec9001d92e812ac126289ddb959c6eef785a005cdd6732b24c57372693bc
Opcode Fuzzy Hash: f5d249f57e973262e9f13a7da43a72072c5f52c1f4d30b366510b1d7ad435b33
Instruction Fuzzy Hash: 5031A075508780AFE722CF15CC84F92BFF8EF16214F08849AE985CB292D324E909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0555143A Relevance: 1.6, APIs: 1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32(?,00000E24), ref: 055514DF

Memory Dump Source

Source File: 00000001.00000002.4078477653.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5550000_Svchost.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 66bf3953f95df699f4377ea8ce64eb2686b3728baa0c9c37b9c6c6436e102673
Instruction ID: 2bf7e640c33c391d96b00406a277ba496741ab0f1d66483e78c4d1b9b2cf69e3
Opcode Fuzzy Hash: 66bf3953f95df699f4377ea8ce64eb2686b3728baa0c9c37b9c6c6436e102673
Instruction Fuzzy Hash: 3E21A171500204AEFB21DF61DC84FAAFBACEF14724F04885AFA89DA685D774E508CB71

Uniqueness

Uniqueness Score: -1.00%

Function 027BA120 Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

EnumWindows.USER32(?,00000E24,?,?), ref: 027BA1C2

Memory Dump Source

Source File: 00000001.00000002.4075771478.00000000027BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27ba000_Svchost.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: b282f2fe330ce98e238c3484d659bc6b9684b625236ca64db0af45c2333d2812
Instruction ID: ce3c36900807ab8397ecb40058bff5cf3d9fca07490afc63833f0e2a1cdb6d03
Opcode Fuzzy Hash: b282f2fe330ce98e238c3484d659bc6b9684b625236ca64db0af45c2333d2812
Instruction Fuzzy Hash: B921D17140D3C06FD3128B218C65B66BFB4EF87610F1985CBD8C4DF693D229A919CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 027BB430 Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 027BB4BE

Memory Dump Source

Source File: 00000001.00000002.4075771478.00000000027BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27ba000_Svchost.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 1fecc824b27d14085f437bdce39c0c669df527ec6a0b0af9081d897c1bb7d393
Instruction ID: bebcd01d8f5c553df184379a3d1cfa8e50e4a3287fe52e081230b74eee1f56de
Opcode Fuzzy Hash: 1fecc824b27d14085f437bdce39c0c669df527ec6a0b0af9081d897c1bb7d393
Instruction Fuzzy Hash: 61215C715093C05FD7138B65DC55B92BFB8AF17224F0D84DBD984CB6A3D224A808C771

Uniqueness

Uniqueness Score: -1.00%

Function 05552909 Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

select.WS2_32(?,?,?,?,?), ref: 05552998

Memory Dump Source

Source File: 00000001.00000002.4078477653.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5550000_Svchost.jbxd

Similarity

API ID: select
String ID:
API String ID: 1274211008-0
Opcode ID: da4ebe06fe5f2db9deb54235b3dac88c49e940e8d192e2f7a7d29148d4e74472
Instruction ID: acad010f7698ce8b6cb632a00b9d42b6eb02084cf3478231bdf7b48ad5e1ad83
Opcode Fuzzy Hash: da4ebe06fe5f2db9deb54235b3dac88c49e940e8d192e2f7a7d29148d4e74472
Instruction Fuzzy Hash: 17215C755083849FDB22CF25D854AA2BFF8FF06210F09849AED84CB262D234A948DB61

Uniqueness

Uniqueness Score: -1.00%

Function 027BAF74 Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,F600D256,00000000,00000000,00000000,00000000), ref: 027BB009

Memory Dump Source

Source File: 00000001.00000002.4075771478.00000000027BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27ba000_Svchost.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 54b7b4440040cbfb24b5b4d0ad49f343f3fc68ffb68992ad80d2521efdac26a4
Instruction ID: 8baab4f443ae96676d1a02dd81af92653cb91fd02898946050b45b935633a093
Opcode Fuzzy Hash: 54b7b4440040cbfb24b5b4d0ad49f343f3fc68ffb68992ad80d2521efdac26a4
Instruction Fuzzy Hash: 4321F5B54097806FE7128B15DC85FA2BFBCEF56324F0985D6ED808B2A3D264A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 027BA462 Relevance: 1.6, APIs: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,F600D256,00000000,00000000,00000000,00000000), ref: 027BA4F8

Memory Dump Source

Source File: 00000001.00000002.4075771478.00000000027BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27ba000_Svchost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: ecf31449ecb46d63672ff26a516b08f90bf942a99c8a676b71c21d1be1b1e51f
Instruction ID: f647868cdd855dacee75e243761fb3c805a7915845bd2a0921259e5ef78404e3
Opcode Fuzzy Hash: ecf31449ecb46d63672ff26a516b08f90bf942a99c8a676b71c21d1be1b1e51f
Instruction Fuzzy Hash: 972190725083806FE722CF11DC44FA7BFB8EF56214F08849AE985DB692D364E948CB71

Uniqueness

Uniqueness Score: -1.00%

Function 055506D6 Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 05550762

Memory Dump Source

Source File: 00000001.00000002.4078477653.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5550000_Svchost.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: c34d43b6e130018140cb102966f1762d6570cb573027a4825273e7b4400186f0
Instruction ID: d49b7c18aace5d4994a400ddbedd289680efef705f5c063cc39794b0b10e66fa
Opcode Fuzzy Hash: c34d43b6e130018140cb102966f1762d6570cb573027a4825273e7b4400186f0
Instruction Fuzzy Hash: 04217171505780AFE721CF51DC49F56FFB8EF05220F04889AE9858B696D275E908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05550DC2 Relevance: 1.6, APIs: 1, Instructions: 77fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 05550E56

Memory Dump Source

Source File: 00000001.00000002.4078477653.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5550000_Svchost.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: ac92a91a348409a220a64d627c8a9ecb8d8ddc4e2be12cb633638ecf44934992
Instruction ID: dfdeffbe1c83449f4b40b1e221f3441421417dff4b48e9f7707d7a6f78f3b626
Opcode Fuzzy Hash: ac92a91a348409a220a64d627c8a9ecb8d8ddc4e2be12cb633638ecf44934992
Instruction Fuzzy Hash: C721B171405380AFEB22CB15DC44F96FFF8EF19224F14889EE9848B692D375E908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 027BAE9E Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 027BAF1D

Memory Dump Source

Source File: 00000001.00000002.4075771478.00000000027BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27ba000_Svchost.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 177bf0e15d8217962110d37dbd241fad575d0e25b2ccfa19231a5f3899f49807
Instruction ID: 46ecb625bcd0acb1ea4103a6b9eafe72de1c7fc99dc64ceb3d74897e781a9ee0
Opcode Fuzzy Hash: 177bf0e15d8217962110d37dbd241fad575d0e25b2ccfa19231a5f3899f49807
Instruction Fuzzy Hash: 0821C1B2500200AFEB21DF65DD45FA6FBE8EF09214F04886AE985DB755D375E408CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05550C32 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 05550CA3

Memory Dump Source

Source File: 00000001.00000002.4078477653.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5550000_Svchost.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: d5ebd4fdb820a07a3834844b60af6a8b8c2c6ffc2755441e0d82735af99364d4
Instruction ID: bf5da7400c73bd358e5dff5eac3214e312c9e6c1d3608a94bc516e4a65fb5ad3
Opcode Fuzzy Hash: d5ebd4fdb820a07a3834844b60af6a8b8c2c6ffc2755441e0d82735af99364d4
Instruction Fuzzy Hash: 8921B071600204AFEB20DE24DC45FAAFBE8FF14320F04886AED45DA695D674E5088AB1

Uniqueness

Uniqueness Score: -1.00%

Function 05550B26 Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,F600D256,00000000,00000000,00000000,00000000), ref: 05550BB8

Memory Dump Source

Source File: 00000001.00000002.4078477653.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5550000_Svchost.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 1915d734875d62700af19283893173724e9cbbeb7f4933f0e9c82f296b60a4ef
Instruction ID: eebdcc18a3f075f14adb6b25269b18471bc61318c35291101dffd98431650cd4
Opcode Fuzzy Hash: 1915d734875d62700af19283893173724e9cbbeb7f4933f0e9c82f296b60a4ef
Instruction Fuzzy Hash: CB219071508380AFD721CF11DC84F66BBF8EF05324F08849AE985CB6A2D265E948CB71

Uniqueness

Uniqueness Score: -1.00%

Function 027BAB52 Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 027BABD1

Memory Dump Source

Source File: 00000001.00000002.4075771478.00000000027BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27ba000_Svchost.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: fe13d3bbdee7e3768afe47e3cc160130c5b260e9a7bef3f8a3488da7750f2ead
Instruction ID: 3ff528fe66fe2a92c1ac6fcca7962c84ce8147c8f5da5354eb5b35a5b7092b1e
Opcode Fuzzy Hash: fe13d3bbdee7e3768afe47e3cc160130c5b260e9a7bef3f8a3488da7750f2ead
Instruction Fuzzy Hash: 3921AEB2500204AFEB21EF15DC84FABFBECEF24214F04846AE9459B655D734E948CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 05552E6B Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E24,F600D256,00000000,00000000,00000000,00000000), ref: 05552EE7

Memory Dump Source

Source File: 00000001.00000002.4078477653.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5550000_Svchost.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 39ac7e8585e68f5cb422dd09f0566cdf2618713b86422ca9d4674b89c244c3e5
Instruction ID: 910e5915b0ca384acb75f85d4a814fa44cd62fa45ab8af8207f0bce5f45aa0cd
Opcode Fuzzy Hash: 39ac7e8585e68f5cb422dd09f0566cdf2618713b86422ca9d4674b89c244c3e5
Instruction Fuzzy Hash: 4621C5715083806FE722CB11DC45FA6BFB8EF45220F08849BF944DB256D274E908CB75

Uniqueness

Uniqueness Score: -1.00%

Function 027BA646 Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 027BA6B9

Memory Dump Source

Source File: 00000001.00000002.4075771478.00000000027BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27ba000_Svchost.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: b329cf8981b3319e87d836172bf4ed255826a37eb19e07e85c6c208d6412e264
Instruction ID: 12ae5b032ca1bbdba66eec5dbc07596dc7971010daf9575a7aaffb94ad61b422
Opcode Fuzzy Hash: b329cf8981b3319e87d836172bf4ed255826a37eb19e07e85c6c208d6412e264
Instruction Fuzzy Hash: 2521CFB5604200AFE721DF25DD85FA6FBE8EF14224F04886AED84CB745D775E808CA71

Uniqueness

Uniqueness Score: -1.00%

Function 05551059 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

shutdown.WS2_32(?,00000E24,F600D256,00000000,00000000,00000000,00000000), ref: 055510DC

Memory Dump Source

Source File: 00000001.00000002.4078477653.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5550000_Svchost.jbxd

Similarity

API ID: shutdown
String ID:
API String ID: 2510479042-0
Opcode ID: 6d80ee536d8a5c55f4d9895559eaf9b7d0cabb70cf1abf6496b5e4cd86df6dbe
Instruction ID: cdb69b959b48a96148b05642efb8df3b4259776cb3a6fbdcaba3bc80f823e72d
Opcode Fuzzy Hash: 6d80ee536d8a5c55f4d9895559eaf9b7d0cabb70cf1abf6496b5e4cd86df6dbe
Instruction Fuzzy Hash: 2F2195714097846FD712CB10DC45F56FFB8EF46220F0885DBE9849B256D278A948CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0555046E Relevance: 1.6, APIs: 1, Instructions: 70fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E24,F600D256,00000000,00000000,00000000,00000000), ref: 055504ED

Memory Dump Source

Source File: 00000001.00000002.4078477653.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5550000_Svchost.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 8c236b160cfcceb44c3ff0650d4bc480c4bb64ec85ac3cb145ff160ab0b7d7a5
Instruction ID: 9913c17f200f13175c4d318fa84a7dcde55bc6a85a448194bb4bc2472ba71756
Opcode Fuzzy Hash: 8c236b160cfcceb44c3ff0650d4bc480c4bb64ec85ac3cb145ff160ab0b7d7a5
Instruction Fuzzy Hash: 8A219271405380AFDB22CF51DC44FA6BFB8EF55320F08849AE9849B656D235E508CB75

Uniqueness

Uniqueness Score: -1.00%

Function 027BA392 Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,F600D256,00000000,00000000,00000000,00000000), ref: 027BA40C

Memory Dump Source

Source File: 00000001.00000002.4075771478.00000000027BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27ba000_Svchost.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 843ad45e31f2cf57cfeca163a5595247dc16a4aa38d8abe0e04ba185cdcb85d0
Instruction ID: 63b1c96aaa90647f22b11b3fc5ac062b24575662c2778279ac4f357852ca4131
Opcode Fuzzy Hash: 843ad45e31f2cf57cfeca163a5595247dc16a4aa38d8abe0e04ba185cdcb85d0
Instruction Fuzzy Hash: 3021AC71600200AFEB21DE15CC84FA6B7ECEF14614F08846AED45DB691D774E808CA71

Uniqueness

Uniqueness Score: -1.00%

Function 05552843 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E24,F600D256,00000000,00000000,00000000,00000000), ref: 055528BF

Memory Dump Source

Source File: 00000001.00000002.4078477653.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5550000_Svchost.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 9844c52712ca2f43ec11b416a8c0d259fce0cae90ee673dcff2b8f2757f60144
Instruction ID: 0be0594a44915492490590795d965b137200267c201df247d1a796774778948c
Opcode Fuzzy Hash: 9844c52712ca2f43ec11b416a8c0d259fce0cae90ee673dcff2b8f2757f60144
Instruction Fuzzy Hash: B221C3715093846FE722CF50DC44FA6FFB8EF55220F08849BE9849B656C274E908C772

Uniqueness

Uniqueness Score: -1.00%

Function 027BAC19 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 027BAC97

Memory Dump Source

Source File: 00000001.00000002.4075771478.00000000027BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27ba000_Svchost.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 556bf8ef5f89e4c0d5e53a40330fa6c855c542b5c5479cef1e9bb1e6c8f931fa
Instruction ID: 31b29846829159d8a9671bfa984b0be90d096bb824b0e3c5a6b86f433f10b82e
Opcode Fuzzy Hash: 556bf8ef5f89e4c0d5e53a40330fa6c855c542b5c5479cef1e9bb1e6c8f931fa
Instruction Fuzzy Hash: 0821D4715093C45FEB12CF25DC85B92BFE4EF06224F0984EAE8858B267D274A849CB61

Uniqueness

Uniqueness Score: -1.00%

Function 027BB68C Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 027BB6F8

Memory Dump Source

Source File: 00000001.00000002.4075771478.00000000027BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27ba000_Svchost.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 4914a832575c7c0676e26933c64fb1ed03b2ef285d10fee3db145fef325ddc6d
Instruction ID: 2a5641f1d59a0ce7119a57f7a04e02835f14d8eb1cedbb8bb01833efa27c4ad8
Opcode Fuzzy Hash: 4914a832575c7c0676e26933c64fb1ed03b2ef285d10fee3db145fef325ddc6d
Instruction Fuzzy Hash: 8B21AE725093C05FEB138B25DC55B92BFB4AF47224F0984DAEC858F663D274A908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 027BB741 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,F600D256,00000000,?,?,?,?,?,?,?,?,6C8B3C58), ref: 027BB7B2

Memory Dump Source

Source File: 00000001.00000002.4075771478.00000000027BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27ba000_Svchost.jbxd

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 70bf1222ea15b4b6ca0a3d1848784fa690613fa2a3b73adfe7bfadc5d727a434
Instruction ID: 535d63d41b8dcdca00446e0fadd6748da28b781961cd293debbc7b57786e43c3
Opcode Fuzzy Hash: 70bf1222ea15b4b6ca0a3d1848784fa690613fa2a3b73adfe7bfadc5d727a434
Instruction Fuzzy Hash: 86215E715093809FDB12CB65DC95B92BFF8EF06214F0984EAE985CB662D234A908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 055506F6 Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 05550762

Memory Dump Source

Source File: 00000001.00000002.4078477653.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5550000_Svchost.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 96a70c5f1f8e7208ce39a3c478d0e700381344b860e33dcd13231a9af8463d1a
Instruction ID: 4cea3fef683bea90fb65f42701fb2f9956c646d55d742faaf36da18f52c945e2
Opcode Fuzzy Hash: 96a70c5f1f8e7208ce39a3c478d0e700381344b860e33dcd13231a9af8463d1a
Instruction Fuzzy Hash: E021D171500200AFEB21CF65DC48FA6FBE4FF08320F04886AED858A696D375E409CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 05550DE2 Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 05550E56

Memory Dump Source

Source File: 00000001.00000002.4078477653.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5550000_Svchost.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 7407c9905da8632a3a25671fcd6cc028f3654107c782b77ed805fa612967432f
Instruction ID: 20a36225cb2f0caa56a8fdc1182b8c0cf86a62adf605f45eedf44ce5a9e6d038
Opcode Fuzzy Hash: 7407c9905da8632a3a25671fcd6cc028f3654107c782b77ed805fa612967432f
Instruction Fuzzy Hash: 4521AE71500200AFEB21CF15DD49FA6FBE8EF18324F14886AE9858B695D375E408CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 055515EA Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 05551666

Memory Dump Source

Source File: 00000001.00000002.4078477653.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5550000_Svchost.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: a9ff588feab2860964e61c3e2e6a11ec69b4b411ab322bca7d1d3e7888792cca
Instruction ID: d0884702d526b33af2cb93478cf19a28e02e9eccab8d5f639217c29fbed625e6
Opcode Fuzzy Hash: a9ff588feab2860964e61c3e2e6a11ec69b4b411ab322bca7d1d3e7888792cca
Instruction Fuzzy Hash: EB219271508780AFDB228F51DC54B62BFF4FF06210F0988DAED858B662D235A818DB71

Uniqueness

Uniqueness Score: -1.00%

Function 05551982 Relevance: 1.6, APIs: 1, Instructions: 66libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E24), ref: 05551A0B

Memory Dump Source

Source File: 00000001.00000002.4078477653.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5550000_Svchost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a442e7dc967a6bdec6b68dd7bded3ee7fac18cf7c5f55fb79d05cc99f360d8a7
Instruction ID: 628c8eaba13d08e28f37e66b2915b6bea245f9e8a3eebd2bad98a8ff439ff9d0
Opcode Fuzzy Hash: a442e7dc967a6bdec6b68dd7bded3ee7fac18cf7c5f55fb79d05cc99f360d8a7
Instruction Fuzzy Hash: C011E4714043406FE721CB11DC85FA6FFB8EF45320F04809AFD849B692C278E948CB62

Uniqueness

Uniqueness Score: -1.00%

Function 027BA486 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,F600D256,00000000,00000000,00000000,00000000), ref: 027BA4F8

Memory Dump Source

Source File: 00000001.00000002.4075771478.00000000027BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27ba000_Svchost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 2308ed1b3ad60d40287cf0a3acc6dc52eebefc301bb8572dc2717b14bd91577b
Instruction ID: 2d62a2167069cd8f1f3e3565f71cddc62c1cf8ce027661ddfbca4ec00275e600
Opcode Fuzzy Hash: 2308ed1b3ad60d40287cf0a3acc6dc52eebefc301bb8572dc2717b14bd91577b
Instruction Fuzzy Hash: 6711BE72500600AFEB32DE15DC44FA6BBECEF14614F04846AED45DA795D374E908CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 05550B46 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,F600D256,00000000,00000000,00000000,00000000), ref: 05550BB8

Memory Dump Source

Source File: 00000001.00000002.4078477653.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5550000_Svchost.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 30a03f77b9a3b8c1ab52216637190a78bdb1f5eafa72bbf8e0fc397dc61fdab6
Instruction ID: 85fc0fc96bf934d2f10c7bd87dd4a32cdb27915a58cea8500ff08048439674e4
Opcode Fuzzy Hash: 30a03f77b9a3b8c1ab52216637190a78bdb1f5eafa72bbf8e0fc397dc61fdab6
Instruction Fuzzy Hash: 2911AF72504200AFEB21CF15DC84FAAB7E8FF14734F04846AED458A6A5D774E448CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 027BADB4 Relevance: 1.6, APIs: 1, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 027BAE1E

Memory Dump Source

Source File: 00000001.00000002.4075771478.00000000027BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27ba000_Svchost.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: a694f5bc0a5fa72a2aa39c2c9839dece989fb904b69d613b9c73fe72df4da5e9
Instruction ID: 49e7c381d960b6ec17c844640a6545657dd5a5c80d4a0c01ca29df0720387ee9
Opcode Fuzzy Hash: a694f5bc0a5fa72a2aa39c2c9839dece989fb904b69d613b9c73fe72df4da5e9
Instruction Fuzzy Hash: F11184755043809FDB21CF65DC86B97BFE8EF45210F0984AAE985DB652D334E804CB71

Uniqueness

Uniqueness Score: -1.00%

Function 027BA710 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 027BA780

Memory Dump Source

Source File: 00000001.00000002.4075771478.00000000027BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27ba000_Svchost.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 6e1427ba3d8e34d7eeac448613e9e853c4d3f7d80c53318b2746daa44878e4f8
Instruction ID: 2ce8a7ce5cff932a1491156675d71f91790a68ec0637e4b12258381da9d2df58
Opcode Fuzzy Hash: 6e1427ba3d8e34d7eeac448613e9e853c4d3f7d80c53318b2746daa44878e4f8
Instruction Fuzzy Hash: 0E21D5B15083809FD712CF55DC85B52BFA8EF02324F09849BED448B653D334A905CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0555134E Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E24,F600D256,00000000,00000000,00000000,00000000), ref: 055513AD

Memory Dump Source

Source File: 00000001.00000002.4078477653.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5550000_Svchost.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 8eaaa56c83e924f68adab788dae03a42e423cfaf548f9de2a52e61d09f6262e3
Instruction ID: 8ad2d8cd75f4d66697e96a6a59ca5ac2ae74f3c19f1b941692dd9854caa64bce
Opcode Fuzzy Hash: 8eaaa56c83e924f68adab788dae03a42e423cfaf548f9de2a52e61d09f6262e3
Instruction Fuzzy Hash: BD11D371900600AFEB21CF55DC44FAABBE8EF14224F14886AEE85CAA55D375E408CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 05552E8E Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E24,F600D256,00000000,00000000,00000000,00000000), ref: 05552EE7

Memory Dump Source

Source File: 00000001.00000002.4078477653.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5550000_Svchost.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 868f7a3b377b882ce5fea6d05dbc9c70f65041f2581dbdf0029890356e5e6b9b
Instruction ID: 11f9e563bd379614177c04ccd33448bdd00809a3aa3693448c2b9b2f62f82b09
Opcode Fuzzy Hash: 868f7a3b377b882ce5fea6d05dbc9c70f65041f2581dbdf0029890356e5e6b9b
Instruction Fuzzy Hash: 0C110176500200AFEB21CF15EC45FAABBA8EF14224F04886AFD45CF645D374E808CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 027BB947 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 027BB9B2

Memory Dump Source

Source File: 00000001.00000002.4075771478.00000000027BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27ba000_Svchost.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: aca1f71b1012604296d80586064e21f0e68bdfeed1f2257dbcb23138ac494fe4
Instruction ID: 67b4b20ab844a0559d7d1f8783a450b82c805800d2c9970c81e3e50f4685704c
Opcode Fuzzy Hash: aca1f71b1012604296d80586064e21f0e68bdfeed1f2257dbcb23138ac494fe4
Instruction Fuzzy Hash: 59118171409780AFDB228F51DC44B62FFF4EF4A310F0888DAED858B662C275A918DB71

Uniqueness

Uniqueness Score: -1.00%

Function 05552DB2 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E24,F600D256,00000000,00000000,00000000,00000000), ref: 05552E08

Memory Dump Source

Source File: 00000001.00000002.4078477653.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5550000_Svchost.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 87395347a44d2c45b904e02da7d4e0abfe1242e23f7dbb6406f932af4ff62400
Instruction ID: b71d5a35ea450f74fc69063779058247209259d6c48013b3344d77e2520a5d7c
Opcode Fuzzy Hash: 87395347a44d2c45b904e02da7d4e0abfe1242e23f7dbb6406f932af4ff62400
Instruction Fuzzy Hash: 1C11C175600200AFEB21CB15DC85FBAB7E8EF54224F04847AED45DB645D678E9088BB1

Uniqueness

Uniqueness Score: -1.00%

Function 0555048E Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E24,F600D256,00000000,00000000,00000000,00000000), ref: 055504ED

Memory Dump Source

Source File: 00000001.00000002.4078477653.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5550000_Svchost.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: ab4b01271f011f46f9e86bfaf064199567b903f60f6a021faa084d9e6892c74a
Instruction ID: 10ff5110a1249bb97145034c71914eaafb897a18510e1f9aee6a51b6f8f1b8e1
Opcode Fuzzy Hash: ab4b01271f011f46f9e86bfaf064199567b903f60f6a021faa084d9e6892c74a
Instruction Fuzzy Hash: A711BF72500200EFEB21CF55EC44FAAFBA8EF54324F04886AED459A695D375E508CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 05552F4F Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(00000000,?,00000E24,F600D256,00000000,00000000,00000000,00000000), ref: 05552FCB

Memory Dump Source

Source File: 00000001.00000002.4078477653.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5550000_Svchost.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 79050d630f0f41d0637f0bf375cf899abaef79a538245d5fc63b7ba642b933da
Instruction ID: b7993fb438508a2262b5588caa2d7671c1bc45abcafb4b035af6b2768b2a8cf8
Opcode Fuzzy Hash: 79050d630f0f41d0637f0bf375cf899abaef79a538245d5fc63b7ba642b933da
Instruction Fuzzy Hash: 011160715097806FEB22CF61CC58F57BFB8AF06614F08889AF985DB196D274E804CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05552866 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E24,F600D256,00000000,00000000,00000000,00000000), ref: 055528BF

Memory Dump Source

Source File: 00000001.00000002.4078477653.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5550000_Svchost.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 0ec9aa66527c77ea4feb3b77d5e972e1851019672bb54774116f25f138a9c6bd
Instruction ID: d8404d7dfe3536b5b8858dcc8387f3be0fa23304af0c431a3806f77f2f6a16aa
Opcode Fuzzy Hash: 0ec9aa66527c77ea4feb3b77d5e972e1851019672bb54774116f25f138a9c6bd
Instruction Fuzzy Hash: FA11CE75900204AFEB21CF54DC84FA6FBA8EF54324F08886AED449B645C278E5088BB5

Uniqueness

Uniqueness Score: -1.00%

Function 027BAA81 Relevance: 1.6, APIs: 1, Instructions: 57comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 027BAAE0

Memory Dump Source

Source File: 00000001.00000002.4075771478.00000000027BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27ba000_Svchost.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: ccaec2e02aef01c71cc752c02bb1c4367aa1a64e4995574e845e24b15d2acd4a
Instruction ID: b55c4b030bf2c104f468cfb6a942c0ccbe8d01c25f9b33ca9547eea128e750fe
Opcode Fuzzy Hash: ccaec2e02aef01c71cc752c02bb1c4367aa1a64e4995574e845e24b15d2acd4a
Instruction Fuzzy Hash: CA1160715093C06FDB128B25DC55B92BFB4DF46220F0984DAED848F253C275A948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05551086 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

shutdown.WS2_32(?,00000E24,F600D256,00000000,00000000,00000000,00000000), ref: 055510DC

Memory Dump Source

Source File: 00000001.00000002.4078477653.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5550000_Svchost.jbxd

Similarity

API ID: shutdown
String ID:
API String ID: 2510479042-0
Opcode ID: a3c34b667347f00ae0506f483ed304544852cd887bb7d107dbe68e1598a90bd9
Instruction ID: 5fc36d24e7aab786b201d0c1566e38fd57db2ccdb75489f1b150ffcbc8e6b180
Opcode Fuzzy Hash: a3c34b667347f00ae0506f483ed304544852cd887bb7d107dbe68e1598a90bd9
Instruction Fuzzy Hash: BE11C271500644AFEB21CF15DC45FA6FBA8EF44224F1488A7ED849F755D278E508CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 027BA2D2 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 027BA330

Memory Dump Source

Source File: 00000001.00000002.4075771478.00000000027BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27ba000_Svchost.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 28aee5a4084c49bd838ca0344e90c98403388788521e21085f87c81ee8fddfa8
Instruction ID: d63fcabcffa7e47f06f443b5f6e0f35a8cf9d055c3990fd27da0b17a28024a53
Opcode Fuzzy Hash: 28aee5a4084c49bd838ca0344e90c98403388788521e21085f87c81ee8fddfa8
Instruction Fuzzy Hash: 7A118F718093C06FDB238B15DC54BA2BFB4DF47220F0980CBED848B263C265A908D772

Uniqueness

Uniqueness Score: -1.00%

Function 055519A2 Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E24), ref: 05551A0B

Memory Dump Source

Source File: 00000001.00000002.4078477653.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5550000_Svchost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d35eb2af0737bc31a0185d73169eb82b28ebfd427ffa09fa60fd26a8a7f0083d
Instruction ID: 8bfad37db181df23b90a5d857ea26d481fb2d810064bfbdb7d4a703c31a2f830
Opcode Fuzzy Hash: d35eb2af0737bc31a0185d73169eb82b28ebfd427ffa09fa60fd26a8a7f0083d
Instruction Fuzzy Hash: 3F11E571500740AEE721CB15DC45FB6FBA8EF14724F14845AEE449AB85D3B8F908CAB5

Uniqueness

Uniqueness Score: -1.00%

Function 05552942 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

select.WS2_32(?,?,?,?,?), ref: 05552998

Memory Dump Source

Source File: 00000001.00000002.4078477653.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5550000_Svchost.jbxd

Similarity

API ID: select
String ID:
API String ID: 1274211008-0
Opcode ID: c29cf73153a719481b746ecc9e4fc1f11ff5c43d51c66c636da4188eceba1714
Instruction ID: b7cae8060336bbda043b77324e0886ba2881e6cdd3c60be04a8163ed88a35c59
Opcode Fuzzy Hash: c29cf73153a719481b746ecc9e4fc1f11ff5c43d51c66c636da4188eceba1714
Instruction Fuzzy Hash: 421149796042009FEB20CF55D884FA6FBE8FF04220F4888AADD49CB751D334E488CB61

Uniqueness

Uniqueness Score: -1.00%

Function 027BA078 Relevance: 1.6, APIs: 1, Instructions: 54networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,?), ref: 027BA0D5

Memory Dump Source

Source File: 00000001.00000002.4075771478.00000000027BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27ba000_Svchost.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: b38b58a5c32806384bd7e24e83b81a35ced10be51b8f847ff64d46fe561330f3
Instruction ID: b4bf1afef23c6b646bb0f101a49439f4986357bffd7280cfeaa31666a34aaeb4
Opcode Fuzzy Hash: b38b58a5c32806384bd7e24e83b81a35ced10be51b8f847ff64d46fe561330f3
Instruction Fuzzy Hash: 3C119171509780AFDB22CF55DC44B52FFB4EF46224F08889AED848B652C275A918CB71

Uniqueness

Uniqueness Score: -1.00%

Function 027BB476 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 027BB4BE

Memory Dump Source

Source File: 00000001.00000002.4075771478.00000000027BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27ba000_Svchost.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 5c68bdd969bb9d1c33e6731004463885b1638b05c3c0e6d02ac481c19788d9f4
Instruction ID: 8997e9134b927f2840a7667be17a1a5e89eab98e6c930c37d462722cac179f0c
Opcode Fuzzy Hash: 5c68bdd969bb9d1c33e6731004463885b1638b05c3c0e6d02ac481c19788d9f4
Instruction Fuzzy Hash: 8411A1716042409FEB21CF2AD885BA6FBE8EF14224F0884AAED49DB751D334E408CB71

Uniqueness

Uniqueness Score: -1.00%

Function 027BADD6 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 027BAE1E

Memory Dump Source

Source File: 00000001.00000002.4075771478.00000000027BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27ba000_Svchost.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 5c68bdd969bb9d1c33e6731004463885b1638b05c3c0e6d02ac481c19788d9f4
Instruction ID: 8e9b084ac39335e37831363d659c8a9836dd91aad42a7b8162c1bd02f2eb5a6e
Opcode Fuzzy Hash: 5c68bdd969bb9d1c33e6731004463885b1638b05c3c0e6d02ac481c19788d9f4
Instruction Fuzzy Hash: B51182756002409FEB21DF19D886B96FBE8EF04610F0884BADD49DB741D334E404CA71

Uniqueness

Uniqueness Score: -1.00%

Function 027BAFB6 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,F600D256,00000000,00000000,00000000,00000000), ref: 027BB009

Memory Dump Source

Source File: 00000001.00000002.4075771478.00000000027BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27ba000_Svchost.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 02140098977c8f00c75b665a4bfaca717e5978a375f3e01b618055941f8eb29f
Instruction ID: 1c72c5bbe1d8954577a0db03ae7e745eb88801c057e3d8ee38dbfef9392c1b9e
Opcode Fuzzy Hash: 02140098977c8f00c75b665a4bfaca717e5978a375f3e01b618055941f8eb29f
Instruction Fuzzy Hash: 2401C071504204AEE721CB05DD84FA6BBA8EF54628F14C0AAED449B785D378E908CAB5

Uniqueness

Uniqueness Score: -1.00%

Function 027BA9E4 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

WaitForInputIdle.USER32(?,?), ref: 027BAA3B

Memory Dump Source

Source File: 00000001.00000002.4075771478.00000000027BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27ba000_Svchost.jbxd

Similarity

API ID: IdleInputWait
String ID:
API String ID: 2200289081-0
Opcode ID: 4f4f4dd5d06fc1082103677a4aaf76907777cdd97f3e280f70f7092a306a24fc
Instruction ID: 91102f8cff3b1ce4a1fdfe71b7080e28ed1c9f03d6d956e2280ce9f64ecf805d
Opcode Fuzzy Hash: 4f4f4dd5d06fc1082103677a4aaf76907777cdd97f3e280f70f7092a306a24fc
Instruction Fuzzy Hash: 0011A071408380AFDB22CF55DD84B52FFB4EF46220F0984DAED858F262D279A908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 027BB772 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,F600D256,00000000,?,?,?,?,?,?,?,?,6C8B3C58), ref: 027BB7B2

Memory Dump Source

Source File: 00000001.00000002.4075771478.00000000027BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27ba000_Svchost.jbxd

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 01fae5ad85e66dbe0b180203b93c6e29bb51c71fc192c6e0bb198f5dd0921dae
Instruction ID: d359a149a6aff872ec3b025da0b12cd24add38a9a36420099bcb92ed7981fc40
Opcode Fuzzy Hash: 01fae5ad85e66dbe0b180203b93c6e29bb51c71fc192c6e0bb198f5dd0921dae
Instruction Fuzzy Hash: 1C11C0716002459FEB21CF29D884BA6FBE8EF04224F08C4ABED49CBB51D374E408CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0555161A Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 05551666

Memory Dump Source

Source File: 00000001.00000002.4078477653.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5550000_Svchost.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: c6a46afee39d7b3c10600656c253812d152d53d2c441bd46fa2bc1cdf5bfee99
Instruction ID: 21563ac0e65c12fc19bd6675192b45c1e0770c473f5401bee268b45368dad130
Opcode Fuzzy Hash: c6a46afee39d7b3c10600656c253812d152d53d2c441bd46fa2bc1cdf5bfee99
Instruction Fuzzy Hash: DF117C31504A449FEB21CF55D944B62FFE5FF08220F0888AAED868BA62D335E418CF61

Uniqueness

Uniqueness Score: -1.00%

Function 027BAC5A Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 027BAC97

Memory Dump Source

Source File: 00000001.00000002.4075771478.00000000027BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27ba000_Svchost.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 99897c0a8107619bf678ab5fcec8a6a7aa3331f9e33d077ec26dec2c76cf006b
Instruction ID: 1633b076f2cebb81a72ebe9533ca0cb4927d977fb4fc1689434e0566f6f7c86e
Opcode Fuzzy Hash: 99897c0a8107619bf678ab5fcec8a6a7aa3331f9e33d077ec26dec2c76cf006b
Instruction Fuzzy Hash: 5901F5716012449FEB21DF19DC847A6FBE4EF04221F08C4AADD45DF742D374E404CA61

Uniqueness

Uniqueness Score: -1.00%

Function 027BA172 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

EnumWindows.USER32(?,00000E24,?,?), ref: 027BA1C2

Memory Dump Source

Source File: 00000001.00000002.4075771478.00000000027BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27ba000_Svchost.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: eda924722a9716c7a88cabf7e376757ff347b1c6f5a1cf35602535ee88943c9e
Instruction ID: 220b5db8684cde4ee73e8136cb65d159ff6cfac8f3445240192e82393ee9ab4a
Opcode Fuzzy Hash: eda924722a9716c7a88cabf7e376757ff347b1c6f5a1cf35602535ee88943c9e
Instruction Fuzzy Hash: 5001BC71A00200ABD310DF16DC86B66FBE8EB88A20F14816AED489BB45D735F915CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 05551716 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetVolumeInformationA.KERNELBASE(?,00000E24,?,?), ref: 05551766

Memory Dump Source

Source File: 00000001.00000002.4078477653.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5550000_Svchost.jbxd

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: 26dbf1e290a6ce1be665b3a336c9f73cb3ab8a7629a12dcefb58aeb67510bad3
Instruction ID: be03b58b03c6f69df2491001ec46cdbaca38ca3bad824eab9e9231907b9fdafc
Opcode Fuzzy Hash: 26dbf1e290a6ce1be665b3a336c9f73cb3ab8a7629a12dcefb58aeb67510bad3
Instruction Fuzzy Hash: 5A01B171A00200ABD310DF16DC45B66FBE8EB88A20F14811AED489BB45D735F915CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 027BB96E Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 027BB9B2

Memory Dump Source

Source File: 00000001.00000002.4075771478.00000000027BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27ba000_Svchost.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 158dcc3c402c45261b622a1e33e4d9db15d2333c1932fe160d3786c0ad975a01
Instruction ID: 68c088b9caa61baa79b7c3cc481d5e340069810687dab03d9ec54301d88144b0
Opcode Fuzzy Hash: 158dcc3c402c45261b622a1e33e4d9db15d2333c1932fe160d3786c0ad975a01
Instruction Fuzzy Hash: D501AD32404640DFDB22CF55D944B66FBE0EF08324F0888AAEE898A661C375E418CF62

Uniqueness

Uniqueness Score: -1.00%

Function 027BA74E Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 027BA780

Memory Dump Source

Source File: 00000001.00000002.4075771478.00000000027BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27ba000_Svchost.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 09730a11371ee311fea09a1ac26c6f20e06f4a73981e02fc45c5adb7d3d78244
Instruction ID: c195ee7e97fd201619282eed66a4af0b968fed2dcd93a1a7cdba2e37db8b5de7
Opcode Fuzzy Hash: 09730a11371ee311fea09a1ac26c6f20e06f4a73981e02fc45c5adb7d3d78244
Instruction Fuzzy Hash: 6D01D4715042409FEB11DF15D9847A5FBE4DF04220F08C4ABDD459FB56D374E408CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 027BB6C6 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 027BB6F8

Memory Dump Source

Source File: 00000001.00000002.4075771478.00000000027BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27ba000_Svchost.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 1735ec27c107fecc4c1f2b11206c5f1ed05a65c2845c13d268877ef94df71a0b
Instruction ID: 98ad293cbe73dca320c287fb30c7241748d1ec2f1e3e02d9415bc0893c87ad88
Opcode Fuzzy Hash: 1735ec27c107fecc4c1f2b11206c5f1ed05a65c2845c13d268877ef94df71a0b
Instruction Fuzzy Hash: 4701D4715042408FDB21CF19D985796FBE4EF44224F08C4ABDD499FB55C274E408CE72

Uniqueness

Uniqueness Score: -1.00%

Function 0555065A Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 055506AA

Memory Dump Source

Source File: 00000001.00000002.4078477653.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5550000_Svchost.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: de557e5b95444bfb7b93b79ca9bf1decb59d79328a610838a7e37e82d0d707b3
Instruction ID: 47cad7c8c40ab76fa5f5df8a498790b062572241b5f8e574844c4a8e2ee0b4fc
Opcode Fuzzy Hash: de557e5b95444bfb7b93b79ca9bf1decb59d79328a610838a7e37e82d0d707b3
Instruction Fuzzy Hash: 8001A271500600ABD310DF16DC46B66FBE8FB88A20F14811AED489BB81D775F925CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 05552F72 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(00000000,?,00000E24,F600D256,00000000,00000000,00000000,00000000), ref: 05552FCB

Memory Dump Source

Source File: 00000001.00000002.4078477653.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5550000_Svchost.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: ac44f3a43ec7dd8d066691b62589e87deb96079095d2113bcd4ebccb8b734b74
Instruction ID: 109a6991163321d35b9fa60460c80fb248e7abb774ecf44bb55ab5178a993840
Opcode Fuzzy Hash: ac44f3a43ec7dd8d066691b62589e87deb96079095d2113bcd4ebccb8b734b74
Instruction Fuzzy Hash: A3011A70500740AFEB21CF65CC85F66BBECAF18614F148859B989DB695D678E804CB70

Uniqueness

Uniqueness Score: -1.00%

Function 027BA09A Relevance: 1.5, APIs: 1, Instructions: 42networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,?), ref: 027BA0D5

Memory Dump Source

Source File: 00000001.00000002.4075771478.00000000027BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27ba000_Svchost.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: a68d90b74b724bcc1837c8cbc3fa78ac61544c25b398e9773b0d3a46eeb35be9
Instruction ID: 64432e865607fdfc5ae77de0eaa26826fd71f431cf2b887a14f09f59ed2d15c3
Opcode Fuzzy Hash: a68d90b74b724bcc1837c8cbc3fa78ac61544c25b398e9773b0d3a46eeb35be9
Instruction Fuzzy Hash: 7F01B1315046409FEB21DF55D984BA1FBE0EF48320F08C8AADD499F656D375E408CB72

Uniqueness

Uniqueness Score: -1.00%

Function 027BAA06 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

WaitForInputIdle.USER32(?,?), ref: 027BAA3B

Memory Dump Source

Source File: 00000001.00000002.4075771478.00000000027BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27ba000_Svchost.jbxd

Similarity

API ID: IdleInputWait
String ID:
API String ID: 2200289081-0
Opcode ID: 6f466a8be1b674a62f1fa4d5703eacb5a4302948fc67f57d8945a68354e5b034
Instruction ID: 1609ab05fd7a1c20687825cff3ecf965aa3ab14e499b04071afb2a5166b9be32
Opcode Fuzzy Hash: 6f466a8be1b674a62f1fa4d5703eacb5a4302948fc67f57d8945a68354e5b034
Instruction Fuzzy Hash: BD01DF319042409FEB21DF09D984BA2FBE4EF05220F08C8AADD499F756D379E408CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 027BAAAE Relevance: 1.5, APIs: 1, Instructions: 39comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 027BAAE0

Memory Dump Source

Source File: 00000001.00000002.4075771478.00000000027BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27ba000_Svchost.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: d811c44c6cfd99ad5f68b56dec7a3335f44cfbd26661d338e74b52528f76ec68
Instruction ID: 9c733caaed292bf4d82b9cc14fae4ddf1a49217c4dfb8c8b8b37714d6ba624b5
Opcode Fuzzy Hash: d811c44c6cfd99ad5f68b56dec7a3335f44cfbd26661d338e74b52528f76ec68
Instruction Fuzzy Hash: 7301D1719042409FEB21DF15D9847A2FBE4EF44220F08C8AADD489F756D379E448CEB2

Uniqueness

Uniqueness Score: -1.00%

Function 027BA2FE Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 027BA330

Memory Dump Source

Source File: 00000001.00000002.4075771478.00000000027BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27ba000_Svchost.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 32c6e93a7133bb44827b8fb2a339ce7aebe86d80ebafe6be75cf5f0b53296023
Instruction ID: 8fe2e28febd53c11ffa5314e404216e7daf574ff0967ca65ce28fa0d97f6fa12
Opcode Fuzzy Hash: 32c6e93a7133bb44827b8fb2a339ce7aebe86d80ebafe6be75cf5f0b53296023
Instruction Fuzzy Hash: 54F08C359042409FEB21DF09D9847A1FFE0EF04221F08C0AADD495F752D379E408CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 02801340 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4076041880.0000000002801000.00000040.00000020.00020000.00000000.sdmp, Offset: 02801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2801000_Svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad009d65ac27344247c99b71c4c6178c316ba5dc5573759e79cbb8743a6e7c77
Instruction ID: 3c56432fac53e45933165394650a22201679265d60c39f6391ae4c76fee8a17c
Opcode Fuzzy Hash: ad009d65ac27344247c99b71c4c6178c316ba5dc5573759e79cbb8743a6e7c77
Instruction Fuzzy Hash: 89216D3910D3C08FC703CB608855A55BFB1EF4B718F1A86DAD488CB6A3C33A8856CB52

Uniqueness

Uniqueness Score: -1.00%

Function 059622B8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4078632251.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5960000_Svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e17cd08c058be45c4e7464ce6737c44e6c8676f9692c6e428105f7576ad25579
Instruction ID: 8c7b1f837c63562b5d344c42f069efb151268a15ac482d58b3bc8b430a9b9ce2
Opcode Fuzzy Hash: e17cd08c058be45c4e7464ce6737c44e6c8676f9692c6e428105f7576ad25579
Instruction Fuzzy Hash: 7711B6B5908341AFD350CF19D880A5BFBE4FB98664F14896EF99897311D231E9188FA2

Uniqueness

Uniqueness Score: -1.00%

Function 0280127C Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4076041880.0000000002801000.00000040.00000020.00020000.00000000.sdmp, Offset: 02801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2801000_Svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71a457a13ae44df29b35e08526beb5f9304719e93543dd8b4022e910c27fa716
Instruction ID: 1432bbf49bca87e3d8dccb3f2ae5764cdeee62936b43a8dedbc48371c067c4dd
Opcode Fuzzy Hash: 71a457a13ae44df29b35e08526beb5f9304719e93543dd8b4022e910c27fa716
Instruction Fuzzy Hash: 2911E4382042849FD755CB54D984B26BBE1AB8971CF28C9ACE44D8BB92C73BD803CA51

Uniqueness

Uniqueness Score: -1.00%

Function 02801244 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4076041880.0000000002801000.00000040.00000020.00020000.00000000.sdmp, Offset: 02801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2801000_Svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e561fd7ca1f4e2a5ccd5607ff373a856e17e95475ab2cb2bca0a42a7fc25944
Instruction ID: 5e0ef81a6f69db9f8cdf2f4061db9fa90d64f630432df9f0f046b905ee558e3c
Opcode Fuzzy Hash: 8e561fd7ca1f4e2a5ccd5607ff373a856e17e95475ab2cb2bca0a42a7fc25944
Instruction Fuzzy Hash: 7C215E7910D3C49FC707CB50C9A4B11BFB1AF4B714F1A85DAD4898BAA3C33A9816CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0596215C Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4078632251.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5960000_Svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65382417fb9333fdb671223bb7ecd08a9ee646c5dff218c07d64761439b565d9
Instruction ID: 162f4e7d8635a6128b10f04cd830e040ff5ac7014dfb3da4af7e437f279529c5
Opcode Fuzzy Hash: 65382417fb9333fdb671223bb7ecd08a9ee646c5dff218c07d64761439b565d9
Instruction Fuzzy Hash: 8E11FAB5908301AFD750CF09DC80E5BFBE8EB88660F14892EF95997311D231E908CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 027CB444 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4075827513.00000000027CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 027CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27ca000_Svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bfafa62c6e79742ecfaf5e992fe35235c5a84dca9216defb4bb2bb50be69412
Instruction ID: 3fba2eecc8804ac02055b0ded27aeff008e2aa5a659d39ecc83890435e52a151
Opcode Fuzzy Hash: 2bfafa62c6e79742ecfaf5e992fe35235c5a84dca9216defb4bb2bb50be69412
Instruction Fuzzy Hash: C411FAB5908301AFD350CF09DC40E5BFBE8EB98660F14892EF95997311D231E908CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 02801048 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4076041880.0000000002801000.00000040.00000020.00020000.00000000.sdmp, Offset: 02801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2801000_Svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59c0e09748076c2fb87bfc6ebdc117b91751ae4a907fa1f5e22c6ab4ce1515bc
Instruction ID: 5efeb0293c7065ef62d0064077c1039b21ed9377e4c48f314fd6a45e710d5e24
Opcode Fuzzy Hash: 59c0e09748076c2fb87bfc6ebdc117b91751ae4a907fa1f5e22c6ab4ce1515bc
Instruction Fuzzy Hash: 1D01A2B65487806FD7118B45EC40852FFE8EF8623070984ABE8498B652D239B908CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02801338 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4076041880.0000000002801000.00000040.00000020.00020000.00000000.sdmp, Offset: 02801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2801000_Svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e3ffe0ab8b8bec43b0eca7ca5da45ad1ed39b609236ae5c53b800e7332b5d85
Instruction ID: 07252666d4d0f9ed36414c105984f025cf0685a36062e567b64e4978ddbd62fb
Opcode Fuzzy Hash: 0e3ffe0ab8b8bec43b0eca7ca5da45ad1ed39b609236ae5c53b800e7332b5d85
Instruction Fuzzy Hash: 91F01D39108644DFC706CB40D984B15FBA2FB89718F24CAADE94947B52C337D813DA81

Uniqueness

Uniqueness Score: -1.00%

Function 0280106E Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4076041880.0000000002801000.00000040.00000020.00020000.00000000.sdmp, Offset: 02801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2801000_Svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3db65f45cb93e3768d43eac69ef2f2bc0872fcbac2cf8be750732ea54c257f17
Instruction ID: 7937a471374ebcc86ac0557f41829d756564d39da2429824aaf8a36141677542
Opcode Fuzzy Hash: 3db65f45cb93e3768d43eac69ef2f2bc0872fcbac2cf8be750732ea54c257f17
Instruction Fuzzy Hash: 71E092B6A046405B9650CF0AFC41452F7D8EB84631718C47FDC0D8B701D235F908CAA6

Uniqueness

Uniqueness Score: -1.00%

Function 059621AB Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4078632251.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5960000_Svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47f8be74dad80cce0d41ee6df3459ce310b2a0065cdef21e6abda0ff5ace0742
Instruction ID: 4e088e24577ba1145898629cf76ba2517fe3814fa11d8860efa60800a0abfe0e
Opcode Fuzzy Hash: 47f8be74dad80cce0d41ee6df3459ce310b2a0065cdef21e6abda0ff5ace0742
Instruction Fuzzy Hash: BBE092B290020467D6609E06AC45F53FB98DB80931F188566ED091A752D172B5148AB5

Uniqueness

Uniqueness Score: -1.00%

Function 05961BCF Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4078632251.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5960000_Svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a515e065827a26389723f91e212fcb60eac9335d08af80bede345d7113567520
Instruction ID: 5408e4bd90edcfc6a2e3add645c738f3775d6493cc67369236c5b81cf70ef4f8
Opcode Fuzzy Hash: a515e065827a26389723f91e212fcb60eac9335d08af80bede345d7113567520
Instruction Fuzzy Hash: 55E0D8B294020067D220DF06AC45F53FB98DB80931F18C567ED091B741D172F514CAF5

Uniqueness

Uniqueness Score: -1.00%

Function 05962323 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4078632251.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5960000_Svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c19b63768476d4f678971c412a6ca207edd9680b27b09350ad0b16966b042a69
Instruction ID: bb805c66b29f30223069fce4199328e666b3a81e7ae6ac6b83dca96ef68e4cad
Opcode Fuzzy Hash: c19b63768476d4f678971c412a6ca207edd9680b27b09350ad0b16966b042a69
Instruction Fuzzy Hash: 01E0D8B294020067D6608F06AC45F53FB98DB94931F18C567ED081B741D171F514CAF5

Uniqueness

Uniqueness Score: -1.00%

Function 027CB493 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4075827513.00000000027CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 027CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27ca000_Svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7c0c3e1bbeddcadf182d34b7e48a859ec53368351010e58c506eee3dca185de
Instruction ID: faa0001c6d326b2a601ba70ffd0beb453563b71b78ff90efe61152c99e51826e
Opcode Fuzzy Hash: a7c0c3e1bbeddcadf182d34b7e48a859ec53368351010e58c506eee3dca185de
Instruction Fuzzy Hash: 79E0D8B294020467D2208F06AC45F53FB98DB90A31F18C567ED095B742D171F914CAF5

Uniqueness

Uniqueness Score: -1.00%

Function 027B23F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4075739175.00000000027B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27b2000_Svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cc5fabfb295ef84b8abbe658f77501f63cda702f2d75a004e34bbf287da885b
Instruction ID: d0f074b065167860a78439ce4e5fbed40c580f30bb1f7512c5800b71c1a94560
Opcode Fuzzy Hash: 9cc5fabfb295ef84b8abbe658f77501f63cda702f2d75a004e34bbf287da885b
Instruction Fuzzy Hash: BED02E393026D04FD3238A0CC2A8BC53BD4AF41708F0A08F9AC00CBB63CB28D880D600

Uniqueness

Uniqueness Score: -1.00%

Function 027B23BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4075739175.00000000027B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27b2000_Svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0242d0a935e0634d7886a0fcd861a97a1ad8c4a2e9f6ea9fa54b1246b4b9d669
Instruction ID: 805eb4f7ec126a0dd15b181bc1ad345469a2d37100bc8ed22fbfdadb09632dcf
Opcode Fuzzy Hash: 0242d0a935e0634d7886a0fcd861a97a1ad8c4a2e9f6ea9fa54b1246b4b9d669
Instruction Fuzzy Hash: 68D05E342012814BC726DA0CC6D4F9937D4AF45718F0648E8AC108B762C7A4D8C0DA10

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Svchost.exePID: 3584, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	18.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	12
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 04EC0310 Relevance: 3.9, Strings: 3, Instructions: 191
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

=[-j^, xrefs: 04EC0477, 04EC047C
[-j^, xrefs: 04EC0545, 04EC054A
-[-j^, xrefs: 04EC04DA, 04EC04DF

Memory Dump Source

Source File: 00000006.00000002.1929062378.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4ec0000_Svchost.jbxd

Similarity

API ID:
String ID: [-j^$-[-j^$=[-j^
API String ID: 0-254388292
Opcode ID: 1236d53acfac69694dde2841d764c40f51244c34f6561a815ae6549835b3860f
Instruction ID: aac3842eee54585c567ea121cb268d88df4c99adb0ab06b68beff5d77ff748ee
Opcode Fuzzy Hash: 1236d53acfac69694dde2841d764c40f51244c34f6561a815ae6549835b3860f
Instruction Fuzzy Hash: EC511330B002118FC728ABB998506BE37E7ABC5348B58456DE402DB3D5EF39DC069B96

Uniqueness

Uniqueness Score: -1.00%

Function 04EC03BD Relevance: 3.9, Strings: 3, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

=[-j^, xrefs: 04EC0477, 04EC047C
[-j^, xrefs: 04EC0545, 04EC054A
-[-j^, xrefs: 04EC04DA, 04EC04DF

Memory Dump Source

Source File: 00000006.00000002.1929062378.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4ec0000_Svchost.jbxd

Similarity

API ID:
String ID: [-j^$-[-j^$=[-j^
API String ID: 0-254388292
Opcode ID: dfda12bd8b254192c0d832fe3e351b60375a1fd35f202552e0df43b156f94a1d
Instruction ID: 531eebdbc135e8cb3143e4ceb6a4cf3afe7ffc81d35b3939cda224c1da23f9c6
Opcode Fuzzy Hash: dfda12bd8b254192c0d832fe3e351b60375a1fd35f202552e0df43b156f94a1d
Instruction Fuzzy Hash: A841DA31B001118BC728B7BD95106BE36D76FC5248B58457DD402EB3A5EF39CC069BE6

Uniqueness

Uniqueness Score: -1.00%

Function 025CA612 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 025CA6B9

Memory Dump Source

Source File: 00000006.00000002.1928726467.00000000025CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 025CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_25ca000_Svchost.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 0a72f936950b373375dbe273b349bb905ddf3f72d53431ad8a34d8e3041bd125
Instruction ID: abb07391e1090daaf274a6244f9b1273d8faa6e9d5292ddafca1a78f85e2a808
Opcode Fuzzy Hash: 0a72f936950b373375dbe273b349bb905ddf3f72d53431ad8a34d8e3041bd125
Instruction Fuzzy Hash: C031CFB55093846FE712CB61CC84B96BFF8EF06214F18849AE984CB292E374E909C771

Uniqueness

Uniqueness Score: -1.00%

Function 025CA361 Relevance: 1.6, APIs: 1, Instructions: 85
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,F761E865,00000000,00000000,00000000,00000000), ref: 025CA40C

Memory Dump Source

Source File: 00000006.00000002.1928726467.00000000025CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 025CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_25ca000_Svchost.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: dae52c0285131003a42fbb799dfba85325dcec7f72f835e0a696ddfc4fe24257
Instruction ID: ad04b8c7771ab249ffc9152a20544663d6cb6dc788aa74e1d4656003a0a68745
Opcode Fuzzy Hash: dae52c0285131003a42fbb799dfba85325dcec7f72f835e0a696ddfc4fe24257
Instruction Fuzzy Hash: 29319E75509784AFE722CF51CC84F92BFF8EF06614F08849AE985CB692D324E909CB75

Uniqueness

Uniqueness Score: -1.00%

Function 025CA462 Relevance: 1.6, APIs: 1, Instructions: 77
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegSetValueExW.KERNELBASE(?,00000E24,F761E865,00000000,00000000,00000000,00000000), ref: 025CA4F8

Memory Dump Source

Source File: 00000006.00000002.1928726467.00000000025CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 025CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_25ca000_Svchost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: f5e698f2c5b62c877d479d2c80404df8fa7bf1c2353004de50b1d4db33b26cf5
Instruction ID: c579e7e89d31c53ce8974481530bcb2c1c5f99aeb7af467e708c5441f0eeab35
Opcode Fuzzy Hash: f5e698f2c5b62c877d479d2c80404df8fa7bf1c2353004de50b1d4db33b26cf5
Instruction Fuzzy Hash: B421B0725083846FEB22CF51DC44FA7BFB8EF06614F08849AE985CB652D364E808C771

Uniqueness

Uniqueness Score: -1.00%

Function 025CA646 Relevance: 1.6, APIs: 1, Instructions: 72
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 025CA6B9

Memory Dump Source

Source File: 00000006.00000002.1928726467.00000000025CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 025CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_25ca000_Svchost.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 525a6856dbf27d39291b3a03f09c091464536540d556c3c95c49392fafcc4018
Instruction ID: 0d5313f24df621f3265972c85993f3dd07e3d148e97d35d21f4a310b69eda97f
Opcode Fuzzy Hash: 525a6856dbf27d39291b3a03f09c091464536540d556c3c95c49392fafcc4018
Instruction Fuzzy Hash: 7721DE71A00244AFE720DF65DD85BA6FBE8EF04224F14886EE9848B745E374E808CA75

Uniqueness

Uniqueness Score: -1.00%

Function 025CA392 Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,F761E865,00000000,00000000,00000000,00000000), ref: 025CA40C

Memory Dump Source

Source File: 00000006.00000002.1928726467.00000000025CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 025CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_25ca000_Svchost.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: aa89d665e7b8662e9b388a7ae62e3044648c71c24c3e40c75acaca27c4bd7ae5
Instruction ID: 3cad51d1257d00de5db61f73d3d4c422d0280539ce7f115ad202b5149e19432c
Opcode Fuzzy Hash: aa89d665e7b8662e9b388a7ae62e3044648c71c24c3e40c75acaca27c4bd7ae5
Instruction Fuzzy Hash: 1F218C75600208AFEB21CF55CC88FA6BBECEF04614F18846AED45CB651E774E809CA75

Uniqueness

Uniqueness Score: -1.00%

Function 025CA486 Relevance: 1.6, APIs: 1, Instructions: 65
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegSetValueExW.KERNELBASE(?,00000E24,F761E865,00000000,00000000,00000000,00000000), ref: 025CA4F8

Memory Dump Source

Source File: 00000006.00000002.1928726467.00000000025CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 025CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_25ca000_Svchost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 8d8a934fb21564abda37dd5882c7dfcbda7963ea4faf4e2e16e4640f73f75fa2
Instruction ID: 34e8e859e9f0133890d96d06fd2a87a4d5fa62b2d94e6d1f00144ce7ba618e00
Opcode Fuzzy Hash: 8d8a934fb21564abda37dd5882c7dfcbda7963ea4faf4e2e16e4640f73f75fa2
Instruction Fuzzy Hash: 6811BE76600204AFEB21CE55DC84FA6BFECEF14614F14846AED459AB51E374E808CAB5

Uniqueness

Uniqueness Score: -1.00%

Function 04EC0080 Relevance: .1, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.1929062378.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4ec0000_Svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16ac1fede49c15924671d4b41de9aa0e432b339f4871361dcbfa40fc8a384cda
Instruction ID: c225cdcdfea9e79f246132fb8e875bc944899d6710dd005bdcedf3a9a4f167f6
Opcode Fuzzy Hash: 16ac1fede49c15924671d4b41de9aa0e432b339f4871361dcbfa40fc8a384cda
Instruction Fuzzy Hash: 9E513130605A92CBC714FF39ED85A9A77A3AB8424C7488D7DD005CB76EEB385D09DB81

Uniqueness

Uniqueness Score: -1.00%

Function 04EC0018 Relevance: .0, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.1929062378.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4ec0000_Svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4190d20e5c723d28882309360325908305a5885805d393c63ad51e0736e0ada5
Instruction ID: 391beaa43e2184bf8a5b4b5a94528c7f277589b1e38ff6ab9af08c998669a9d2
Opcode Fuzzy Hash: 4190d20e5c723d28882309360325908305a5885805d393c63ad51e0736e0ada5
Instruction Fuzzy Hash: 87F05AA684E3C01FDB534B645CAA5E53FB09D2711034A05C3D882CB8A3E41D5A0FDB66

Uniqueness

Uniqueness Score: -1.00%

Function 02601047 Relevance: .0, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.1928796333.0000000002601000.00000040.00000020.00020000.00000000.sdmp, Offset: 02601000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2601000_Svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7e336f75b0342e2b2bafa9214f01a60da8584d8ba2d619f9b904cf7e1e0b4e5
Instruction ID: 47e5274d67c8cc29698247f0e49d36bfd74e7a04a852ba79db0f6590769adc6c
Opcode Fuzzy Hash: c7e336f75b0342e2b2bafa9214f01a60da8584d8ba2d619f9b904cf7e1e0b4e5
Instruction Fuzzy Hash: 0F0149B50087805FC3518B06EC40893BFE8DF8663030984ABEC898B722D275BD08CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0260106E Relevance: .0, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.1928796333.0000000002601000.00000040.00000020.00020000.00000000.sdmp, Offset: 02601000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2601000_Svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46b63dc5b081347e175d8578caa2c970dec88688a7ba96f5344c018a87d01484
Instruction ID: 1108d1535dbcf2b8fffc51b5fcf933feb8e2ee3401d56cad5077d54469a92fcd
Opcode Fuzzy Hash: 46b63dc5b081347e175d8578caa2c970dec88688a7ba96f5344c018a87d01484
Instruction Fuzzy Hash: A3E092B66046408B9650CF0BEC45452F7D8EB88A30718C47FDC0D8BB01E275F508CAA6

Uniqueness

Uniqueness Score: -1.00%

Function 025C23F4 Relevance: .0, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.1928715487.00000000025C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 025C2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_25c2000_Svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 459a9819f883e6fac73b8a71e41194b9719f93e7177c4673491e0679542e45ca
Instruction ID: bd7dc70f79c043a3e3821abe24909c1fa8509872774d41b0eb9701052b36f3bf
Opcode Fuzzy Hash: 459a9819f883e6fac73b8a71e41194b9719f93e7177c4673491e0679542e45ca
Instruction Fuzzy Hash: 24D05E7A2056D14FD3269A1CC6A8B953BE4BB55718F5A48FDAC00CB763CB78D581D600

Uniqueness

Uniqueness Score: -1.00%

Function 025C23BC Relevance: .0, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.1928715487.00000000025C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 025C2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_25c2000_Svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8d26d5d760faf2536dce800fe2141a96f71df0d866a84b9c1fa2a07e3f6cf76
Instruction ID: 5451e17b5fc4485977eed7483c2ee699fe343d1b2839ecbbc85393679e8c38c6
Opcode Fuzzy Hash: b8d26d5d760faf2536dce800fe2141a96f71df0d866a84b9c1fa2a07e3f6cf76
Instruction Fuzzy Hash: DED05E343102814FC725DA0CC6D4F593BD4BB45B18F1648ECAC10CB762C7A8D8C0DA00

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Svchost.exePID: 4504, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	18.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	12
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 05550310 Relevance: 3.9, Strings: 3, Instructions: 189
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

=[^k^, xrefs: 05550477, 0555047C
-[^k^, xrefs: 055504DA, 055504DF
[^k^, xrefs: 05550545, 0555054A

Memory Dump Source

Source File: 00000009.00000002.2023322687.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5550000_Svchost.jbxd

Similarity

API ID:
String ID: [^k^$-[^k^$=[^k^
API String ID: 0-3832217768
Opcode ID: 1a7d094b579c8261e6c1c2c76692f4cefe567da3d21b403e5095317a31a5a486
Instruction ID: 5045ad3f499b4e12708ed86583f5e574c8cebedbd1e1c95242c92fbac0359e11
Opcode Fuzzy Hash: 1a7d094b579c8261e6c1c2c76692f4cefe567da3d21b403e5095317a31a5a486
Instruction Fuzzy Hash: 9151FE307002008BD718EB7994686BE37E7BBC5384B048969E906DB3E0DF398C4687A2

Uniqueness

Uniqueness Score: -1.00%

Function 055503BD Relevance: 3.9, Strings: 3, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

=[^k^, xrefs: 05550477, 0555047C
-[^k^, xrefs: 055504DA, 055504DF
[^k^, xrefs: 05550545, 0555054A

Memory Dump Source

Source File: 00000009.00000002.2023322687.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5550000_Svchost.jbxd

Similarity

API ID:
String ID: [^k^$-[^k^$=[^k^
API String ID: 0-3832217768
Opcode ID: ab37992690d683c906f00588f20717d3bc78f03876ba30ab17bcd25e4f00b33b
Instruction ID: fbd97e2e9612653f4e5e2924718d5f174d65bc99e4b16a945ea8ef6ffa624a03
Opcode Fuzzy Hash: ab37992690d683c906f00588f20717d3bc78f03876ba30ab17bcd25e4f00b33b
Instruction Fuzzy Hash: DA41E231B002118BD718E77990686BD32E7AFD5688704496DE506EF3E4DF3D8C4687A2

Uniqueness

Uniqueness Score: -1.00%

Function 012BA612 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 012BA6B9

Memory Dump Source

Source File: 00000009.00000002.2022873809.00000000012BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12ba000_Svchost.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: e234394b4bc356b2d343e9510bee8e8afca3323629514d55c736f3d875c4d91d
Instruction ID: 02ea0d0edd63ad69f45631709cc52841a58f49f54e164d7bfa49373e0fb684dd
Opcode Fuzzy Hash: e234394b4bc356b2d343e9510bee8e8afca3323629514d55c736f3d875c4d91d
Instruction Fuzzy Hash: 1E318FB55093806FE722CB25DC85B96BFF8EF06310F08849AE984CB293D375E909C761

Uniqueness

Uniqueness Score: -1.00%

Function 012BA361 Relevance: 1.6, APIs: 1, Instructions: 85
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,7D8F8FA0,00000000,00000000,00000000,00000000), ref: 012BA40C

Memory Dump Source

Source File: 00000009.00000002.2022873809.00000000012BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12ba000_Svchost.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 1d3a2e57694d26e3df9093fe3ba64241972a87da7c42eea392a25623393afd26
Instruction ID: 44daada3c385ec194121bca171b4c52ef8302b47949b12285547d2fd0b83e9a6
Opcode Fuzzy Hash: 1d3a2e57694d26e3df9093fe3ba64241972a87da7c42eea392a25623393afd26
Instruction Fuzzy Hash: D7318E75509780AFE722CF15DC84F92BBF8EF06310F08849AE985CB292D364E909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 012BA462 Relevance: 1.6, APIs: 1, Instructions: 77
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegSetValueExW.KERNELBASE(?,00000E24,7D8F8FA0,00000000,00000000,00000000,00000000), ref: 012BA4F8

Memory Dump Source

Source File: 00000009.00000002.2022873809.00000000012BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12ba000_Svchost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 9f140467ff6736515fb5129cac3743e216b944ea763f35ea52c6727c495962bd
Instruction ID: 9fe3f08093a6cbe3c39bf43cfb2e3a024ae385803c9dfe1314c5b60adf02904b
Opcode Fuzzy Hash: 9f140467ff6736515fb5129cac3743e216b944ea763f35ea52c6727c495962bd
Instruction Fuzzy Hash: 302181725043806FE7228F15DC44FA7BFB8DF45310F08849AE985DB652D364E948C771

Uniqueness

Uniqueness Score: -1.00%

Function 012BA646 Relevance: 1.6, APIs: 1, Instructions: 72
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 012BA6B9

Memory Dump Source

Source File: 00000009.00000002.2022873809.00000000012BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12ba000_Svchost.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 0f9c55da4058b08e1c5a195c3acdf9d24be16afa84ee47837121682b60bc1b75
Instruction ID: bdd742063a65b40ce9a9c14308506061ecedd09e17b34efd95a91dc7a0c28826
Opcode Fuzzy Hash: 0f9c55da4058b08e1c5a195c3acdf9d24be16afa84ee47837121682b60bc1b75
Instruction Fuzzy Hash: CC21B0B56142009FEB21CF29DD85BA6FBE8EF04320F048469EE85CB746D775E808CA71

Uniqueness

Uniqueness Score: -1.00%

Function 012BA392 Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,7D8F8FA0,00000000,00000000,00000000,00000000), ref: 012BA40C

Memory Dump Source

Source File: 00000009.00000002.2022873809.00000000012BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12ba000_Svchost.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: c51fbd2f4e153791f2df91adb3c64e92b9a3a3aac47ed74116a510de5084c8b4
Instruction ID: 7bf4084b5f448a1ccd844643f942216f8d6e4ca0d12980f041c6ffbc09e1b590
Opcode Fuzzy Hash: c51fbd2f4e153791f2df91adb3c64e92b9a3a3aac47ed74116a510de5084c8b4
Instruction Fuzzy Hash: 9321AE71610200AFE721CF15DC84FA6BBECEF04750F08846AEA45DB751D7B4E808CA71

Uniqueness

Uniqueness Score: -1.00%

Function 012BA486 Relevance: 1.6, APIs: 1, Instructions: 65
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegSetValueExW.KERNELBASE(?,00000E24,7D8F8FA0,00000000,00000000,00000000,00000000), ref: 012BA4F8

Memory Dump Source

Source File: 00000009.00000002.2022873809.00000000012BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12ba000_Svchost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 89e015a8d3e8c4bb73a2cc52f1d0d258a3b058544c6259715e381f1f41afb80d
Instruction ID: 1015fb3df5644470d9d6f32206143ed38aa9ebd091082b286ca93ed933e33ff6
Opcode Fuzzy Hash: 89e015a8d3e8c4bb73a2cc52f1d0d258a3b058544c6259715e381f1f41afb80d
Instruction Fuzzy Hash: A611AF72510200AFEB218E15DC85FA6BBECEF14710F04845AEE859B756D374E9088A71

Uniqueness

Uniqueness Score: -1.00%

Function 05550080 Relevance: .1, Instructions: 130
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2023322687.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5550000_Svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56871a1dfba28eb66be30d525718ef19880cc0a87af27b673b5eb3e2afffb922
Instruction ID: f87ba0625168bc7897af7453be429955da3ed6af32779d5869ae6b65c863939f
Opcode Fuzzy Hash: 56871a1dfba28eb66be30d525718ef19880cc0a87af27b673b5eb3e2afffb922
Instruction Fuzzy Hash: 6E512E38201242CFD724DB38F58998A77E3FFC52483448979E1058B36AEB7C5D8ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 05550006 Relevance: .0, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2023322687.0000000005550000.00000040.00000800.00020000.00000000.sdmp, Offset: 05550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5550000_Svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 031c41dbe6b9cb954b98105e8df615fb5a90f575847b59181585e5b978536fe5
Instruction ID: d99c27c725e716977511567ee45433307e6708b506f6abc346bda0521de0284b
Opcode Fuzzy Hash: 031c41dbe6b9cb954b98105e8df615fb5a90f575847b59181585e5b978536fe5
Instruction Fuzzy Hash: 03015BA644E7C44FC74382706C759A13F74AE6321470F05C7D880CB1B3E4486A5AE332

Uniqueness

Uniqueness Score: -1.00%

Function 02E01047 Relevance: .0, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2023122464.0000000002E01000.00000040.00000020.00020000.00000000.sdmp, Offset: 02E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e01000_Svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f89793825593981484a33bbe1ccd970ff08f2c7c65193bbdad7aff122749623b
Instruction ID: 36b6a53770633a18ced309100c1bec528c40b024c3149c1a5857106ef4b2667c
Opcode Fuzzy Hash: f89793825593981484a33bbe1ccd970ff08f2c7c65193bbdad7aff122749623b
Instruction Fuzzy Hash: 8001A2B55093805FD7128B16AC40862FFB8DF86230709C5AFEC598B652D229A809CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02E0106E Relevance: .0, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2023122464.0000000002E01000.00000040.00000020.00020000.00000000.sdmp, Offset: 02E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e01000_Svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60f9b0a2aa55ea18d4814e4db91812b6d46634752faf50024f7d1461d73345d9
Instruction ID: f6ca1aa7a252a730c5a117c7d6824352d50cd0843d704d1a1ab64cc973c34078
Opcode Fuzzy Hash: 60f9b0a2aa55ea18d4814e4db91812b6d46634752faf50024f7d1461d73345d9
Instruction Fuzzy Hash: CAE092B66046008F9750CF0AFC41462F7E8EB84630B08C47FDC0D8B701D235B908CAA6

Uniqueness

Uniqueness Score: -1.00%

Function 012B23F4 Relevance: .0, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2022860930.00000000012B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12b2000_Svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a30d55328179c2e28dd1c3b8062b0c2ebde62069ccac438ca4f4f03d70fafe0
Instruction ID: e089440eb605787e860fc62c8bde49750c112665b4eb074208aff278dc04806d
Opcode Fuzzy Hash: 9a30d55328179c2e28dd1c3b8062b0c2ebde62069ccac438ca4f4f03d70fafe0
Instruction Fuzzy Hash: C5D0C2392007A18EE3128A0CC194BC53BA4AB41704F0604B998008BB62C728E4C0D500

Uniqueness

Uniqueness Score: -1.00%

Function 012B23BC Relevance: .0, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2022860930.00000000012B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_12b2000_Svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d8d9f12387adb49dfa38219707b660c2784e2c3ff941ab6c6b6081102e041b6
Instruction ID: 689d1f234731801455c6800c40af8b06d889c090da40a8e597cb9e60feb74a64
Opcode Fuzzy Hash: 6d8d9f12387adb49dfa38219707b660c2784e2c3ff941ab6c6b6081102e041b6
Instruction Fuzzy Hash: B7D05E342012828BD725DB0CC6D4F993BD4AB45714F0648E8BD108B762C7A4E8C0DA10

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Svchost.exePID: 4176, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	9.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	19
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0191A612 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0191A6B9

Memory Dump Source

Source File: 0000000A.00000002.2104394279.000000000191A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0191A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_191a000_Svchost.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 7e94069fbaf69299849ed58683210d9fc5115c40ccd5f43bc8cc828fb6200cf8
Instruction ID: 049e2325be33fdca8aa13e240a5ebb4ab735fe0461beed342ed98b19d7c86760
Opcode Fuzzy Hash: 7e94069fbaf69299849ed58683210d9fc5115c40ccd5f43bc8cc828fb6200cf8
Instruction Fuzzy Hash: 003191B55093846FE712CB25DC85B96BFF8EF06210F08849AE988CB297D375E909C771

Uniqueness

Uniqueness Score: -1.00%

Function 0191A361 Relevance: 1.6, APIs: 1, Instructions: 85
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,2F3A9DA7,00000000,00000000,00000000,00000000), ref: 0191A40C

Memory Dump Source

Source File: 0000000A.00000002.2104394279.000000000191A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0191A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_191a000_Svchost.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 9b2c3861ad176a1deb5017a2741ea4586a82ea88f7c65c78ed11e7aa5cf293e1
Instruction ID: 46b5d0462038ff9f4b852f1c2d7e13b98e6067e94de124f9abdc7c3fa5016987
Opcode Fuzzy Hash: 9b2c3861ad176a1deb5017a2741ea4586a82ea88f7c65c78ed11e7aa5cf293e1
Instruction Fuzzy Hash: C631AE71509384AFE722CF15CC84F92BBFCEF06610F08849AE9858B296D364E849CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0191A462 Relevance: 1.6, APIs: 1, Instructions: 77
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegSetValueExW.KERNELBASE(?,00000E24,2F3A9DA7,00000000,00000000,00000000,00000000), ref: 0191A4F8

Memory Dump Source

Source File: 0000000A.00000002.2104394279.000000000191A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0191A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_191a000_Svchost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: d0443be71b49cd127903c5b3319bcaade143027a44d4389712117bd4b49ee3f3
Instruction ID: e3b3a599d174f2f09f08976fd06b30ce6ce6f2c850c41edb1523c38642deda88
Opcode Fuzzy Hash: d0443be71b49cd127903c5b3319bcaade143027a44d4389712117bd4b49ee3f3
Instruction Fuzzy Hash: 5121A1725093846FE7228B15DC44F67BFBCDF05610F08849AE985DB696C364E848C771

Uniqueness

Uniqueness Score: -1.00%

Function 0191A646 Relevance: 1.6, APIs: 1, Instructions: 72
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0191A6B9

Memory Dump Source

Source File: 0000000A.00000002.2104394279.000000000191A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0191A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_191a000_Svchost.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 21029c6d821ea12f4e0434eaaf1ab58c895ad105878cbae15f9c2341eed1e634
Instruction ID: bcb63691ba52fb3d37d1bb9075984c65ce36f3b6387de9f4d8468e5c10d6d935
Opcode Fuzzy Hash: 21029c6d821ea12f4e0434eaaf1ab58c895ad105878cbae15f9c2341eed1e634
Instruction Fuzzy Hash: FF21B0756012449FEB21CB29CD85BA6FBE8EF04210F048869E989CB749D775E948CA71

Uniqueness

Uniqueness Score: -1.00%

Function 0191A392 Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,2F3A9DA7,00000000,00000000,00000000,00000000), ref: 0191A40C

Memory Dump Source

Source File: 0000000A.00000002.2104394279.000000000191A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0191A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_191a000_Svchost.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: f3d9d22bea9431395b05bec359a2802e7fa7d73740a7fb07c4ae6a3daf4a1bc5
Instruction ID: 6797d6fd5b9d63a9da1c3d7baf7d929da52a4863840cd2bfb1e66dd2d07def45
Opcode Fuzzy Hash: f3d9d22bea9431395b05bec359a2802e7fa7d73740a7fb07c4ae6a3daf4a1bc5
Instruction Fuzzy Hash: 1221C071601244AFE721CF19CC84FA6F7ECEF04610F04846AE949DB795D374E849CA71

Uniqueness

Uniqueness Score: -1.00%

Function 0191A710 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0191A780

Memory Dump Source

Source File: 0000000A.00000002.2104394279.000000000191A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0191A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_191a000_Svchost.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 0f42e1b29edd045baf148080e2aabe6ae7856807899b5652348f5caa6294d234
Instruction ID: 3efc0506bc72987ab44bfa13830c9292fe0ecfeac65f62c3a864d59f2704fd66
Opcode Fuzzy Hash: 0f42e1b29edd045baf148080e2aabe6ae7856807899b5652348f5caa6294d234
Instruction Fuzzy Hash: 6621A1B19093809FD7128B15DC85752BFB8EF03324F0984DBD9858B6A3D235A949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0191A486 Relevance: 1.6, APIs: 1, Instructions: 65
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegSetValueExW.KERNELBASE(?,00000E24,2F3A9DA7,00000000,00000000,00000000,00000000), ref: 0191A4F8

Memory Dump Source

Source File: 0000000A.00000002.2104394279.000000000191A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0191A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_191a000_Svchost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 9a1249a31c4cb82821f3bd8cc58fb19e6962dce8297b2554e532a8f9dad6df89
Instruction ID: 21659fac41e4d7998ee1f9a4861a16869b43d897294a978735fa08cc6b65968c
Opcode Fuzzy Hash: 9a1249a31c4cb82821f3bd8cc58fb19e6962dce8297b2554e532a8f9dad6df89
Instruction Fuzzy Hash: 7211B176500244AFE721CE15DC44FA6BBECEF14610F04845AED49DB799D374E848CA71

Uniqueness

Uniqueness Score: -1.00%

Function 0191A74E Relevance: 1.5, APIs: 1, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0191A780

Memory Dump Source

Source File: 0000000A.00000002.2104394279.000000000191A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0191A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_191a000_Svchost.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: de56bc68ca678ca94b845c7b6aae8d8207189214007d800e2577f3ffbcdb86d3
Instruction ID: 37f726e9c4c809ba7e014c865aecb85da731579092fe5fcc2b1a087b6c32aabb
Opcode Fuzzy Hash: de56bc68ca678ca94b845c7b6aae8d8207189214007d800e2577f3ffbcdb86d3
Instruction Fuzzy Hash: 9E01D4719012448FEB11CF19D984765FBE4DF04220F08C4ABDC4ADF75AD279E948CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 033D0310 Relevance: .2, Instructions: 189
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.2104598457.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_33d0000_Svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f2dfe6d22491685f549e1f6178dd6169a3d837de658dc142f5d465ba866d9dd
Instruction ID: 5e50f03f0078cd7f2485b6102deb32accefc632ec62feef8650bca0c8c74164d
Opcode Fuzzy Hash: 7f2dfe6d22491685f549e1f6178dd6169a3d837de658dc142f5d465ba866d9dd
Instruction Fuzzy Hash: 9151F231B042118FC728EB79A450A6E77E7EFC9244B144569E40ADB3E4DF3ECD4687A2

Uniqueness

Uniqueness Score: -1.00%

Function 033D0006 Relevance: .2, Instructions: 176
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.2104598457.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_33d0000_Svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ae976383fa3d43eb1ac2d3248dbbab6d1486d01698919d6520088373af847f7
Instruction ID: 66f00a959767285c245a5c445e6e8fce9aa65ca41bd8760fb4c596d06028219b
Opcode Fuzzy Hash: 6ae976383fa3d43eb1ac2d3248dbbab6d1486d01698919d6520088373af847f7
Instruction Fuzzy Hash: 10715F351092818FC725DF38E954A8D7BB2EFE624830585AAD0448B3A7DB3D5D4BCBA1

Uniqueness

Uniqueness Score: -1.00%

Function 033D03BD Relevance: .1, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.2104598457.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_33d0000_Svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45a0fa93b9d4bb5f846925a4ddd7a9b3576a26cedfc8e8d0cf0df09f990f92c3
Instruction ID: 9eac80553ecb16e079ba2458e8c4854e837aca2b142e353dd18bf57bbe0c7755
Opcode Fuzzy Hash: 45a0fa93b9d4bb5f846925a4ddd7a9b3576a26cedfc8e8d0cf0df09f990f92c3
Instruction Fuzzy Hash: 64412331B001158BCB28EB7990146BD72E7AFD5648B144039E40ADF3E8DF3ECD4687A2

Uniqueness

Uniqueness Score: -1.00%

Function 03401001 Relevance: .0, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.2104623730.0000000003401000.00000040.00000020.00020000.00000000.sdmp, Offset: 03401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3401000_Svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c566c6ada1f77487d1ecf1ef890fca9e01820abb8808e5d08138d18d9b7529b4
Instruction ID: 598d6de13c0cb43c235006520cb67741d75927d9bfa33360117195275524b084
Opcode Fuzzy Hash: c566c6ada1f77487d1ecf1ef890fca9e01820abb8808e5d08138d18d9b7529b4
Instruction Fuzzy Hash: E601F2756093C00FC7428B25AC51091BFE0DF43370B5884EFC8888F653C22A990ACB56

Uniqueness

Uniqueness Score: -1.00%

Function 03401048 Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.2104623730.0000000003401000.00000040.00000020.00020000.00000000.sdmp, Offset: 03401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3401000_Svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d28027ef1f6e87c5ef8e42f979b0657c4b9f878fcb216aeecc923a2ee7b80eb7
Instruction ID: 3e73d792420a02e69a337267b8346d5144182b58f7494be4ee74abf39d9bf1c5
Opcode Fuzzy Hash: d28027ef1f6e87c5ef8e42f979b0657c4b9f878fcb216aeecc923a2ee7b80eb7
Instruction Fuzzy Hash: 5601A7B65493C05FD7128F169C50862BFB8DE86630709C4EFED898F652D235A809CB76

Uniqueness

Uniqueness Score: -1.00%

Function 03401028 Relevance: .0, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.2104623730.0000000003401000.00000040.00000020.00020000.00000000.sdmp, Offset: 03401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3401000_Svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 072932ff82305231d3884407e73eaed8b609b0ed2df573ee3b0ae018fb40965b
Instruction ID: 898e73ccd6e27ee33374e6628e361e125c81bf81adccd94fdf505c388f39ca8c
Opcode Fuzzy Hash: 072932ff82305231d3884407e73eaed8b609b0ed2df573ee3b0ae018fb40965b
Instruction Fuzzy Hash: 090126B55083806FC7118B16AC40863FFE8EB86270709C4AFEC498B652D235B809CB76

Uniqueness

Uniqueness Score: -1.00%

Function 034010AE Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.2104623730.0000000003401000.00000040.00000020.00020000.00000000.sdmp, Offset: 03401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3401000_Svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48c460af02d20d7f776e5855651e10ce107dfcde54e9de33d7a00a2e4048065e
Instruction ID: 1cf37bf3e776ec30802c82d40e991b09ecabf91ccc566f843f340741f969cf67
Opcode Fuzzy Hash: 48c460af02d20d7f776e5855651e10ce107dfcde54e9de33d7a00a2e4048065e
Instruction Fuzzy Hash: 81018F7A5093804FD3118F16EC41892BBE4EB46330B0884BFD849CB653D239A809CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0340106E Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2104623730.0000000003401000.00000040.00000020.00020000.00000000.sdmp, Offset: 03401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3401000_Svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0ee727de0f1c47459b816005e0b86e258abde7a6e7d144c79cff7c2930891e7
Instruction ID: 5f867ad69e838a81708798ca0fb367cfa1bf05a6cb068b2b7fa9eb78f35ec964
Opcode Fuzzy Hash: d0ee727de0f1c47459b816005e0b86e258abde7a6e7d144c79cff7c2930891e7
Instruction Fuzzy Hash: FFE092B6A006004F9650CF0BEC81462F7D8EB84630B08C47FDC0D8BB01D236B508CAA6

Uniqueness

Uniqueness Score: -1.00%

Function 019123F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2104382102.0000000001912000.00000040.00000800.00020000.00000000.sdmp, Offset: 01912000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1912000_Svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5046e0c2d52255d56f01eb7cd34b49d67a3b83aa449f9e9527c68ff5d94f0e2c
Instruction ID: 02c8facb41a01ea8791f299c897c2be3eab5c16d8bb146f0e432244365989702
Opcode Fuzzy Hash: 5046e0c2d52255d56f01eb7cd34b49d67a3b83aa449f9e9527c68ff5d94f0e2c
Instruction Fuzzy Hash: D1D02B792446D04FE3129B0CC154B853BE86B41B04F0604F99800CB7A7C728E4C0D500

Uniqueness

Uniqueness Score: -1.00%

Function 019123BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2104382102.0000000001912000.00000040.00000800.00020000.00000000.sdmp, Offset: 01912000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1912000_Svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03eb1c1ebba9c08112f98437f71eefde1116ec6752c1ed45c4725d512579da9f
Instruction ID: 7f49c3702825c46f9bf3cbe2fe6bc0efabe79f05778fbe5c425a65fe43c17cd0
Opcode Fuzzy Hash: 03eb1c1ebba9c08112f98437f71eefde1116ec6752c1ed45c4725d512579da9f
Instruction Fuzzy Hash: 91D05E342002854FD725EB0CC6D4F993BD8AB45B15F1648E8AC108B766C7A4D8C1EA00

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report b8UsrDOVGV.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Njrat

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Svchost.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\b8UsrDOVGV.exe.log

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\68d7771434a71722449c404baa3e5b31.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\68d7771434a71722449c404baa3e5b31.exe:Zone.Identifier

C:\Users\user\AppData\Roaming\Svchost.exe

C:\Users\user\AppData\Roaming\Svchost.exe:Zone.Identifier

\Device\ConDrv

Static File Info

General

File Icon

Windows Analysis Report
b8UsrDOVGV.exe

Function 00CBA612 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Function 00CBA361 Relevance: 1.6, APIs: 1, Instructions: 85
registryCOMMON

Function 00CBA462 Relevance: 1.6, APIs: 1, Instructions: 77
registryCOMMON

Function 00CBAA07 Relevance: 1.6, APIs: 1, Instructions: 72
fileCOMMON

Function 00CBA646 Relevance: 1.6, APIs: 1, Instructions: 72
synchronizationCOMMON

Function 00CBA392 Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Function 00CBA486 Relevance: 1.6, APIs: 1, Instructions: 65
registryCOMMON

Function 00CBA2D2 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Function 00CBAC24 Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Function 00CBA8A4 Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Function 00CBAA3E Relevance: 1.6, APIs: 1, Instructions: 53
fileCOMMON