Edit tour

Windows Analysis Report
1.exe

Overview

General Information

Sample name:	1.exe
Analysis ID:	1377928
MD5:	0de31e650bcea7c72dd79073999a7dc1
SHA1:	ec128afe544daf0ed9f4325c48772f5f360bcc48
SHA256:	1c0d47e5753714456bce1435810059bee8d3cdf7f579f7d1de39d65ec7452cf0
Tags:	exe
Infos:

Detection

Njrat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Sigma detected: Drops fake system file at system root drive

System process connects to network (likely due to code injection or exploit)

Yara detected Njrat

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes (.Net Source)

Creates autorun.inf (USB autostart)

Creates autostart registry keys with suspicious names

Drops PE files to the startup folder

Drops PE files with benign system names

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies the windows firewall

Protects its processes via BreakOnTermination flag

Uses netsh to modify the Windows network and firewall settings

Abnormal high CPU Usage

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May infect USB drives

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

1.exe (PID: 7480 cmdline: C:\Users\user\Desktop\1.exe MD5: 0DE31E650BCEA7C72DD79073999A7DC1)

svchost.exe (PID: 7580 cmdline: "C:\ProgramData\svchost.exe" MD5: 0DE31E650BCEA7C72DD79073999A7DC1)

netsh.exe (PID: 7660 cmdline: netsh firewall add allowedprogram "C:\ProgramData\svchost.exe" "svchost.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

conhost.exe (PID: 7668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchost.exe (PID: 7972 cmdline: "C:\ProgramData\svchost.exe" .. MD5: 0DE31E650BCEA7C72DD79073999A7DC1)

svchost.exe (PID: 8180 cmdline: "C:\ProgramData\svchost.exe" .. MD5: 0DE31E650BCEA7C72DD79073999A7DC1)

svchost.exe (PID: 3548 cmdline: "C:\ProgramData\svchost.exe" .. MD5: 0DE31E650BCEA7C72DD79073999A7DC1)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
NjRAT	RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.	AQUATIC PANDA Earth Lusca Operation C-Major The Gorgon Group	http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/ http://blogs.360.cn/post/analysis-of-apt-c-37.html http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/ https://asec.ahnlab.com/1369	https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Malware Configuration

Threatname: Njrat

{"Host": "6.tcp.eu.ngrok.io", "Port": "17387", "Version": "im523", "Campaign ID": "HacKed", "Install Name": "svchost.exe", "Install Dir": "AllUsersProfile"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
1.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
1.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x64c1:$a1: get_Registry 0x7efa:$a3: Download ERROR 0x81ec:$a5: netsh firewall delete allowedprogram "
1.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x80e2:$a1: netsh firewall add allowedprogram 0x82dc:$b1: [TAP] 0x8282:$b2: & exit 0x824e:$c1: md.exe /k ping 0 & del
1.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x81ec:$s1: netsh firewall delete allowedprogram 0x80e2:$s2: netsh firewall add allowedprogram 0x824c:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67 0x7ed6:$s4: Execute ERROR 0x7f36:$s4: Execute ERROR 0x7efa:$s5: Download ERROR 0x8292:$s6: [kl]

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\134cc1d0196af692d1e58df35504bc9f.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\134cc1d0196af692d1e58df35504bc9f.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x64c1:$a1: get_Registry 0x7efa:$a3: Download ERROR 0x81ec:$a5: netsh firewall delete allowedprogram "
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\134cc1d0196af692d1e58df35504bc9f.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x80e2:$a1: netsh firewall add allowedprogram 0x82dc:$b1: [TAP] 0x8282:$b2: & exit 0x824e:$c1: md.exe /k ping 0 & del
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\134cc1d0196af692d1e58df35504bc9f.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x81ec:$s1: netsh firewall delete allowedprogram 0x80e2:$s2: netsh firewall add allowedprogram 0x824c:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67 0x7ed6:$s4: Execute ERROR 0x7f36:$s4: Execute ERROR 0x7efa:$s5: Download ERROR 0x8292:$s6: [kl]
C:\svchost.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\svchost.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x64c1:$a1: get_Registry 0x7efa:$a3: Download ERROR 0x81ec:$a5: netsh firewall delete allowedprogram "
C:\svchost.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x80e2:$a1: netsh firewall add allowedprogram 0x82dc:$b1: [TAP] 0x8282:$b2: & exit 0x824e:$c1: md.exe /k ping 0 & del
C:\svchost.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x81ec:$s1: netsh firewall delete allowedprogram 0x80e2:$s2: netsh firewall add allowedprogram 0x824c:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67 0x7ed6:$s4: Execute ERROR 0x7f36:$s4: Execute ERROR 0x7efa:$s5: Download ERROR 0x8292:$s6: [kl]
C:\ProgramData\svchost.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\ProgramData\svchost.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x64c1:$a1: get_Registry 0x7efa:$a3: Download ERROR 0x81ec:$a5: netsh firewall delete allowedprogram "
C:\ProgramData\svchost.exe	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x80e2:$a1: netsh firewall add allowedprogram 0x82dc:$b1: [TAP] 0x8282:$b2: & exit 0x824e:$c1: md.exe /k ping 0 & del
C:\ProgramData\svchost.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x81ec:$s1: netsh firewall delete allowedprogram 0x80e2:$s2: netsh firewall add allowedprogram 0x824c:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67 0x7ed6:$s4: Execute ERROR 0x7f36:$s4: Execute ERROR 0x7efa:$s5: Download ERROR 0x8292:$s6: [kl]
Click to see the 7 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1633586364.0000000000682000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000000.1633586364.0000000000682000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x62c1:$a1: get_Registry 0x7cfa:$a3: Download ERROR 0x7fec:$a5: netsh firewall delete allowedprogram "
00000000.00000000.1633586364.0000000000682000.00000002.00000001.01000000.00000003.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x7ee2:$a1: netsh firewall add allowedprogram 0x80dc:$b1: [TAP] 0x8082:$b2: & exit 0x804e:$c1: md.exe /k ping 0 & del
Process Memory Space: 1.exe PID: 7480	JoeSecurity_Njrat	Yara detected Njrat	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.1.exe.680000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.0.1.exe.680000.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x64c1:$a1: get_Registry 0x7efa:$a3: Download ERROR 0x81ec:$a5: netsh firewall delete allowedprogram "
0.0.1.exe.680000.0.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x80e2:$a1: netsh firewall add allowedprogram 0x82dc:$b1: [TAP] 0x8282:$b2: & exit 0x824e:$c1: md.exe /k ping 0 & del
0.0.1.exe.680000.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x81ec:$s1: netsh firewall delete allowedprogram 0x80e2:$s2: netsh firewall add allowedprogram 0x824c:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67 0x7ed6:$s4: Execute ERROR 0x7f36:$s4: Execute ERROR 0x7efa:$s5: Download ERROR 0x8292:$s6: [kl]

Sigma Signatures

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Drops fake system file at system root drive

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\ProgramData\svchost.exe, ProcessId: 7580, TargetFilename: C:\svchost.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 1.exe

Avira: detected

Antivirus detection for URL or domain

Source: 6.tcp.eu.ngrok.io

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\134cc1d0196af692d1e58df35504bc9f.exe	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\ProgramData\svchost.exe	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\svchost.exe	Avira: detection malicious, Label: TR/ATRAPS.Gen

Found malware configuration

Source: 00000000.00000000.1633586364.0000000000682000.00000002.00000001.01000000.00000003.sdmp

Malware Configuration Extractor: Njrat {"Host": "6.tcp.eu.ngrok.io", "Port": "17387", "Version": "im523", "Campaign ID": "HacKed", "Install Name": "svchost.exe", "Install Dir": "AllUsersProfile"}

Multi AV Scanner detection for domain / URL

Source: 6.tcp.eu.ngrok.io	Virustotal: Detection: 9%			Perma Link
Source: 6.tcp.eu.ngrok.io	Virustotal: Detection: 9%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\svchost.exe	Virustotal: Detection: 79%	Perma Link
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\134cc1d0196af692d1e58df35504bc9f.exe	Virustotal: Detection: 79%	Perma Link
Source: C:\svchost.exe	Virustotal: Detection: 79%	Perma Link

Yara detected Njrat

Source: Yara match	File source: 1.exe, type: SAMPLE
Source: Yara match	File source: 0.0.1.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1633586364.0000000000682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1.exe PID: 7480, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\134cc1d0196af692d1e58df35504bc9f.exe, type: DROPPED
Source: Yara match	File source: C:\svchost.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\svchost.exe, type: DROPPED

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\134cc1d0196af692d1e58df35504bc9f.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\svchost.exe	Joe Sandbox ML: detected
Source: C:\svchost.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 1.exe

Joe Sandbox ML: detected

Source: 1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\1.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: 1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Spreading

Creates autorun.inf (USB autostart)

Source: C:\ProgramData\svchost.exe

File created: C:\autorun.inf

Jump to behavior

Source: 1.exe, 00000000.00000000.1633586364.0000000000682000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: autorun.inf
Source: 1.exe, 00000000.00000000.1633586364.0000000000682000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: [autorun]
Source: 1.exe, 00000000.00000002.1701956198.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: 1.exe, 00000000.00000002.1701956198.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: svchost.exe, 00000001.00000002.4101061596.0000000003B43000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: svchost.exe, 00000001.00000002.4101061596.0000000003B43000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: 1.exe	Binary or memory string: autorun.inf
Source: 1.exe	Binary or memory string: [autorun]
Source: autorun.inf.1.dr	Binary or memory string: [autorun]
Source: 134cc1d0196af692d1e58df35504bc9f.exe.1.dr	Binary or memory string: autorun.inf
Source: 134cc1d0196af692d1e58df35504bc9f.exe.1.dr	Binary or memory string: [autorun]
Source: svchost.exe.0.dr	Binary or memory string: autorun.inf
Source: svchost.exe.0.dr	Binary or memory string: [autorun]
Source: svchost.exe.1.dr	Binary or memory string: autorun.inf
Source: svchost.exe.1.dr	Binary or memory string: [autorun]

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\ProgramData\svchost.exe	Network Connect: 3.66.38.117 17387			Jump to behavior
Source: C:\ProgramData\svchost.exe	Network Connect: 52.28.247.255 17387			Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 6.tcp.eu.ngrok.io

Source: global traffic	TCP traffic: 192.168.2.4:49729 -> 3.66.38.117:17387
Source: global traffic	TCP traffic: 192.168.2.4:49748 -> 52.28.247.255:17387
Source: global traffic	TCP traffic: 192.168.2.4:49761 -> 3.69.157.220:17387

Source: Joe Sandbox View	IP Address: 3.66.38.117 3.66.38.117
Source: Joe Sandbox View	IP Address: 52.28.247.255 52.28.247.255

Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: 6.tcp.eu.ngrok.io

Source: 1.exe, 134cc1d0196af692d1e58df35504bc9f.exe.1.dr, svchost.exe.0.dr, svchost.exe.1.dr

String found in binary or memory: https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 1.exe, kl.cs	.Net Code: VKCodeToUnicode
Source: svchost.exe.0.dr, kl.cs	.Net Code: VKCodeToUnicode
Source: 134cc1d0196af692d1e58df35504bc9f.exe.1.dr, kl.cs	.Net Code: VKCodeToUnicode
Source: svchost.exe.1.dr, kl.cs	.Net Code: VKCodeToUnicode

E-Banking Fraud

Yara detected Njrat

Source: Yara match	File source: 1.exe, type: SAMPLE
Source: Yara match	File source: 0.0.1.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1633586364.0000000000682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1.exe PID: 7480, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\134cc1d0196af692d1e58df35504bc9f.exe, type: DROPPED
Source: Yara match	File source: C:\svchost.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\svchost.exe, type: DROPPED

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\ProgramData\svchost.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 1.exe, type: SAMPLE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 1.exe, type: SAMPLE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.0.1.exe.680000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.0.1.exe.680000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.0.1.exe.680000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000000.00000000.1633586364.0000000000682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000000.1633586364.0000000000682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\134cc1d0196af692d1e58df35504bc9f.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\134cc1d0196af692d1e58df35504bc9f.exe, type: DROPPED	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\134cc1d0196af692d1e58df35504bc9f.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\svchost.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\svchost.exe, type: DROPPED	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\svchost.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\ProgramData\svchost.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\ProgramData\svchost.exe, type: DROPPED	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\ProgramData\svchost.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen

Source: C:\ProgramData\svchost.exe

Process Stats: CPU usage > 49%

Source: C:\ProgramData\svchost.exe	Code function: 1_2_0342BEF2 NtSetInformationProcess,	1_2_0342BEF2
Source: C:\ProgramData\svchost.exe	Code function: 1_2_0342BED0 NtSetInformationProcess,	1_2_0342BED0
Source: C:\ProgramData\svchost.exe	Code function: 1_2_061C01C2 NtQuerySystemInformation,	1_2_061C01C2
Source: C:\ProgramData\svchost.exe	Code function: 1_2_061C0187 NtQuerySystemInformation,	1_2_061C0187

Source: 1.exe, 00000000.00000002.1701244477.0000000000BAE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenamemscorwks.dllT vs 1.exe

Source: 1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 1.exe, type: SAMPLE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 1.exe, type: SAMPLE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.0.1.exe.680000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.0.1.exe.680000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.0.1.exe.680000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000000.00000000.1633586364.0000000000682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000000.1633586364.0000000000682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\134cc1d0196af692d1e58df35504bc9f.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\134cc1d0196af692d1e58df35504bc9f.exe, type: DROPPED	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\134cc1d0196af692d1e58df35504bc9f.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\svchost.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\svchost.exe, type: DROPPED	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\svchost.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\ProgramData\svchost.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\ProgramData\svchost.exe, type: DROPPED	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\ProgramData\svchost.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi

Source: classification engine

Classification label: mal100.spre.troj.adwa.spyw.evad.winEXE@9/10@4/3

Source: C:\ProgramData\svchost.exe	Code function: 1_2_0342BBA2 AdjustTokenPrivileges,		1_2_0342BBA2
Source: C:\ProgramData\svchost.exe	Code function: 1_2_0342BB6B AdjustTokenPrivileges,		1_2_0342BB6B

Source: C:\Users\user\Desktop\1.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\1.exe.log

Jump to behavior

Source: C:\ProgramData\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7668:120:WilError_03
Source: C:\ProgramData\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\134cc1d0196af692d1e58df35504bc9f

Source: 1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 1.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\1.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\276d7f4a20a3c21c3bf6fc9bfc1915a2\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\ProgramData\svchost.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\276d7f4a20a3c21c3bf6fc9bfc1915a2\mscorlib.ni.dll	Jump to behavior
Source: C:\ProgramData\svchost.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\ProgramData\svchost.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\ProgramData\svchost.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\276d7f4a20a3c21c3bf6fc9bfc1915a2\mscorlib.ni.dll	Jump to behavior
Source: C:\ProgramData\svchost.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\ProgramData\svchost.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\ProgramData\svchost.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\276d7f4a20a3c21c3bf6fc9bfc1915a2\mscorlib.ni.dll	Jump to behavior
Source: C:\ProgramData\svchost.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\ProgramData\svchost.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\ProgramData\svchost.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\276d7f4a20a3c21c3bf6fc9bfc1915a2\mscorlib.ni.dll	Jump to behavior
Source: C:\ProgramData\svchost.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\ProgramData\svchost.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Users\user\Desktop\1.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\1.exe

File read: C:\Users\user\Desktop\1.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\1.exe C:\Users\user\Desktop\1.exe
Source: C:\Users\user\Desktop\1.exe	Process created: C:\ProgramData\svchost.exe "C:\ProgramData\svchost.exe"
Source: C:\ProgramData\svchost.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\ProgramData\svchost.exe" "svchost.exe" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\svchost.exe "C:\ProgramData\svchost.exe" ..
Source: unknown	Process created: C:\ProgramData\svchost.exe "C:\ProgramData\svchost.exe" ..
Source: unknown	Process created: C:\ProgramData\svchost.exe "C:\ProgramData\svchost.exe" ..
Source: C:\Users\user\Desktop\1.exe	Process created: C:\ProgramData\svchost.exe "C:\ProgramData\svchost.exe"	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\ProgramData\svchost.exe" "svchost.exe" ENABLE	Jump to behavior

Source: C:\ProgramData\svchost.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: 1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\1.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: 1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 1.exe, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: svchost.exe.0.dr, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: 134cc1d0196af692d1e58df35504bc9f.exe.1.dr, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: svchost.exe.1.dr, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])

Persistence and Installation Behavior

Drops PE files with benign system names

Source: C:\ProgramData\svchost.exe	File created: C:\svchost.exe			Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\svchost.exe			Jump to dropped file

Source: C:\ProgramData\svchost.exe	File created: C:\svchost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\svchost.exe	Jump to dropped file
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\134cc1d0196af692d1e58df35504bc9f.exe	Jump to dropped file

Source: C:\Users\user\Desktop\1.exe

File created: C:\ProgramData\svchost.exe

Jump to dropped file

Boot Survival

Creates autostart registry keys with suspicious names

Source: C:\ProgramData\svchost.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 134cc1d0196af692d1e58df35504bc9f

Jump to behavior

Drops PE files to the startup folder

Source: C:\ProgramData\svchost.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\134cc1d0196af692d1e58df35504bc9f.exe

Jump to dropped file

Source: C:\ProgramData\svchost.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\134cc1d0196af692d1e58df35504bc9f.exe

Jump to behavior

Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\134cc1d0196af692d1e58df35504bc9f.exe			Jump to behavior
Source: C:\ProgramData\svchost.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\134cc1d0196af692d1e58df35504bc9f.exe\:Zone.Identifier:$DATA			Jump to behavior

Source: C:\ProgramData\svchost.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 134cc1d0196af692d1e58df35504bc9f	Jump to behavior
Source: C:\ProgramData\svchost.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 134cc1d0196af692d1e58df35504bc9f	Jump to behavior
Source: C:\ProgramData\svchost.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run 134cc1d0196af692d1e58df35504bc9f	Jump to behavior
Source: C:\ProgramData\svchost.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run 134cc1d0196af692d1e58df35504bc9f	Jump to behavior

Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\1.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\ProgramData\svchost.exe	Window / User API: threadDelayed 3218	Jump to behavior
Source: C:\ProgramData\svchost.exe	Window / User API: threadDelayed 756	Jump to behavior
Source: C:\ProgramData\svchost.exe	Window / User API: threadDelayed 4465	Jump to behavior
Source: C:\ProgramData\svchost.exe	Window / User API: foregroundWindowGot 402	Jump to behavior
Source: C:\ProgramData\svchost.exe	Window / User API: foregroundWindowGot 1287	Jump to behavior

Source: C:\Users\user\Desktop\1.exe TID: 7504	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\svchost.exe TID: 7584	Thread sleep time: -756000s >= -30000s	Jump to behavior
Source: C:\ProgramData\svchost.exe TID: 7584	Thread sleep time: -4465000s >= -30000s	Jump to behavior
Source: C:\ProgramData\svchost.exe TID: 8012	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\svchost.exe TID: 7200	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\svchost.exe TID: 5756	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\1.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: svchost.exe, 00000001.00000002.4100204578.000000000167B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllZ,s
Source: svchost.exe, 00000001.00000002.4100125063.0000000001670000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: netsh.exe, 00000003.00000003.1766803518.0000000000C01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\ProgramData\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\ProgramData\svchost.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\1.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\ProgramData\svchost.exe	Network Connect: 3.66.38.117 17387			Jump to behavior
Source: C:\ProgramData\svchost.exe	Network Connect: 52.28.247.255 17387			Jump to behavior

.NET source code references suspicious native API functions

Source: 1.exe, kl.cs	Reference to suspicious API methods: MapVirtualKey(a, 0u)
Source: 1.exe, kl.cs	Reference to suspicious API methods: GetAsyncKeyState(num2)
Source: 1.exe, OK.cs	Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)

Source: C:\Users\user\Desktop\1.exe

Process created: C:\ProgramData\svchost.exe "C:\ProgramData\svchost.exe"

Jump to behavior

Source: svchost.exe, 00000001.00000002.4101061596.0000000003EC0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: program managerL.l(
Source: svchost.exe, 00000001.00000002.4101061596.0000000003EC0000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.4101061596.0000000003F38000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.4101061596.0000000003D78000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: svchost.exe, 00000001.00000002.4101061596.0000000003D56000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: program managerL.lL
Source: svchost.exe, 00000001.00000002.4101061596.0000000003B43000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: program managerL.ll
Source: svchost.exe, 00000001.00000002.4100204578.000000000167B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Rh Program Managerl
Source: svchost.exe, 00000001.00000002.4101061596.0000000003EC0000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.4101061596.0000000003F38000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.4101061596.0000000004065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@9l
Source: svchost.exe, 00000001.00000002.4101061596.0000000003D78000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.4101061596.0000000003DA9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: program managerL.lt
Source: svchost.exe, 00000001.00000002.4101061596.0000000003D5B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: program managerL.l4
Source: svchost.exe, 00000001.00000002.4101061596.0000000003D70000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.4101061596.0000000003D62000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: program managerL.lT
Source: svchost.exe, 00000001.00000002.4101061596.0000000003C7C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: program managerL.l<
Source: svchost.exe, 00000001.00000002.4101061596.0000000003F38000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.4101061596.0000000003D4F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.4101061596.0000000003C7C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: program manager
Source: svchost.exe, 00000001.00000002.4101061596.0000000003C7C000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.4101061596.0000000003B43000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.4101061596.0000000003E71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: program managerL.l
Source: svchost.exe, 00000001.00000002.4101061596.0000000003B43000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: program managerL.ld

Source: C:\Windows\SysWOW64\netsh.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\ProgramData\svchost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Modifies the windows firewall

Source: C:\ProgramData\svchost.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\ProgramData\svchost.exe" "svchost.exe" ENABLE

Uses netsh to modify the Windows network and firewall settings

Source: C:\ProgramData\svchost.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\ProgramData\svchost.exe" "svchost.exe" ENABLE

Stealing of Sensitive Information

Yara detected Njrat

Source: Yara match	File source: 1.exe, type: SAMPLE
Source: Yara match	File source: 0.0.1.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1633586364.0000000000682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1.exe PID: 7480, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\134cc1d0196af692d1e58df35504bc9f.exe, type: DROPPED
Source: Yara match	File source: C:\svchost.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\svchost.exe, type: DROPPED

Remote Access Functionality

Yara detected Njrat

Source: Yara match	File source: 1.exe, type: SAMPLE
Source: Yara match	File source: 0.0.1.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1633586364.0000000000682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1.exe PID: 7480, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\134cc1d0196af692d1e58df35504bc9f.exe, type: DROPPED
Source: Yara match	File source: C:\svchost.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\svchost.exe, type: DROPPED

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
11 Replication Through Removable Media	1 Native API	221 Registry Run Keys / Startup Folder	1 Access Token Manipulation	11 Masquerading	1 Input Capture	11 Security Software Discovery	11 Replication Through Removable Media	1 Input Capture	Exfiltration Over Other Network Medium	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	112 Process Injection	21 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Application Layer Protocol	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	221 Registry Run Keys / Startup Folder	21 Virtualization/Sandbox Evasion	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	11 Application Layer Protocol			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	1 Access Token Manipulation	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	Protocol Impersonation			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	112 Process Injection	LSA Secrets	1 Peripheral Device Discovery	SSH	Keylogging	Scheduled Transfer	Fallback Channels			Data Encrypted for Impact	Server	Gather Victim Network Information
Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Data Transfer Size Limits	Multiband Communication			Service Stop	Botnet	Domain Properties
External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	12 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over C2 Channel	Commonly Used Port			Inhibit System Recovery	Web Services	DNS

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
1.exe	100%	Avira	TR/ATRAPS.Gen
1.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\134cc1d0196af692d1e58df35504bc9f.exe	100%	Avira	TR/ATRAPS.Gen
C:\ProgramData\svchost.exe	100%	Avira	TR/ATRAPS.Gen
C:\svchost.exe	100%	Avira	TR/ATRAPS.Gen
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\134cc1d0196af692d1e58df35504bc9f.exe	100%	Joe Sandbox ML
C:\ProgramData\svchost.exe	100%	Joe Sandbox ML
C:\svchost.exe	100%	Joe Sandbox ML
C:\ProgramData\svchost.exe	79%	Virustotal		Browse
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\134cc1d0196af692d1e58df35504bc9f.exe	79%	Virustotal		Browse
C:\svchost.exe	79%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
6.tcp.eu.ngrok.io	10%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
6.tcp.eu.ngrok.io	10%	Virustotal		Browse
6.tcp.eu.ngrok.io	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
6.tcp.eu.ngrok.io	3.66.38.117	true	true	10%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
6.tcp.eu.ngrok.io	true	10%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0	1.exe, 134cc1d0196af692d1e58df35504bc9f.exe.1.dr, svchost.exe.0.dr, svchost.exe.1.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
3.66.38.117	6.tcp.eu.ngrok.io	United States	16509	AMAZON-02US	true
52.28.247.255	unknown	United States	16509	AMAZON-02US	true
3.69.157.220	unknown	United States	16509	AMAZON-02US	false

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1377928
Start date and time:	2024-01-20 09:40:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	1.exe
Detection:	MAL
Classification:	mal100.spre.troj.adwa.spyw.evad.winEXE@9/10@4/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 179 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:41:10	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 134cc1d0196af692d1e58df35504bc9f "C:\ProgramData\svchost.exe" ..
08:41:18	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run 134cc1d0196af692d1e58df35504bc9f "C:\ProgramData\svchost.exe" ..
08:41:27	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 134cc1d0196af692d1e58df35504bc9f "C:\ProgramData\svchost.exe" ..
08:41:35	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\134cc1d0196af692d1e58df35504bc9f.exe
09:41:40	API Interceptor	67157x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
3.66.38.117	226dVJ2zRZ.exe	Get hash	malicious	Njrat	Browse
	IsJb5hB84q.exe	Get hash	malicious	Njrat	Browse
	Terraria.exe	Get hash	malicious	Njrat	Browse
	rkIcS0Y2WY.exe	Get hash	malicious	Njrat	Browse
	m5l9v13hIi.exe	Get hash	malicious	Njrat	Browse
	QsKtlzYaKF.exe	Get hash	malicious	Njrat	Browse
	dKe1GfZOs1.exe	Get hash	malicious	Njrat	Browse
	bRxR.exe	Get hash	malicious	AsyncRAT, DcRat	Browse
	X5eo58PPCB.exe	Get hash	malicious	Njrat	Browse
	ZuXcnAYgVp.exe	Get hash	malicious	Njrat	Browse
	8AKGdJOQ8N.exe	Get hash	malicious	Njrat	Browse
	uPMGLG7QnV.exe	Get hash	malicious	Njrat	Browse
	X3vWrCoPG6.exe	Get hash	malicious	Njrat	Browse
	7U23YeVgmF.exe	Get hash	malicious	Njrat	Browse
	KD9rMPUEBM.exe	Get hash	malicious	Njrat	Browse
	8fZNpRy9pN.exe	Get hash	malicious	Njrat	Browse
	2CVeP16GYU.exe	Get hash	malicious	Njrat	Browse
	QuX5A6qz9G.exe	Get hash	malicious	Njrat	Browse
	OperaSetup.exe	Get hash	malicious	Quasar	Browse
	g8XyWsa2b6.exe	Get hash	malicious	Njrat	Browse
52.28.247.255	rkIcS0Y2WY.exe	Get hash	malicious	Njrat	Browse
	N1aqZIb7KG.exe	Get hash	malicious	Njrat	Browse
	QsKtlzYaKF.exe	Get hash	malicious	Njrat	Browse
	dKe1GfZOs1.exe	Get hash	malicious	Njrat	Browse
	X5eo58PPCB.exe	Get hash	malicious	Njrat	Browse
	ZuXcnAYgVp.exe	Get hash	malicious	Njrat	Browse
	wiUnP1h5Ex.exe	Get hash	malicious	Njrat	Browse
	BqFosj9Wcb.exe	Get hash	malicious	Njrat	Browse
	d09l64ZAW6.exe	Get hash	malicious	Njrat	Browse
	8AKGdJOQ8N.exe	Get hash	malicious	Njrat	Browse
	uPMGLG7QnV.exe	Get hash	malicious	Njrat	Browse
	X3vWrCoPG6.exe	Get hash	malicious	Njrat	Browse
	8fZNpRy9pN.exe	Get hash	malicious	Njrat	Browse
	2CVeP16GYU.exe	Get hash	malicious	Njrat	Browse
	QuX5A6qz9G.exe	Get hash	malicious	Njrat	Browse
	TdxWv8SpDq.exe	Get hash	malicious	Njrat	Browse
	OperaSetup.exe	Get hash	malicious	Quasar	Browse
	HR0Hh3FsOH.exe	Get hash	malicious	njRat	Browse
	r0EX1ZWE8C.exe	Get hash	malicious	Njrat	Browse
	Android_USB_Jailbreaker.exe	Get hash	malicious	Njrat	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
6.tcp.eu.ngrok.io	226dVJ2zRZ.exe	Get hash	malicious	Njrat	Browse	3.69.157.220
	IsJb5hB84q.exe	Get hash	malicious	Njrat	Browse	3.66.38.117
	Terraria.exe	Get hash	malicious	Njrat	Browse	3.66.38.117
	myidJB8lDL.exe	Get hash	malicious	Njrat	Browse	3.69.115.178
	rkIcS0Y2WY.exe	Get hash	malicious	Njrat	Browse	3.69.115.178
	30b4CoDmKk.exe	Get hash	malicious	Njrat	Browse	18.197.239.109
	N1aqZIb7KG.exe	Get hash	malicious	Njrat	Browse	3.68.171.119
	m5l9v13hIi.exe	Get hash	malicious	Njrat	Browse	3.66.38.117
	QsKtlzYaKF.exe	Get hash	malicious	Njrat	Browse	3.69.157.220
	xZLQ8X9Cxo.exe	Get hash	malicious	Njrat	Browse	3.69.157.220
	sCXwkZrcZ3.exe	Get hash	malicious	Njrat	Browse	3.68.171.119
	dKe1GfZOs1.exe	Get hash	malicious	Njrat	Browse	3.69.157.220
	bRxR.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	18.197.239.109
	X5eo58PPCB.exe	Get hash	malicious	Njrat	Browse	3.69.157.220
	ZuXcnAYgVp.exe	Get hash	malicious	Njrat	Browse	52.28.247.255
	wiUnP1h5Ex.exe	Get hash	malicious	Njrat	Browse	3.69.115.178
	BqFosj9Wcb.exe	Get hash	malicious	Njrat	Browse	52.28.247.255
	d09l64ZAW6.exe	Get hash	malicious	Njrat	Browse	52.28.247.255
	8AKGdJOQ8N.exe	Get hash	malicious	Njrat	Browse	3.68.171.119
	uPMGLG7QnV.exe	Get hash	malicious	Njrat	Browse	3.66.38.117

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	ODDBALL0.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	3.163.101.10
	bTcm.exe	Get hash	malicious	Njrat	Browse	54.94.248.37
	https://cbiblec4me.com/svenska-tonaring-januari/?s=Vi&pvhem=7291&fbclid=IwAR0IJuMChf4diWNNNE_TVlaTVIj6q2oYBcrCU2ZjnsisQ53ajsuET3RHXPg	Get hash	malicious	Unknown	Browse	3.20.84.35
	bTbY.exe	Get hash	malicious	Njrat	Browse	54.94.248.37
	bTbW.exe	Get hash	malicious	Njrat	Browse	54.94.248.37
	VXl6IxOofO.exe	Get hash	malicious	Gurcu Stealer	Browse	3.17.7.232
	n199svrcQC.elf	Get hash	malicious	Mirai	Browse	52.24.250.129
	EpsilonApp.exe	Get hash	malicious	Unknown	Browse	76.223.26.96
	Bdk58TYebF.elf	Get hash	malicious	Mirai	Browse	18.149.215.190
	NrhVe4v2Zt.elf	Get hash	malicious	Mirai	Browse	52.16.208.43
	vveZnyJj0e.elf	Get hash	malicious	Mirai	Browse	54.126.94.64
	2XcXiCaqz1.elf	Get hash	malicious	Mirai	Browse	108.137.250.47
	yUhriZgNi4.elf	Get hash	malicious	Mirai	Browse	13.208.205.148
	7UunqDE3X2.exe	Get hash	malicious	PureLog Stealer	Browse	3.14.182.203
	2zXf0uC9tq.elf	Get hash	malicious	Mirai	Browse	52.196.204.167
	D1E33311A3E42A9C958CED92087534253817C228A36A6.exe	Get hash	malicious	Unknown	Browse	52.217.143.33
	View - (1)Fax.eml	Get hash	malicious	Unknown	Browse	63.33.254.192
	5672D5B80770DEB68BF2435FEF12D521C04CE012250CC.exe	Get hash	malicious	Unknown	Browse	54.231.172.145
	https://m25z98brt5vb2m93fi0p.storage.googleapis.com/m25z98brt5vb2m93fi0p-i#cl/9810_md/1110/6902/1803/54/981368	Get hash	malicious	Phisher	Browse	52.85.132.77
	https://m25z98brt5vb2m93fi0p.storage.googleapis.com/m25z98brt5vb2m93fi0p-u	Get hash	malicious	Unknown	Browse	54.149.11.4
AMAZON-02US	ODDBALL0.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	3.163.101.10
	bTcm.exe	Get hash	malicious	Njrat	Browse	54.94.248.37
	https://cbiblec4me.com/svenska-tonaring-januari/?s=Vi&pvhem=7291&fbclid=IwAR0IJuMChf4diWNNNE_TVlaTVIj6q2oYBcrCU2ZjnsisQ53ajsuET3RHXPg	Get hash	malicious	Unknown	Browse	3.20.84.35
	bTbY.exe	Get hash	malicious	Njrat	Browse	54.94.248.37
	bTbW.exe	Get hash	malicious	Njrat	Browse	54.94.248.37
	VXl6IxOofO.exe	Get hash	malicious	Gurcu Stealer	Browse	3.17.7.232
	n199svrcQC.elf	Get hash	malicious	Mirai	Browse	52.24.250.129
	EpsilonApp.exe	Get hash	malicious	Unknown	Browse	76.223.26.96
	Bdk58TYebF.elf	Get hash	malicious	Mirai	Browse	18.149.215.190
	NrhVe4v2Zt.elf	Get hash	malicious	Mirai	Browse	52.16.208.43
	vveZnyJj0e.elf	Get hash	malicious	Mirai	Browse	54.126.94.64
	2XcXiCaqz1.elf	Get hash	malicious	Mirai	Browse	108.137.250.47
	yUhriZgNi4.elf	Get hash	malicious	Mirai	Browse	13.208.205.148
	7UunqDE3X2.exe	Get hash	malicious	PureLog Stealer	Browse	3.14.182.203
	2zXf0uC9tq.elf	Get hash	malicious	Mirai	Browse	52.196.204.167
	D1E33311A3E42A9C958CED92087534253817C228A36A6.exe	Get hash	malicious	Unknown	Browse	52.217.143.33
	View - (1)Fax.eml	Get hash	malicious	Unknown	Browse	63.33.254.192
	5672D5B80770DEB68BF2435FEF12D521C04CE012250CC.exe	Get hash	malicious	Unknown	Browse	54.231.172.145
	https://m25z98brt5vb2m93fi0p.storage.googleapis.com/m25z98brt5vb2m93fi0p-i#cl/9810_md/1110/6902/1803/54/981368	Get hash	malicious	Phisher	Browse	52.85.132.77
	https://m25z98brt5vb2m93fi0p.storage.googleapis.com/m25z98brt5vb2m93fi0p-u	Get hash	malicious	Unknown	Browse	54.149.11.4
AMAZON-02US	ODDBALL0.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	3.163.101.10
	bTcm.exe	Get hash	malicious	Njrat	Browse	54.94.248.37
	https://cbiblec4me.com/svenska-tonaring-januari/?s=Vi&pvhem=7291&fbclid=IwAR0IJuMChf4diWNNNE_TVlaTVIj6q2oYBcrCU2ZjnsisQ53ajsuET3RHXPg	Get hash	malicious	Unknown	Browse	3.20.84.35
	bTbY.exe	Get hash	malicious	Njrat	Browse	54.94.248.37
	bTbW.exe	Get hash	malicious	Njrat	Browse	54.94.248.37
	VXl6IxOofO.exe	Get hash	malicious	Gurcu Stealer	Browse	3.17.7.232
	n199svrcQC.elf	Get hash	malicious	Mirai	Browse	52.24.250.129
	EpsilonApp.exe	Get hash	malicious	Unknown	Browse	76.223.26.96
	Bdk58TYebF.elf	Get hash	malicious	Mirai	Browse	18.149.215.190
	NrhVe4v2Zt.elf	Get hash	malicious	Mirai	Browse	52.16.208.43
	vveZnyJj0e.elf	Get hash	malicious	Mirai	Browse	54.126.94.64
	2XcXiCaqz1.elf	Get hash	malicious	Mirai	Browse	108.137.250.47
	yUhriZgNi4.elf	Get hash	malicious	Mirai	Browse	13.208.205.148
	7UunqDE3X2.exe	Get hash	malicious	PureLog Stealer	Browse	3.14.182.203
	2zXf0uC9tq.elf	Get hash	malicious	Mirai	Browse	52.196.204.167
	D1E33311A3E42A9C958CED92087534253817C228A36A6.exe	Get hash	malicious	Unknown	Browse	52.217.143.33
	View - (1)Fax.eml	Get hash	malicious	Unknown	Browse	63.33.254.192
	5672D5B80770DEB68BF2435FEF12D521C04CE012250CC.exe	Get hash	malicious	Unknown	Browse	54.231.172.145
	https://m25z98brt5vb2m93fi0p.storage.googleapis.com/m25z98brt5vb2m93fi0p-i#cl/9810_md/1110/6902/1803/54/981368	Get hash	malicious	Phisher	Browse	52.85.132.77
	https://m25z98brt5vb2m93fi0p.storage.googleapis.com/m25z98brt5vb2m93fi0p-u	Get hash	malicious	Unknown	Browse	54.149.11.4

Process:	C:\Users\user\Desktop\1.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	37888
Entropy (8bit):	5.574394315899761
Encrypted:	false
SSDEEP:	384:1W6vEiTb/vpWNcZ0y8fDC7//DwLkyYd/rAF+rMRTyN/0L+EcoinblneHQM3epzX/:w6vTZ38fDC7/sVY1rM+rMRa8Nukh8t
MD5:	0DE31E650BCEA7C72DD79073999A7DC1
SHA1:	EC128AFE544DAF0ED9F4325C48772F5F360BCC48
SHA-256:	1C0D47E5753714456BCE1435810059BEE8D3CDF7F579F7D1DE39D65EC7452CF0
SHA-512:	2B6E295753A339C23683BBD4212B867657AB128B6DEF4F37C8FFCA78A456192CA7E754400ACF36D1E3C0EE1415A9981260D88ED441865F1644CD6E9D8015DFB9
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\ProgramData\svchost.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\ProgramData\svchost.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\ProgramData\svchost.exe, Author: Brian Wallace @botnet_hunter Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\ProgramData\svchost.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 79%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...._.e................................. ........@.. ....................................@.................................l...O.......@............................................................................ ............... ..H............text....... ...................... ..`.rsrc...@...........................@..@.reloc..............................@..B........................H........e...E..........................................................&.(......*..(.......s.........s.........s.........s...........0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\ProgramData\svchost.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\1.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\1.exe.log

Download File

Process:	C:\Users\user\Desktop\1.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	525
Entropy (8bit):	5.259753436570609
Encrypted:	false
SSDEEP:	12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
MD5:	260E01CC001F9C4643CA7A62F395D747
SHA1:	492AD0ACE3A9C8736909866EEA168962D418BE5A
SHA-256:	4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
SHA-512:	01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\svchost.exe.log

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.259753436570609
Encrypted:	false
SSDEEP:	12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
MD5:	260E01CC001F9C4643CA7A62F395D747
SHA1:	492AD0ACE3A9C8736909866EEA168962D418BE5A
SHA-256:	4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
SHA-512:	01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\134cc1d0196af692d1e58df35504bc9f.exe

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	37888
Entropy (8bit):	5.574394315899761
Encrypted:	false
SSDEEP:	384:1W6vEiTb/vpWNcZ0y8fDC7//DwLkyYd/rAF+rMRTyN/0L+EcoinblneHQM3epzX/:w6vTZ38fDC7/sVY1rM+rMRa8Nukh8t
MD5:	0DE31E650BCEA7C72DD79073999A7DC1
SHA1:	EC128AFE544DAF0ED9F4325C48772F5F360BCC48
SHA-256:	1C0D47E5753714456BCE1435810059BEE8D3CDF7F579F7D1DE39D65EC7452CF0
SHA-512:	2B6E295753A339C23683BBD4212B867657AB128B6DEF4F37C8FFCA78A456192CA7E754400ACF36D1E3C0EE1415A9981260D88ED441865F1644CD6E9D8015DFB9
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\134cc1d0196af692d1e58df35504bc9f.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\134cc1d0196af692d1e58df35504bc9f.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\134cc1d0196af692d1e58df35504bc9f.exe, Author: Brian Wallace @botnet_hunter Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\134cc1d0196af692d1e58df35504bc9f.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 79%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...._.e................................. ........@.. ....................................@.................................l...O.......@............................................................................ ............... ..H............text....... ...................... ..`.rsrc...@...........................@..@.reloc..............................@..B........................H........e...E..........................................................&.(......*..(.......s.........s.........s.........s...........0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\134cc1d0196af692d1e58df35504bc9f.exe:Zone.Identifier

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\autorun.inf

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	Microsoft Windows Autorun file
Category:	modified
Size (bytes):	50
Entropy (8bit):	4.320240000427043
Encrypted:	false
SSDEEP:	3:It1KV2LKMACovK0x:e1KzxvD
MD5:	5B0B50BADE67C5EC92D42E971287A5D9
SHA1:	90D5C99143E7A56AD6E5EE401015F8ECC093D95A
SHA-256:	04DDE2489D2D2E6846D42250D813AB90B5CA847D527F8F2C022E6C327DC6DB53
SHA-512:	C064DC3C4185A38D1CAEBD069ACB9FDBB85DFB650D6A241036E501A09BC89FD06E267BE9D400D20E6C14B4068473D1C6557962E8D82FDFD191DB7EABB6E66821
Malicious:	true
Preview:	[autorun]..open=C:\svchost.exe..shellexecute=C:\..

C:\svchost.exe

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	37888
Entropy (8bit):	5.574394315899761
Encrypted:	false
SSDEEP:	384:1W6vEiTb/vpWNcZ0y8fDC7//DwLkyYd/rAF+rMRTyN/0L+EcoinblneHQM3epzX/:w6vTZ38fDC7/sVY1rM+rMRa8Nukh8t
MD5:	0DE31E650BCEA7C72DD79073999A7DC1
SHA1:	EC128AFE544DAF0ED9F4325C48772F5F360BCC48
SHA-256:	1C0D47E5753714456BCE1435810059BEE8D3CDF7F579F7D1DE39D65EC7452CF0
SHA-512:	2B6E295753A339C23683BBD4212B867657AB128B6DEF4F37C8FFCA78A456192CA7E754400ACF36D1E3C0EE1415A9981260D88ED441865F1644CD6E9D8015DFB9
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\svchost.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\svchost.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\svchost.exe, Author: Brian Wallace @botnet_hunter Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\svchost.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 79%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...._.e................................. ........@.. ....................................@.................................l...O.......@............................................................................ ............... ..H............text....... ...................... ..`.rsrc...@...........................@..@.reloc..............................@..B........................H........e...E..........................................................&.(......*..(.......s.........s.........s.........s...........0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\svchost.exe:Zone.Identifier

Download File

Process:	C:\ProgramData\svchost.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

\Device\ConDrv

Download File

Process:	C:\Windows\SysWOW64\netsh.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	313
Entropy (8bit):	4.971939296804078
Encrypted:	false
SSDEEP:	6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
MD5:	689E2126A85BF55121488295EE068FA1
SHA1:	09BAAA253A49D80C18326DFBCA106551EBF22DD6
SHA-256:	D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
SHA-512:	C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
Malicious:	false
Preview:	..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.574394315899761
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	1.exe
File size:	37'888 bytes
MD5:	0de31e650bcea7c72dd79073999a7dc1
SHA1:	ec128afe544daf0ed9f4325c48772f5f360bcc48
SHA256:	1c0d47e5753714456bce1435810059bee8d3cdf7f579f7d1de39d65ec7452cf0
SHA512:	2b6e295753a339c23683bbd4212b867657ab128b6def4f37c8ffca78a456192ca7e754400acf36d1e3c0ee1415a9981260d88ed441865f1644cd6e9d8015dfb9
SSDEEP:	384:1W6vEiTb/vpWNcZ0y8fDC7//DwLkyYd/rAF+rMRTyN/0L+EcoinblneHQM3epzX/:w6vTZ38fDC7/sVY1rM+rMRa8Nukh8t
TLSH:	ED033A4D7FE18168C5FD067B05B2D412077BE04B6E23D90E8EF264AA37636C18B50AF2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...._.e................................. ........@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40abbe
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x65AB5FC7 [Sat Jan 20 05:53:11 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xab6c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc000	0x240	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x8bc4	0x8c00	False	0.4636439732142857	data	5.605891842367962	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc000	0x240	0x400	False	0.3134765625	data	4.968771659524424	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe000	0xc	0x200	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0xc058	0x1e7	XML 1.0 document, ASCII text, with CRLF line terminators			0.5338809034907598

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 20, 2024 09:41:11.712822914 CET	49729	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:41:11.915596008 CET	17387	49729	3.66.38.117	192.168.2.4
Jan 20, 2024 09:41:12.424320936 CET	49729	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:41:12.627223969 CET	17387	49729	3.66.38.117	192.168.2.4
Jan 20, 2024 09:41:13.127494097 CET	49729	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:41:13.330347061 CET	17387	49729	3.66.38.117	192.168.2.4
Jan 20, 2024 09:41:13.834378004 CET	49729	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:41:14.037357092 CET	17387	49729	3.66.38.117	192.168.2.4
Jan 20, 2024 09:41:14.549057007 CET	49729	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:41:14.751702070 CET	17387	49729	3.66.38.117	192.168.2.4
Jan 20, 2024 09:41:16.770979881 CET	49736	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:41:16.976404905 CET	17387	49736	3.66.38.117	192.168.2.4
Jan 20, 2024 09:41:17.486641884 CET	49736	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:41:17.691643000 CET	17387	49736	3.66.38.117	192.168.2.4
Jan 20, 2024 09:41:18.205421925 CET	49736	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:41:18.410609007 CET	17387	49736	3.66.38.117	192.168.2.4
Jan 20, 2024 09:41:18.924032927 CET	49736	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:41:19.128968954 CET	17387	49736	3.66.38.117	192.168.2.4
Jan 20, 2024 09:41:19.642810106 CET	49736	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:41:19.849062920 CET	17387	49736	3.66.38.117	192.168.2.4
Jan 20, 2024 09:41:21.863398075 CET	49737	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:41:22.068361044 CET	17387	49737	3.66.38.117	192.168.2.4
Jan 20, 2024 09:41:22.580513954 CET	49737	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:41:22.786015987 CET	17387	49737	3.66.38.117	192.168.2.4
Jan 20, 2024 09:41:23.299151897 CET	49737	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:41:23.504059076 CET	17387	49737	3.66.38.117	192.168.2.4
Jan 20, 2024 09:41:24.017998934 CET	49737	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:41:24.222985983 CET	17387	49737	3.66.38.117	192.168.2.4
Jan 20, 2024 09:41:24.736558914 CET	49737	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:41:24.941884041 CET	17387	49737	3.66.38.117	192.168.2.4
Jan 20, 2024 09:41:27.050839901 CET	49738	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:41:27.252768993 CET	17387	49738	3.66.38.117	192.168.2.4
Jan 20, 2024 09:41:27.767905951 CET	49738	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:41:27.970029116 CET	17387	49738	3.66.38.117	192.168.2.4
Jan 20, 2024 09:41:28.471054077 CET	49738	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:41:28.673047066 CET	17387	49738	3.66.38.117	192.168.2.4
Jan 20, 2024 09:41:29.174330950 CET	49738	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:41:29.376384020 CET	17387	49738	3.66.38.117	192.168.2.4
Jan 20, 2024 09:41:29.877262115 CET	49738	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:41:30.079513073 CET	17387	49738	3.66.38.117	192.168.2.4
Jan 20, 2024 09:41:32.082487106 CET	49739	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:41:32.283849955 CET	17387	49739	3.66.38.117	192.168.2.4
Jan 20, 2024 09:41:32.799088001 CET	49739	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:41:33.000164032 CET	17387	49739	3.66.38.117	192.168.2.4
Jan 20, 2024 09:41:33.502227068 CET	49739	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:41:33.703367949 CET	17387	49739	3.66.38.117	192.168.2.4
Jan 20, 2024 09:41:34.205257893 CET	49739	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:41:34.406229973 CET	17387	49739	3.66.38.117	192.168.2.4
Jan 20, 2024 09:41:34.908370018 CET	49739	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:41:35.109736919 CET	17387	49739	3.66.38.117	192.168.2.4
Jan 20, 2024 09:41:37.112896919 CET	49740	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:41:37.314481974 CET	17387	49740	3.66.38.117	192.168.2.4
Jan 20, 2024 09:41:37.830219030 CET	49740	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:41:38.031657934 CET	17387	49740	3.66.38.117	192.168.2.4
Jan 20, 2024 09:41:38.533330917 CET	49740	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:41:38.734723091 CET	17387	49740	3.66.38.117	192.168.2.4
Jan 20, 2024 09:41:39.252080917 CET	49740	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:41:39.453576088 CET	17387	49740	3.66.38.117	192.168.2.4
Jan 20, 2024 09:41:39.955228090 CET	49740	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:41:40.156522036 CET	17387	49740	3.66.38.117	192.168.2.4
Jan 20, 2024 09:41:42.160154104 CET	49741	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:41:42.362605095 CET	17387	49741	3.66.38.117	192.168.2.4
Jan 20, 2024 09:41:42.877306938 CET	49741	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:41:43.080209970 CET	17387	49741	3.66.38.117	192.168.2.4
Jan 20, 2024 09:41:43.580411911 CET	49741	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:41:43.783242941 CET	17387	49741	3.66.38.117	192.168.2.4
Jan 20, 2024 09:41:44.283412933 CET	49741	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:41:44.486099958 CET	17387	49741	3.66.38.117	192.168.2.4
Jan 20, 2024 09:41:44.986759901 CET	49741	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:41:45.189344883 CET	17387	49741	3.66.38.117	192.168.2.4
Jan 20, 2024 09:41:48.332163095 CET	49742	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:41:48.532831907 CET	17387	49742	3.66.38.117	192.168.2.4
Jan 20, 2024 09:41:49.036346912 CET	49742	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:41:49.237174034 CET	17387	49742	3.66.38.117	192.168.2.4
Jan 20, 2024 09:41:49.752166986 CET	49742	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:41:49.953001022 CET	17387	49742	3.66.38.117	192.168.2.4
Jan 20, 2024 09:41:50.455251932 CET	49742	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:41:50.656164885 CET	17387	49742	3.66.38.117	192.168.2.4
Jan 20, 2024 09:41:51.158301115 CET	49742	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:41:51.359184980 CET	17387	49742	3.66.38.117	192.168.2.4
Jan 20, 2024 09:41:53.363338947 CET	49744	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:41:53.565553904 CET	17387	49744	3.66.38.117	192.168.2.4
Jan 20, 2024 09:41:54.080372095 CET	49744	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:41:54.282128096 CET	17387	49744	3.66.38.117	192.168.2.4
Jan 20, 2024 09:41:54.783376932 CET	49744	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:41:54.985537052 CET	17387	49744	3.66.38.117	192.168.2.4
Jan 20, 2024 09:41:55.486478090 CET	49744	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:41:55.688302994 CET	17387	49744	3.66.38.117	192.168.2.4
Jan 20, 2024 09:41:56.189651966 CET	49744	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:41:56.391432047 CET	17387	49744	3.66.38.117	192.168.2.4
Jan 20, 2024 09:41:58.394903898 CET	49745	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:41:58.598195076 CET	17387	49745	3.66.38.117	192.168.2.4
Jan 20, 2024 09:41:59.111443043 CET	49745	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:41:59.317725897 CET	17387	49745	3.66.38.117	192.168.2.4
Jan 20, 2024 09:41:59.830178976 CET	49745	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:42:00.033164024 CET	17387	49745	3.66.38.117	192.168.2.4
Jan 20, 2024 09:42:00.533267021 CET	49745	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:42:00.736185074 CET	17387	49745	3.66.38.117	192.168.2.4
Jan 20, 2024 09:42:01.252094984 CET	49745	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:42:01.455178022 CET	17387	49745	3.66.38.117	192.168.2.4
Jan 20, 2024 09:42:03.684804916 CET	49746	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:42:03.887736082 CET	17387	49746	3.66.38.117	192.168.2.4
Jan 20, 2024 09:42:04.392615080 CET	49746	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:42:04.595284939 CET	17387	49746	3.66.38.117	192.168.2.4
Jan 20, 2024 09:42:05.111394882 CET	49746	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:42:05.313913107 CET	17387	49746	3.66.38.117	192.168.2.4
Jan 20, 2024 09:42:05.814503908 CET	49746	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:42:06.017216921 CET	17387	49746	3.66.38.117	192.168.2.4
Jan 20, 2024 09:42:06.517810106 CET	49746	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:42:06.720513105 CET	17387	49746	3.66.38.117	192.168.2.4
Jan 20, 2024 09:42:08.740482092 CET	49747	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:42:08.942466974 CET	17387	49747	3.66.38.117	192.168.2.4
Jan 20, 2024 09:42:09.455121994 CET	49747	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:42:09.659456015 CET	17387	49747	3.66.38.117	192.168.2.4
Jan 20, 2024 09:42:10.173928022 CET	49747	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:42:10.375895977 CET	17387	49747	3.66.38.117	192.168.2.4
Jan 20, 2024 09:42:10.877151966 CET	49747	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:42:11.079377890 CET	17387	49747	3.66.38.117	192.168.2.4
Jan 20, 2024 09:42:11.580329895 CET	49747	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:42:11.782465935 CET	17387	49747	3.66.38.117	192.168.2.4
Jan 20, 2024 09:42:13.909955025 CET	49748	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:42:14.111680031 CET	17387	49748	52.28.247.255	192.168.2.4
Jan 20, 2024 09:42:14.627088070 CET	49748	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:42:14.828419924 CET	17387	49748	52.28.247.255	192.168.2.4
Jan 20, 2024 09:42:15.330092907 CET	49748	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:42:15.531686068 CET	17387	49748	52.28.247.255	192.168.2.4
Jan 20, 2024 09:42:16.033309937 CET	49748	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:42:16.234769106 CET	17387	49748	52.28.247.255	192.168.2.4
Jan 20, 2024 09:42:16.736433029 CET	49748	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:42:16.938069105 CET	17387	49748	52.28.247.255	192.168.2.4
Jan 20, 2024 09:42:18.942706108 CET	49749	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:42:19.142683983 CET	17387	49749	52.28.247.255	192.168.2.4
Jan 20, 2024 09:42:19.658184052 CET	49749	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:42:19.858252048 CET	17387	49749	52.28.247.255	192.168.2.4
Jan 20, 2024 09:42:20.366559982 CET	49749	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:42:20.566680908 CET	17387	49749	52.28.247.255	192.168.2.4
Jan 20, 2024 09:42:21.080040932 CET	49749	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:42:21.280054092 CET	17387	49749	52.28.247.255	192.168.2.4
Jan 20, 2024 09:42:21.892571926 CET	49749	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:42:22.092673063 CET	17387	49749	52.28.247.255	192.168.2.4
Jan 20, 2024 09:42:24.098567963 CET	49750	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:42:24.298947096 CET	17387	49750	52.28.247.255	192.168.2.4
Jan 20, 2024 09:42:24.895518064 CET	49750	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:42:25.095995903 CET	17387	49750	52.28.247.255	192.168.2.4
Jan 20, 2024 09:42:25.689419031 CET	49750	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:42:25.890708923 CET	17387	49750	52.28.247.255	192.168.2.4
Jan 20, 2024 09:42:26.392560959 CET	49750	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:42:26.592905045 CET	17387	49750	52.28.247.255	192.168.2.4
Jan 20, 2024 09:42:27.095676899 CET	49750	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:42:27.295939922 CET	17387	49750	52.28.247.255	192.168.2.4
Jan 20, 2024 09:42:29.300738096 CET	49751	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:42:29.502739906 CET	17387	49751	52.28.247.255	192.168.2.4
Jan 20, 2024 09:42:30.017656088 CET	49751	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:42:30.219652891 CET	17387	49751	52.28.247.255	192.168.2.4
Jan 20, 2024 09:42:30.720665932 CET	49751	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:42:30.922718048 CET	17387	49751	52.28.247.255	192.168.2.4
Jan 20, 2024 09:42:31.424012899 CET	49751	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:42:31.626112938 CET	17387	49751	52.28.247.255	192.168.2.4
Jan 20, 2024 09:42:32.127130032 CET	49751	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:42:32.329087019 CET	17387	49751	52.28.247.255	192.168.2.4
Jan 20, 2024 09:42:34.332341909 CET	49752	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:42:34.533792019 CET	17387	49752	52.28.247.255	192.168.2.4
Jan 20, 2024 09:42:35.080142975 CET	49752	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:42:35.281635046 CET	17387	49752	52.28.247.255	192.168.2.4
Jan 20, 2024 09:42:35.892528057 CET	49752	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:42:36.093977928 CET	17387	49752	52.28.247.255	192.168.2.4
Jan 20, 2024 09:42:36.595658064 CET	49752	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:42:36.797179937 CET	17387	49752	52.28.247.255	192.168.2.4
Jan 20, 2024 09:42:37.392512083 CET	49752	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:42:37.594363928 CET	17387	49752	52.28.247.255	192.168.2.4
Jan 20, 2024 09:42:40.738593102 CET	49753	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:42:40.941148996 CET	17387	49753	52.28.247.255	192.168.2.4
Jan 20, 2024 09:42:41.517721891 CET	49753	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:42:41.720206976 CET	17387	49753	52.28.247.255	192.168.2.4
Jan 20, 2024 09:42:42.314372063 CET	49753	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:42:42.516952991 CET	17387	49753	52.28.247.255	192.168.2.4
Jan 20, 2024 09:42:43.017477036 CET	49753	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:42:43.220329046 CET	17387	49753	52.28.247.255	192.168.2.4
Jan 20, 2024 09:42:43.814456940 CET	49753	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:42:44.017178059 CET	17387	49753	52.28.247.255	192.168.2.4
Jan 20, 2024 09:42:45.772676945 CET	49754	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:42:45.974843979 CET	17387	49754	52.28.247.255	192.168.2.4
Jan 20, 2024 09:42:46.486217022 CET	49754	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:42:46.688153982 CET	17387	49754	52.28.247.255	192.168.2.4
Jan 20, 2024 09:42:47.189331055 CET	49754	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:42:47.391483068 CET	17387	49754	52.28.247.255	192.168.2.4
Jan 20, 2024 09:42:47.892462015 CET	49754	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:42:48.094822884 CET	17387	49754	52.28.247.255	192.168.2.4
Jan 20, 2024 09:42:48.595588923 CET	49754	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:42:48.797736883 CET	17387	49754	52.28.247.255	192.168.2.4
Jan 20, 2024 09:42:50.442320108 CET	49755	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:42:50.644423008 CET	17387	49755	52.28.247.255	192.168.2.4
Jan 20, 2024 09:42:51.158080101 CET	49755	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:42:51.360260010 CET	17387	49755	52.28.247.255	192.168.2.4
Jan 20, 2024 09:42:51.861361980 CET	49755	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:42:52.063479900 CET	17387	49755	52.28.247.255	192.168.2.4
Jan 20, 2024 09:42:52.564507961 CET	49755	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:42:52.766633987 CET	17387	49755	52.28.247.255	192.168.2.4
Jan 20, 2024 09:42:53.267657042 CET	49755	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:42:53.470069885 CET	17387	49755	52.28.247.255	192.168.2.4
Jan 20, 2024 09:42:55.006591082 CET	49756	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:42:55.209012985 CET	17387	49756	52.28.247.255	192.168.2.4
Jan 20, 2024 09:42:55.720901012 CET	49756	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:42:55.923330069 CET	17387	49756	52.28.247.255	192.168.2.4
Jan 20, 2024 09:42:56.517560959 CET	49756	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:42:56.719949007 CET	17387	49756	52.28.247.255	192.168.2.4
Jan 20, 2024 09:42:57.220727921 CET	49756	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:42:57.422817945 CET	17387	49756	52.28.247.255	192.168.2.4
Jan 20, 2024 09:42:57.923854113 CET	49756	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:42:58.126861095 CET	17387	49756	52.28.247.255	192.168.2.4
Jan 20, 2024 09:42:59.550348997 CET	49757	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:42:59.752300978 CET	17387	49757	52.28.247.255	192.168.2.4
Jan 20, 2024 09:43:00.267441988 CET	49757	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:43:00.469166994 CET	17387	49757	52.28.247.255	192.168.2.4
Jan 20, 2024 09:43:00.970668077 CET	49757	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:43:01.172367096 CET	17387	49757	52.28.247.255	192.168.2.4
Jan 20, 2024 09:43:01.673695087 CET	49757	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:43:01.875493050 CET	17387	49757	52.28.247.255	192.168.2.4
Jan 20, 2024 09:43:02.376801968 CET	49757	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:43:02.580440044 CET	17387	49757	52.28.247.255	192.168.2.4
Jan 20, 2024 09:43:03.910856962 CET	49758	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:43:04.114578009 CET	17387	49758	52.28.247.255	192.168.2.4
Jan 20, 2024 09:43:04.626806021 CET	49758	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:43:04.830526114 CET	17387	49758	52.28.247.255	192.168.2.4
Jan 20, 2024 09:43:05.345532894 CET	49758	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:43:05.549376965 CET	17387	49758	52.28.247.255	192.168.2.4
Jan 20, 2024 09:43:06.064261913 CET	49758	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:43:06.267836094 CET	17387	49758	52.28.247.255	192.168.2.4
Jan 20, 2024 09:43:06.783040047 CET	49758	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:43:06.987273932 CET	17387	49758	52.28.247.255	192.168.2.4
Jan 20, 2024 09:43:08.241580963 CET	49759	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:43:08.445373058 CET	17387	49759	52.28.247.255	192.168.2.4
Jan 20, 2024 09:43:08.954988003 CET	49759	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:43:09.158669949 CET	17387	49759	52.28.247.255	192.168.2.4
Jan 20, 2024 09:43:09.673780918 CET	49759	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:43:09.877614975 CET	17387	49759	52.28.247.255	192.168.2.4
Jan 20, 2024 09:43:10.392388105 CET	49759	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:43:10.596318007 CET	17387	49759	52.28.247.255	192.168.2.4
Jan 20, 2024 09:43:11.111318111 CET	49759	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:43:11.315485001 CET	17387	49759	52.28.247.255	192.168.2.4
Jan 20, 2024 09:43:12.471856117 CET	49760	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:43:12.676924944 CET	17387	49760	52.28.247.255	192.168.2.4
Jan 20, 2024 09:43:13.189378977 CET	49760	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:43:13.394315004 CET	17387	49760	52.28.247.255	192.168.2.4
Jan 20, 2024 09:43:13.907990932 CET	49760	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:43:14.112977028 CET	17387	49760	52.28.247.255	192.168.2.4
Jan 20, 2024 09:43:14.626940012 CET	49760	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:43:14.831836939 CET	17387	49760	52.28.247.255	192.168.2.4
Jan 20, 2024 09:43:15.345530987 CET	49760	17387	192.168.2.4	52.28.247.255
Jan 20, 2024 09:43:15.550561905 CET	17387	49760	52.28.247.255	192.168.2.4
Jan 20, 2024 09:43:16.751164913 CET	49761	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:16.952608109 CET	17387	49761	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:17.454989910 CET	49761	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:17.655560017 CET	17387	49761	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:18.158000946 CET	49761	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:18.358114958 CET	17387	49761	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:18.861231089 CET	49761	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:19.061671019 CET	17387	49761	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:19.564243078 CET	49761	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:19.764523983 CET	17387	49761	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:20.784641981 CET	49762	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:20.987299919 CET	17387	49762	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:21.501744986 CET	49762	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:21.704408884 CET	17387	49762	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:22.205013037 CET	49762	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:22.407737017 CET	17387	49762	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:22.908097029 CET	49762	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:23.110822916 CET	17387	49762	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:23.611242056 CET	49762	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:23.814141035 CET	17387	49762	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:24.753384113 CET	49763	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:24.957695007 CET	17387	49763	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:25.470509052 CET	49763	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:25.674915075 CET	17387	49763	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:26.189218044 CET	49763	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:26.393640041 CET	17387	49763	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:26.907980919 CET	49763	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:27.112152100 CET	17387	49763	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:27.626735926 CET	49763	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:27.830682993 CET	17387	49763	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:28.724868059 CET	49764	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:28.928689003 CET	17387	49764	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:29.439292908 CET	49764	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:29.643161058 CET	17387	49764	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:30.158094883 CET	49764	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:30.361573935 CET	17387	49764	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:30.876699924 CET	49764	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:31.080394983 CET	17387	49764	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:31.595468044 CET	49764	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:31.799479008 CET	17387	49764	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:32.628735065 CET	49765	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:32.832262039 CET	17387	49765	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:33.345613956 CET	49765	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:33.549182892 CET	17387	49765	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:34.064306974 CET	49765	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:34.267715931 CET	17387	49765	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:34.782967091 CET	49765	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:34.986388922 CET	17387	49765	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:35.501952887 CET	49765	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:35.705705881 CET	17387	49765	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:36.472922087 CET	49766	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:36.673332930 CET	17387	49766	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:37.189260960 CET	49766	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:37.390182018 CET	17387	49766	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:37.892450094 CET	49766	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:38.092808962 CET	17387	49766	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:38.595525026 CET	49766	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:38.796003103 CET	17387	49766	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:39.298648119 CET	49766	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:39.499110937 CET	17387	49766	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:40.222223043 CET	49767	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:40.425297022 CET	17387	49767	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:40.939182997 CET	49767	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:41.141282082 CET	17387	49767	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:41.642565966 CET	49767	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:41.845123053 CET	17387	49767	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:42.345417023 CET	49767	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:42.547763109 CET	17387	49767	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:43.048830032 CET	49767	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:43.251351118 CET	17387	49767	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:43.927217960 CET	49768	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:44.131257057 CET	17387	49768	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:44.642301083 CET	49768	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:44.845941067 CET	17387	49768	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:45.361114979 CET	49768	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:45.564698935 CET	17387	49768	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:46.079879045 CET	49768	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:46.283467054 CET	17387	49768	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:46.798639059 CET	49768	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:47.002389908 CET	17387	49768	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:47.629395962 CET	49769	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:47.831688881 CET	17387	49769	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:48.345618010 CET	49769	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:48.547888041 CET	17387	49769	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:49.048755884 CET	49769	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:49.251250982 CET	17387	49769	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:49.751749992 CET	49769	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:49.955554008 CET	17387	49769	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:50.470558882 CET	49769	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:50.673055887 CET	17387	49769	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:51.254292965 CET	49770	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:51.455020905 CET	17387	49770	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:51.970520020 CET	49770	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:52.170619011 CET	17387	49770	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:52.673531055 CET	49770	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:52.873877048 CET	17387	49770	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:53.376652956 CET	49770	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:53.577233076 CET	17387	49770	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:54.079875946 CET	49770	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:54.280071974 CET	17387	49770	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:54.832355976 CET	49771	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:55.036303997 CET	17387	49771	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:55.548552990 CET	49771	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:55.752510071 CET	17387	49771	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:56.267339945 CET	49771	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:56.471343994 CET	17387	49771	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:56.986124039 CET	49771	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:57.190490961 CET	17387	49771	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:57.704812050 CET	49771	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:57.908915997 CET	17387	49771	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:58.668939114 CET	49772	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:58.872946978 CET	17387	49772	3.69.157.220	192.168.2.4
Jan 20, 2024 09:43:59.376621008 CET	49772	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:43:59.580449104 CET	17387	49772	3.69.157.220	192.168.2.4
Jan 20, 2024 09:44:00.283040047 CET	49772	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:44:00.487010956 CET	17387	49772	3.69.157.220	192.168.2.4
Jan 20, 2024 09:44:01.079838991 CET	49772	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:44:01.284128904 CET	17387	49772	3.69.157.220	192.168.2.4
Jan 20, 2024 09:44:01.915122986 CET	49772	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:44:02.118837118 CET	17387	49772	3.69.157.220	192.168.2.4
Jan 20, 2024 09:44:02.596961021 CET	49773	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:44:02.798979998 CET	17387	49773	3.69.157.220	192.168.2.4
Jan 20, 2024 09:44:03.314233065 CET	49773	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:44:03.516113997 CET	17387	49773	3.69.157.220	192.168.2.4
Jan 20, 2024 09:44:04.017364025 CET	49773	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:44:04.219769955 CET	17387	49773	3.69.157.220	192.168.2.4
Jan 20, 2024 09:44:04.720376968 CET	49773	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:44:04.922791004 CET	17387	49773	3.69.157.220	192.168.2.4
Jan 20, 2024 09:44:05.423629045 CET	49773	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:44:05.625566006 CET	17387	49773	3.69.157.220	192.168.2.4
Jan 20, 2024 09:44:06.081537962 CET	49774	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:44:06.285464048 CET	17387	49774	3.69.157.220	192.168.2.4
Jan 20, 2024 09:44:06.798568010 CET	49774	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:44:07.002304077 CET	17387	49774	3.69.157.220	192.168.2.4
Jan 20, 2024 09:44:07.517467976 CET	49774	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:44:07.721292973 CET	17387	49774	3.69.157.220	192.168.2.4
Jan 20, 2024 09:44:08.235949993 CET	49774	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:44:08.439965010 CET	17387	49774	3.69.157.220	192.168.2.4
Jan 20, 2024 09:44:08.954720974 CET	49774	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:44:09.158763885 CET	17387	49774	3.69.157.220	192.168.2.4
Jan 20, 2024 09:44:09.580920935 CET	49775	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:44:09.782244921 CET	17387	49775	3.69.157.220	192.168.2.4
Jan 20, 2024 09:44:10.282860041 CET	49775	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:44:10.484473944 CET	17387	49775	3.69.157.220	192.168.2.4
Jan 20, 2024 09:44:10.985950947 CET	49775	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:44:11.187494993 CET	17387	49775	3.69.157.220	192.168.2.4
Jan 20, 2024 09:44:11.689069986 CET	49775	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:44:11.890635014 CET	17387	49775	3.69.157.220	192.168.2.4
Jan 20, 2024 09:44:12.392189980 CET	49775	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:44:12.593883991 CET	17387	49775	3.69.157.220	192.168.2.4
Jan 20, 2024 09:44:12.987263918 CET	49776	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:44:13.189534903 CET	17387	49776	3.69.157.220	192.168.2.4
Jan 20, 2024 09:44:13.689640045 CET	49776	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:44:13.891593933 CET	17387	49776	3.69.157.220	192.168.2.4
Jan 20, 2024 09:44:14.392208099 CET	49776	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:44:14.594176054 CET	17387	49776	3.69.157.220	192.168.2.4
Jan 20, 2024 09:44:15.095340014 CET	49776	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:44:15.297683001 CET	17387	49776	3.69.157.220	192.168.2.4
Jan 20, 2024 09:44:15.798540115 CET	49776	17387	192.168.2.4	3.69.157.220
Jan 20, 2024 09:44:16.000572920 CET	17387	49776	3.69.157.220	192.168.2.4
Jan 20, 2024 09:44:16.485835075 CET	49777	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:16.688868999 CET	17387	49777	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:17.204689026 CET	49777	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:17.407442093 CET	17387	49777	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:17.923635960 CET	49777	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:18.126425982 CET	17387	49777	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:18.626580000 CET	49777	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:18.829551935 CET	17387	49777	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:19.329863071 CET	49777	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:19.532891035 CET	17387	49777	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:19.881983995 CET	49778	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:20.082356930 CET	17387	49778	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:20.595415115 CET	49778	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:20.795949936 CET	17387	49778	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:21.298554897 CET	49778	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:21.498984098 CET	17387	49778	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:22.001743078 CET	49778	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:22.202167988 CET	17387	49778	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:22.704720974 CET	49778	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:22.905137062 CET	17387	49778	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:23.221935034 CET	49779	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:23.424501896 CET	17387	49779	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:23.939085960 CET	49779	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:24.141297102 CET	17387	49779	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:24.642244101 CET	49779	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:24.844896078 CET	17387	49779	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:25.345359087 CET	49779	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:25.547791958 CET	17387	49779	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:26.048420906 CET	49779	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:26.250541925 CET	17387	49779	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:26.550436020 CET	49780	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:26.753328085 CET	17387	49780	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:27.267160892 CET	49780	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:27.469779968 CET	17387	49780	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:27.970288038 CET	49780	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:28.172929049 CET	17387	49780	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:28.673557043 CET	49780	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:28.876292944 CET	17387	49780	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:29.392236948 CET	49780	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:29.595045090 CET	17387	49780	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:29.878786087 CET	49781	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:30.078660011 CET	17387	49781	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:30.579674006 CET	49781	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:30.779625893 CET	17387	49781	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:31.407804966 CET	49781	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:31.607754946 CET	17387	49781	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:32.220303059 CET	49781	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:32.420172930 CET	17387	49781	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:33.017270088 CET	49781	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:33.217226982 CET	17387	49781	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:33.472126007 CET	49782	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:33.672651052 CET	17387	49782	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:34.220268011 CET	49782	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:34.420603991 CET	17387	49782	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:35.017167091 CET	49782	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:35.217677116 CET	17387	49782	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:35.720263004 CET	49782	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:35.923007965 CET	17387	49782	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:36.517180920 CET	49782	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:36.717418909 CET	17387	49782	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:36.962258101 CET	49783	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:37.166451931 CET	17387	49783	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:37.673435926 CET	49783	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:37.877624989 CET	17387	49783	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:38.392875910 CET	49783	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:38.597028017 CET	17387	49783	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:39.110893011 CET	49783	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:39.315748930 CET	17387	49783	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:39.829629898 CET	49783	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:40.033857107 CET	17387	49783	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:40.268909931 CET	49784	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:40.470607042 CET	17387	49784	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:40.971462965 CET	49784	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:41.172988892 CET	17387	49784	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:41.689007044 CET	49784	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:41.890573978 CET	17387	49784	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:42.392119884 CET	49784	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:42.593415022 CET	17387	49784	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:43.095243931 CET	49784	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:43.296634912 CET	17387	49784	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:43.519356966 CET	49785	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:43.720329046 CET	17387	49785	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:44.220256090 CET	49785	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:44.421288967 CET	17387	49785	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:44.923588037 CET	49785	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:45.124808073 CET	17387	49785	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:45.626547098 CET	49785	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:45.827615976 CET	17387	49785	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:46.345215082 CET	49785	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:46.546237946 CET	17387	49785	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:47.052879095 CET	49786	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:47.254530907 CET	17387	49786	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:47.767122984 CET	49786	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:47.968853951 CET	17387	49786	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:48.470285892 CET	49786	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:48.672122002 CET	17387	49786	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:49.173388004 CET	49786	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:49.375302076 CET	17387	49786	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:49.876676083 CET	49786	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:50.078453064 CET	17387	49786	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:50.270226955 CET	49787	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:50.472978115 CET	17387	49787	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:50.986011028 CET	49787	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:51.188870907 CET	17387	49787	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:51.704674006 CET	49787	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:51.907336950 CET	17387	49787	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:52.407718897 CET	49787	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:52.610443115 CET	17387	49787	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:53.110857010 CET	49787	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:53.313384056 CET	17387	49787	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:53.498095989 CET	49788	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:53.699814081 CET	17387	49788	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:54.204582930 CET	49788	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:54.406153917 CET	17387	49788	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:54.907711029 CET	49788	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:55.109282017 CET	17387	49788	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:55.610872030 CET	49788	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:55.812469959 CET	17387	49788	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:56.313990116 CET	49788	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:56.515527010 CET	17387	49788	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:56.675440073 CET	49789	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:56.876529932 CET	17387	49789	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:57.376470089 CET	49789	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:57.577590942 CET	17387	49789	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:58.079575062 CET	49789	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:58.280482054 CET	17387	49789	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:58.782682896 CET	49789	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:58.983817101 CET	17387	49789	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:59.485831976 CET	49789	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:44:59.687067032 CET	17387	49789	3.66.38.117	192.168.2.4
Jan 20, 2024 09:44:59.846929073 CET	49790	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:45:00.048918009 CET	17387	49790	3.66.38.117	192.168.2.4
Jan 20, 2024 09:45:00.720195055 CET	49790	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:45:00.922353029 CET	17387	49790	3.66.38.117	192.168.2.4
Jan 20, 2024 09:45:01.517081022 CET	49790	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:45:01.719330072 CET	17387	49790	3.66.38.117	192.168.2.4
Jan 20, 2024 09:45:02.220192909 CET	49790	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:45:02.422441959 CET	17387	49790	3.66.38.117	192.168.2.4
Jan 20, 2024 09:45:03.017060041 CET	49790	17387	192.168.2.4	3.66.38.117
Jan 20, 2024 09:45:03.219079971 CET	17387	49790	3.66.38.117	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 20, 2024 09:41:11.230612040 CET	61653	53	192.168.2.4	1.1.1.1
Jan 20, 2024 09:41:11.351042032 CET	53	61653	1.1.1.1	192.168.2.4
Jan 20, 2024 09:42:13.786719084 CET	63831	53	192.168.2.4	1.1.1.1
Jan 20, 2024 09:42:13.908655882 CET	53	63831	1.1.1.1	192.168.2.4
Jan 20, 2024 09:43:16.628700972 CET	50480	53	192.168.2.4	1.1.1.1
Jan 20, 2024 09:43:16.749082088 CET	53	50480	1.1.1.1	192.168.2.4
Jan 20, 2024 09:44:16.362341881 CET	59254	53	192.168.2.4	1.1.1.1
Jan 20, 2024 09:44:16.482773066 CET	53	59254	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 20, 2024 09:41:11.230612040 CET	192.168.2.4	1.1.1.1	0x4fc2	Standard query (0)	6.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Jan 20, 2024 09:42:13.786719084 CET	192.168.2.4	1.1.1.1	0x631d	Standard query (0)	6.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Jan 20, 2024 09:43:16.628700972 CET	192.168.2.4	1.1.1.1	0xcb84	Standard query (0)	6.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Jan 20, 2024 09:44:16.362341881 CET	192.168.2.4	1.1.1.1	0xc05	Standard query (0)	6.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 20, 2024 09:41:11.351042032 CET	1.1.1.1	192.168.2.4	0x4fc2	No error (0)	6.tcp.eu.ngrok.io	3.66.38.117	A (IP address)	IN (0x0001)	false
Jan 20, 2024 09:42:13.908655882 CET	1.1.1.1	192.168.2.4	0x631d	No error (0)	6.tcp.eu.ngrok.io	52.28.247.255	A (IP address)	IN (0x0001)	false
Jan 20, 2024 09:43:16.749082088 CET	1.1.1.1	192.168.2.4	0xcb84	No error (0)	6.tcp.eu.ngrok.io	3.69.157.220	A (IP address)	IN (0x0001)	false
Jan 20, 2024 09:44:16.482773066 CET	1.1.1.1	192.168.2.4	0xc05	No error (0)	6.tcp.eu.ngrok.io	3.66.38.117	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	09:40:54
Start date:	20/01/2024
Path:	C:\Users\user\Desktop\1.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\1.exe
Imagebase:	0x680000
File size:	37'888 bytes
MD5 hash:	0DE31E650BCEA7C72DD79073999A7DC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000000.1633586364.0000000000682000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000000.1633586364.0000000000682000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000000.00000000.1633586364.0000000000682000.00000002.00000001.01000000.00000003.sdmp, Author: Brian Wallace @botnet_hunter
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	09:41:00
Start date:	20/01/2024
Path:	C:\ProgramData\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\svchost.exe"
Imagebase:	0xe70000
File size:	37'888 bytes
MD5 hash:	0DE31E650BCEA7C72DD79073999A7DC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\ProgramData\svchost.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\ProgramData\svchost.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\ProgramData\svchost.exe, Author: Brian Wallace @botnet_hunter Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\ProgramData\svchost.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 79%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	09:41:06
Start date:	20/01/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh firewall add allowedprogram "C:\ProgramData\svchost.exe" "svchost.exe" ENABLE
Imagebase:	0x1560000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:41:06
Start date:	20/01/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:41:18
Start date:	20/01/2024
Path:	C:\ProgramData\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\svchost.exe" ..
Imagebase:	0x660000
File size:	37'888 bytes
MD5 hash:	0DE31E650BCEA7C72DD79073999A7DC1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:41:27
Start date:	20/01/2024
Path:	C:\ProgramData\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\svchost.exe" ..
Imagebase:	0x5d0000
File size:	37'888 bytes
MD5 hash:	0DE31E650BCEA7C72DD79073999A7DC1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:41:35
Start date:	20/01/2024
Path:	C:\ProgramData\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\svchost.exe" ..
Imagebase:	0x530000
File size:	37'888 bytes
MD5 hash:	0DE31E650BCEA7C72DD79073999A7DC1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	37
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 04F80310 Relevance: 3.9, Strings: 3, Instructions: 191
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2l, xrefs: 04F804E9
2l, xrefs: 04F80554
2l, xrefs: 04F8048B

Memory Dump Source

Source File: 00000000.00000002.1702101475.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f80000_1.jbxd

Similarity

API ID:
String ID: 2l$2l$2l
API String ID: 0-1498361692
Opcode ID: 2a2242f2df27336fc11723f1a1dfe8f642644939d582cbb59183ee7a5a89da2f
Instruction ID: 499cf393f1d191a3e7901f723b68007c0d4336d58d5b25a0d4aa98a5f0947a83
Opcode Fuzzy Hash: 2a2242f2df27336fc11723f1a1dfe8f642644939d582cbb59183ee7a5a89da2f
Instruction Fuzzy Hash: D65125327202128FD718AB79C4517BE37E6AF85304B55446EE006DF39ADF39DC0A97A2

Uniqueness

Uniqueness Score: -1.00%

Function 04F803BD Relevance: 3.9, Strings: 3, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2l, xrefs: 04F804E9
2l, xrefs: 04F80554
2l, xrefs: 04F8048B

Memory Dump Source

Source File: 00000000.00000002.1702101475.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f80000_1.jbxd

Similarity

API ID:
String ID: 2l$2l$2l
API String ID: 0-1498361692
Opcode ID: b6beb7efc820bce89d11c704f0c696331b6fc8079f07d123fc3664535220264b
Instruction ID: 37b24e91dd45e8a7328ed7db9ac6789bfbe1d464155c4ec5edd573ee8bc9565b
Opcode Fuzzy Hash: b6beb7efc820bce89d11c704f0c696331b6fc8079f07d123fc3664535220264b
Instruction Fuzzy Hash: FD4103327101128FDB18BB7980657BD32D3AFD5208754406EE006DF796DF29DC0A97A3

Uniqueness

Uniqueness Score: -1.00%

Function 04F80958 Relevance: 3.0, Strings: 2, Instructions: 483
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Ol, xrefs: 04F80EB9
:@k, xrefs: 04F80B23

Memory Dump Source

Source File: 00000000.00000002.1702101475.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f80000_1.jbxd

Similarity

API ID:
String ID: :@k$\Ol
API String ID: 0-2913639173
Opcode ID: 81d99713c3de1e735e7e3e31ef9cb0a0fcaffa68ec2f107dffb4125b3a08077f
Instruction ID: fccdcd75e3fb0a51c44a0eb1f1bf87e66ed7864511855d923623fdd32a3bd771
Opcode Fuzzy Hash: 81d99713c3de1e735e7e3e31ef9cb0a0fcaffa68ec2f107dffb4125b3a08077f
Instruction Fuzzy Hash: 12027032720212CFDB18EB74D4517AE73E2AF88308B154479D406DB7AADF39AC46CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00CCA612 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 00CCA6B9

Memory Dump Source

Source File: 00000000.00000002.1701484414.0000000000CCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cca000_1.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 1eb2103ec6cd452b8951803924f61812f66be4e716daf0b9d340464e73d7d3b2
Instruction ID: 9c51d217e8cd797e1b6b19f2483dc2029bf2d43539f0af53ea559fd735079f3d
Opcode Fuzzy Hash: 1eb2103ec6cd452b8951803924f61812f66be4e716daf0b9d340464e73d7d3b2
Instruction Fuzzy Hash: 853170715093846FE711CB65CC85B96BFF8EF06314F08849AE984CF292D375A909C762

Uniqueness

Uniqueness Score: -1.00%

Function 00CCA361 Relevance: 1.6, APIs: 1, Instructions: 85
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,786378CC,00000000,00000000,00000000,00000000), ref: 00CCA40C

Memory Dump Source

Source File: 00000000.00000002.1701484414.0000000000CCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cca000_1.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 589e45c4d1d8765f15b925f3ce2fc7ca6739e3e61d04853c7370be55f204db0b
Instruction ID: 917833b9fbe729d34825b32aa1d07db42812076cde8e951d0ad69b56105f8bc1
Opcode Fuzzy Hash: 589e45c4d1d8765f15b925f3ce2fc7ca6739e3e61d04853c7370be55f204db0b
Instruction Fuzzy Hash: B631C375505784AFE722CF15CC84F92BBF8EF06314F08849AE985CB292D324E948CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00CCA462 Relevance: 1.6, APIs: 1, Instructions: 77
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegSetValueExW.KERNELBASE(?,00000E24,786378CC,00000000,00000000,00000000,00000000), ref: 00CCA4F8

Memory Dump Source

Source File: 00000000.00000002.1701484414.0000000000CCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cca000_1.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: e748aa9b8d09b1ab7d548f7ce02cabf9029c5f58c38e6e98bee3ecee4fa95238
Instruction ID: c935e5d4bf6240977698965668177af342d90c5bd17e37eab0b79e4ca640d327
Opcode Fuzzy Hash: e748aa9b8d09b1ab7d548f7ce02cabf9029c5f58c38e6e98bee3ecee4fa95238
Instruction Fuzzy Hash: B721AE725047846FD7228B11DC44FA7BFB8EF46214F08859AE985CB692C364E948C772

Uniqueness

Uniqueness Score: -1.00%

Function 00CCA646 Relevance: 1.6, APIs: 1, Instructions: 72
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 00CCA6B9

Memory Dump Source

Source File: 00000000.00000002.1701484414.0000000000CCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cca000_1.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 0101d6531354824694e6a4c2353870c436a31327e899a350c383271ac8a52be0
Instruction ID: 42bbe4ad51df30a7892f4923edfd9423b575c5c1bba723df55531abba7e6086c
Opcode Fuzzy Hash: 0101d6531354824694e6a4c2353870c436a31327e899a350c383271ac8a52be0
Instruction Fuzzy Hash: 0821AF71600244AFE720DB66CD49FA6FBE8EF04314F088469E948CB641D371E909CA76

Uniqueness

Uniqueness Score: -1.00%

Function 00CCAA07 Relevance: 1.6, APIs: 1, Instructions: 72
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 00CCAA86

Memory Dump Source

Source File: 00000000.00000002.1701484414.0000000000CCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cca000_1.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: a27dfcdd6ded956b88231ca0aa6274c7a2051f669f3589b421ac6d348dc8f1b4
Instruction ID: 6f0fb0a7c262d39f887eddc39cd5546a819a110b7e9839ae8c33c2774483bebf
Opcode Fuzzy Hash: a27dfcdd6ded956b88231ca0aa6274c7a2051f669f3589b421ac6d348dc8f1b4
Instruction Fuzzy Hash: 152171B15053849FD711CB25DD45B52BFF8EF06714F0984AAE984CF163D235D908DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00CCA392 Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,786378CC,00000000,00000000,00000000,00000000), ref: 00CCA40C

Memory Dump Source

Source File: 00000000.00000002.1701484414.0000000000CCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cca000_1.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: f6c11ba9efd666cff2430003c0ff2289d1bd594ccb14bff21ec5c87c02fbab5e
Instruction ID: 19093f53d11d1c1924b71989f5959b7fd1c062250946c28675765463aadffe0a
Opcode Fuzzy Hash: f6c11ba9efd666cff2430003c0ff2289d1bd594ccb14bff21ec5c87c02fbab5e
Instruction Fuzzy Hash: D9219D75600608AFE720CF16CC88FA6F7ECEF04714F08846AE945CB691D360E949CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 00CCA486 Relevance: 1.6, APIs: 1, Instructions: 65
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegSetValueExW.KERNELBASE(?,00000E24,786378CC,00000000,00000000,00000000,00000000), ref: 00CCA4F8

Memory Dump Source

Source File: 00000000.00000002.1701484414.0000000000CCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cca000_1.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: df1db4f412e62e55faebc642ab7911ff77ffd899ea9a49c8e74e0585c44696a3
Instruction ID: c048973c0b13b0af6e1783eacd972d0d481a1f525c4b0573f727362bde61fa41
Opcode Fuzzy Hash: df1db4f412e62e55faebc642ab7911ff77ffd899ea9a49c8e74e0585c44696a3
Instruction Fuzzy Hash: BE11D372600604AFE721CE15DC49FA7FBECEF14718F08855AED45CA641D370E948CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 00CCA2D2 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(?), ref: 00CCA330

Memory Dump Source

Source File: 00000000.00000002.1701484414.0000000000CCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cca000_1.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 7e0fd1fc5835307f59e2812e82043e499fc94e8c2dbb98c19160148d37d65a48
Instruction ID: a281bd8856cfe367f1eafa1ba8548c6ad2856042f0081af27c46e644efdbd4c5
Opcode Fuzzy Hash: 7e0fd1fc5835307f59e2812e82043e499fc94e8c2dbb98c19160148d37d65a48
Instruction Fuzzy Hash: 3B212C7150E3C45FD7138B25DC59A62BFB49F47624F0D80DBDD848F1A3C265A808DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00CCAC24 Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32(?), ref: 00CCAC80

Memory Dump Source

Source File: 00000000.00000002.1701484414.0000000000CCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cca000_1.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: c16fc65f94ef1a9fc83889d9bc57227bc970293ef3542dfc60f7eecfb3d2bebd
Instruction ID: 6007ffe9b86c1a3dc73375f5532da89902c76cb43c127b83150599a685e7b4da
Opcode Fuzzy Hash: c16fc65f94ef1a9fc83889d9bc57227bc970293ef3542dfc60f7eecfb3d2bebd
Instruction Fuzzy Hash: 23119071A093849FD712CB25DC84B52BFF8DF46224F0884EAED85CF652D275E908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00CCA8A4 Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 00CCA903

Memory Dump Source

Source File: 00000000.00000002.1701484414.0000000000CCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cca000_1.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 6ccda62a843bc0b4d61ab8da024914bd625c90ad78f13fae0b1fd1810f461bfe
Instruction ID: 94786f57783b2ce8fa34ed6735c9925b4d4cc001f3ac80fc94ce15acc5bc69dc
Opcode Fuzzy Hash: 6ccda62a843bc0b4d61ab8da024914bd625c90ad78f13fae0b1fd1810f461bfe
Instruction Fuzzy Hash: DF1190716053849FDB11CF25DC85B56BFE8EF46220F0984AEED85CB652D234E948CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00CCAA3E Relevance: 1.6, APIs: 1, Instructions: 53
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 00CCAA86

Memory Dump Source

Source File: 00000000.00000002.1701484414.0000000000CCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cca000_1.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 387c779904dbf28a6339d6eab918d19f0a34d907ee3d0c1cd6e1f98c98785517
Instruction ID: 4c50a464d17c5da0206d316eb0dcde3a81d1c95706ae11fefb384030260743d8
Opcode Fuzzy Hash: 387c779904dbf28a6339d6eab918d19f0a34d907ee3d0c1cd6e1f98c98785517
Instruction Fuzzy Hash: A611A171A002049FEB50CF26D989B66FBE8EF15724F08846EDD49CB752D235E904DF62

Uniqueness

Uniqueness Score: -1.00%

Function 00CCA8C6 Relevance: 1.5, APIs: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 00CCA903

Memory Dump Source

Source File: 00000000.00000002.1701484414.0000000000CCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cca000_1.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 93ff8a32a9527a1fc6989465c986852db3995413a5c48924167d69a663ad6954
Instruction ID: 95735b3580f3d3bbb67570d3c258b41175d5983667ea3f592c73a44276f7724d
Opcode Fuzzy Hash: 93ff8a32a9527a1fc6989465c986852db3995413a5c48924167d69a663ad6954
Instruction Fuzzy Hash: 03019271A002059FEB10CF25DC89B66FBE8EF15724F0884AEDD45CB742D275D944CA62

Uniqueness

Uniqueness Score: -1.00%

Function 00CCAC46 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 00CCAC80

Memory Dump Source

Source File: 00000000.00000002.1701484414.0000000000CCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cca000_1.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: 0ff2edfb1e4ef3e042f087f713d72be54f4561c67da1e22ca8a2e3ca25c63873
Instruction ID: 9378421e448e06a39c6b55b2a7c6394df5a4bcb07b0d0097909cddfa34afa45e
Opcode Fuzzy Hash: 0ff2edfb1e4ef3e042f087f713d72be54f4561c67da1e22ca8a2e3ca25c63873
Instruction Fuzzy Hash: F2018071A042049FDB10CF26D889B66FBE8DF05724F08C4AADD49CF652D376E908CA62

Uniqueness

Uniqueness Score: -1.00%

Function 00CCA2FE Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00CCA330

Memory Dump Source

Source File: 00000000.00000002.1701484414.0000000000CCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cca000_1.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 80b679c323b713ee023664aacdaf578be06b9adb1fa312774bb855c21400e296
Instruction ID: 2f24824029beee714238a5737f3afcdf97f6b1c4556f3c34b15a1f8a8c5ebb5c
Opcode Fuzzy Hash: 80b679c323b713ee023664aacdaf578be06b9adb1fa312774bb855c21400e296
Instruction Fuzzy Hash: 58F081359042489FDB108F05D889B65FBE4EF15724F0CC0AADD494F762D275E508CAA3

Uniqueness

Uniqueness Score: -1.00%

Function 04F80080 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1702101475.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f80000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b756ae72ea463062d07e2045fa23cfb847c1de3510b6a3c0c7097a26b9102a4
Instruction ID: e631dc7f4ed5a61b1b23cfc8f7d114e3642049369ff47751e26dd023059f9062
Opcode Fuzzy Hash: 3b756ae72ea463062d07e2045fa23cfb847c1de3510b6a3c0c7097a26b9102a4
Instruction Fuzzy Hash: 38514032235657CBDB04FB34E59598A77B2BFA1308350896AE0448B36FDF349D19DB82

Uniqueness

Uniqueness Score: -1.00%

Function 04F80006 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1702101475.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f80000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03945e7731a242fa78178ea85052f5c8600501ff27fd52254e73ed0173ecab75
Instruction ID: 3f7a1b02996f1aa983221c9b34403ea120e828a0d3cf089f394a0b38dac5cf95
Opcode Fuzzy Hash: 03945e7731a242fa78178ea85052f5c8600501ff27fd52254e73ed0173ecab75
Instruction Fuzzy Hash: 2A0104A681E7C09FD74347345CAA5913F71AE631157AB04C7C4C1CA1A3E91D690BD732

Uniqueness

Uniqueness Score: -1.00%

Function 04F80878 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1702101475.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f80000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5ef914b9554f30a11cd4957a3062391ac85d39fa6ee5e8b2c80f03218226a35
Instruction ID: d3998413c344d7a48ef319c95ea50a16745a5dd713ce213ca7999edfb7d8c22e
Opcode Fuzzy Hash: f5ef914b9554f30a11cd4957a3062391ac85d39fa6ee5e8b2c80f03218226a35
Instruction Fuzzy Hash: 171127746143438FCB00AB74D5998A9BBB1EF85308B04895EE486CB35AEB369819DB53

Uniqueness

Uniqueness Score: -1.00%

Function 012D05E0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701938228.00000000012D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12d0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95fe72cf2f6a3ca0e7acced1bee9c3bd2521f022a361fcfbc5f545bf0574f521
Instruction ID: 4580dbe755a568629a3bc278f60da43215e05ab88f9cd91b130fea70bb5b880a
Opcode Fuzzy Hash: 95fe72cf2f6a3ca0e7acced1bee9c3bd2521f022a361fcfbc5f545bf0574f521
Instruction Fuzzy Hash: E701DBB65083906FD7018F05AC408A3FFF8EF86630709C0ABEC498B612D235A905C762

Uniqueness

Uniqueness Score: -1.00%

Function 012D0606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701938228.00000000012D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12d0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5018f4ba6004ea4407710244e10b9970720371a3aac1907a9f225507e3289e9a
Instruction ID: e856f788d310c8a67f2ff7a22043ab8e0cf96eee19e8f8966c3c894d8ac0a109
Opcode Fuzzy Hash: 5018f4ba6004ea4407710244e10b9970720371a3aac1907a9f225507e3289e9a
Instruction Fuzzy Hash: 77E092B6A006005B9750DF0AFC41452F7D8EB84630708C17FDC0D8BB01D235F508CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 00CC23F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701465684.0000000000CC2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc2000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a47c620f05885c26e7d7dc1adccb03da28ea13ad0ecac0841aa92a5dbb283c6
Instruction ID: c03a6ea7cb7f8631c706b2d5fe572f1e97708942bd37ee04f6ad1ce541e74963
Opcode Fuzzy Hash: 5a47c620f05885c26e7d7dc1adccb03da28ea13ad0ecac0841aa92a5dbb283c6
Instruction Fuzzy Hash: 09D05E7A2056C14FD31ADA1CC1A4F9537E8AB61714F4A44FDE800CB763C768DA81E600

Uniqueness

Uniqueness Score: -1.00%

Function 00CC23BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701465684.0000000000CC2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc2000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 186fa849ae1721b4b4bd64c3d58ec93e310cf6d56329a4ef20994b7d4c86b0d6
Instruction ID: 76e4129d01d2a6d1be29bc03d754df1f85fcdd68969f59a378a689e3e604dfff
Opcode Fuzzy Hash: 186fa849ae1721b4b4bd64c3d58ec93e310cf6d56329a4ef20994b7d4c86b0d6
Instruction Fuzzy Hash: A3D05E343002C14BC715DA0CC6D4F5937D8AB50B14F1A44ECAC208B772C7A8D9C1CA00

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: svchost.exePID: 7580, Parent PID: 7480COMMON

Execution Graph

Execution Coverage:	24.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	10.6%
Total number of Nodes:	188
Total number of Limit Nodes:	7

Executed Functions

Function 0342BB6B Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0342BBEB

Memory Dump Source

Source File: 00000001.00000002.4100505157.000000000342A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_342a000_svchost.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: d40c89efe91de0db51ed0bf8ce3bedc68a6bed9d8bafdfc614ed2968e8223117
Instruction ID: 19ec3d0d124b42c1077855e6aa9a95a3ea68953fe8b2a8ea450114a3b4f130f0
Opcode Fuzzy Hash: d40c89efe91de0db51ed0bf8ce3bedc68a6bed9d8bafdfc614ed2968e8223117
Instruction Fuzzy Hash: 88219F755097809FDB22CF25DC44B62BFF8EF06210F0884DBE9858F663D2759918DB62

Uniqueness

Uniqueness Score: -1.00%

Function 061C0187 Relevance: 1.6, APIs: 1, Instructions: 64nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 061C01FD

Memory Dump Source

Source File: 00000001.00000002.4104664583.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_61c0000_svchost.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 552de67f0b6860e77e8c746559fdf1a2cccb4222acf87a49b3de9e5a38cb4278
Instruction ID: cfbe65a02559d7ab19888b5b912af0db0d469426557eeb9f3397ce55513e8b2f
Opcode Fuzzy Hash: 552de67f0b6860e77e8c746559fdf1a2cccb4222acf87a49b3de9e5a38cb4278
Instruction Fuzzy Hash: 0F21AE754097C0AFDB238B21DC55A52FFB0EF17224F0984DBE9844B1A3D265A90DDB62

Uniqueness

Uniqueness Score: -1.00%

Function 0342BBA2 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0342BBEB

Memory Dump Source

Source File: 00000001.00000002.4100505157.000000000342A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_342a000_svchost.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 062401eda9407defd3e0cd07fc94bed3964b2222e2b57ebd9dd0bad86389b551
Instruction ID: 05155c383761368de348fb0b6ea8aa40c0aded177b1d15431126b18b5d026248
Opcode Fuzzy Hash: 062401eda9407defd3e0cd07fc94bed3964b2222e2b57ebd9dd0bad86389b551
Instruction Fuzzy Hash: E0119E716006009FDB20CF16D884B62FFE8EF08220F0888AAED458F652D735E418DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0342BED0 Relevance: 1.6, APIs: 1, Instructions: 50nativeCOMMON

Download Yara Rule

APIs

NtSetInformationProcess.NTDLL ref: 0342BF2D

Memory Dump Source

Source File: 00000001.00000002.4100505157.000000000342A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_342a000_svchost.jbxd

Similarity

API ID: InformationProcess
String ID:
API String ID: 1801817001-0
Opcode ID: fcce1bb8a59a95bf63ffb7de4d238ad80757138637708961afbddb0bee88abfb
Instruction ID: 4cf3571422d91ab5d649d00e8c8a7764aa9aefa98c06438d3ea7aa20bae00f31
Opcode Fuzzy Hash: fcce1bb8a59a95bf63ffb7de4d238ad80757138637708961afbddb0bee88abfb
Instruction Fuzzy Hash: C611A3714097809FCB228F11DC45B52FFF4EF46210F09C49AED844B662C275A818DB62

Uniqueness

Uniqueness Score: -1.00%

Function 061C01C2 Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 061C01FD

Memory Dump Source

Source File: 00000001.00000002.4104664583.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_61c0000_svchost.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 21efb05e70cfab981531a712d5e0492231212da33c087391721d79a0cf3ee62c
Instruction ID: 4197db73d7cc0672cf9200e6a0c34ed3d167d3f37223466dca8528931d3deed5
Opcode Fuzzy Hash: 21efb05e70cfab981531a712d5e0492231212da33c087391721d79a0cf3ee62c
Instruction Fuzzy Hash: 43018B75900600DFEB608F55E885B66FBE0EF29625F08C49EDE490B752C376E418DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0342BEF2 Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtSetInformationProcess.NTDLL ref: 0342BF2D

Memory Dump Source

Source File: 00000001.00000002.4100505157.000000000342A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_342a000_svchost.jbxd

Similarity

API ID: InformationProcess
String ID:
API String ID: 1801817001-0
Opcode ID: 725721ad1bf34509fee34a36343a5cc8e69850a7cb6281c509f96da8ea37d57d
Instruction ID: 714b8ae02ea768b86f53dca18039a8cadd878c6208492ae05b3d25a99ee9824b
Opcode Fuzzy Hash: 725721ad1bf34509fee34a36343a5cc8e69850a7cb6281c509f96da8ea37d57d
Instruction Fuzzy Hash: 370178359006409FDB20CF45D885B62FFE4EF19620F08C49ADE898A752C375E418DF66

Uniqueness

Uniqueness Score: -1.00%

Function 05D20310 Relevance: 7.7, Strings: 6, Instructions: 188
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2l, xrefs: 05D204E9
2l, xrefs: 05D2048B
[Xi^, xrefs: 05D20545, 05D2054A
2l, xrefs: 05D20554
-[Xi^, xrefs: 05D204DA, 05D204DF
=[Xi^, xrefs: 05D20477, 05D2047C

Memory Dump Source

Source File: 00000001.00000002.4104311908.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5d20000_svchost.jbxd

Similarity

API ID:
String ID: [Xi^$-[Xi^$2l$2l$2l$=[Xi^
API String ID: 0-1715069125
Opcode ID: b25dc769c62bb4803285a1648e0b4513513331fd8cd745a3b9ca12562e3fdd1a
Instruction ID: 36d407bb02419c30768668b0e01f19225e81a19521ea4971ad3e22c0b670ac33
Opcode Fuzzy Hash: b25dc769c62bb4803285a1648e0b4513513331fd8cd745a3b9ca12562e3fdd1a
Instruction Fuzzy Hash: 09510F34B042258FC708EB3994586BE76E3ABD9208B44456BE406EF394DF39CC4687B6

Uniqueness

Uniqueness Score: -1.00%

Function 05D203BD Relevance: 7.6, Strings: 6, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2l, xrefs: 05D204E9
2l, xrefs: 05D2048B
[Xi^, xrefs: 05D20545, 05D2054A
2l, xrefs: 05D20554
-[Xi^, xrefs: 05D204DA, 05D204DF
=[Xi^, xrefs: 05D20477, 05D2047C

Memory Dump Source

Source File: 00000001.00000002.4104311908.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5d20000_svchost.jbxd

Similarity

API ID:
String ID: [Xi^$-[Xi^$2l$2l$2l$=[Xi^
API String ID: 0-1715069125
Opcode ID: a7426e457ceed596ca87bbc36f964600f2969019c58661e25e88cb2da8264f49
Instruction ID: 034fec02137f81f5151088c0fd4a8a4506807735525f0cf10481548f19c96557
Opcode Fuzzy Hash: a7426e457ceed596ca87bbc36f964600f2969019c58661e25e88cb2da8264f49
Instruction Fuzzy Hash: 2741DF34B001258BC748EB7980586BE36D3AFD9208744456AD406EF7A4DF68CC0697BB

Uniqueness

Uniqueness Score: -1.00%

Function 05D21929 Relevance: 4.1, Strings: 3, Instructions: 334
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

:@k, xrefs: 05D21BAF
\Ol, xrefs: 05D21AA4
:@k, xrefs: 05D21BC0

Memory Dump Source

Source File: 00000001.00000002.4104311908.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5d20000_svchost.jbxd

Similarity

API ID:
String ID: :@k$:@k$\Ol
API String ID: 0-3451677246
Opcode ID: ecfb15d00ac9121068842a6bd72fafed200bc42bcd22f202272fdac1b088cdf5
Instruction ID: 5a3baaca69094eb2e9bf4b7d5069e8d3b1c07a9bea8ee79831e9331a4ef1f565
Opcode Fuzzy Hash: ecfb15d00ac9121068842a6bd72fafed200bc42bcd22f202272fdac1b088cdf5
Instruction Fuzzy Hash: 9CC15B38B041508BDB089B79E9557BA37E7FBE8248F10802BD4469B794CB39CC46DB72

Uniqueness

Uniqueness Score: -1.00%

Function 05D21999 Relevance: 4.0, Strings: 3, Instructions: 280
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

:@k, xrefs: 05D21BAF
\Ol, xrefs: 05D21AA4
:@k, xrefs: 05D21BC0

Memory Dump Source

Source File: 00000001.00000002.4104311908.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5d20000_svchost.jbxd

Similarity

API ID:
String ID: :@k$:@k$\Ol
API String ID: 0-3451677246
Opcode ID: ba2fe54209289c37a69a0f229b818782bf8be41a8dad422c5aa039782393509d
Instruction ID: f3ef4e039cb2643f0abd26b87ad0f0e5a82693c33d0ee32a55606217e48cd3d3
Opcode Fuzzy Hash: ba2fe54209289c37a69a0f229b818782bf8be41a8dad422c5aa039782393509d
Instruction Fuzzy Hash: D5A15D387041608BDB18AB79D8157BA36E7FBE824CF20802B94469B794CF78CC46D772

Uniqueness

Uniqueness Score: -1.00%

Function 05D219B7 Relevance: 4.0, Strings: 3, Instructions: 277
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

:@k, xrefs: 05D21BAF
\Ol, xrefs: 05D21AA4
:@k, xrefs: 05D21BC0

Memory Dump Source

Source File: 00000001.00000002.4104311908.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5d20000_svchost.jbxd

Similarity

API ID:
String ID: :@k$:@k$\Ol
API String ID: 0-3451677246
Opcode ID: d2b4c4b16e5938fdf4400398366ac81c9fa91533e3334a26898a60847c6eb3f5
Instruction ID: f769b3a3bf789e2f5dad378382c707374987caeebc026db68750a5f0c7137446
Opcode Fuzzy Hash: d2b4c4b16e5938fdf4400398366ac81c9fa91533e3334a26898a60847c6eb3f5
Instruction Fuzzy Hash: 39A15E787041608BDB19AB79D8157BA36E7FBE824CF20802B94469B794CF78CC46D772

Uniqueness

Uniqueness Score: -1.00%

Function 05D219CA Relevance: 4.0, Strings: 3, Instructions: 276
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

:@k, xrefs: 05D21BAF
\Ol, xrefs: 05D21AA4
:@k, xrefs: 05D21BC0

Memory Dump Source

Source File: 00000001.00000002.4104311908.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5d20000_svchost.jbxd

Similarity

API ID:
String ID: :@k$:@k$\Ol
API String ID: 0-3451677246
Opcode ID: 00c8ebcea21ad3602a2c3da521453ade1cc9350032644de0b5c288fe5673f4a0
Instruction ID: 0b0d4c506752b695184e3ddd3fe74d846a4d34ea69b4db7f007c79c8efcfd5f4
Opcode Fuzzy Hash: 00c8ebcea21ad3602a2c3da521453ade1cc9350032644de0b5c288fe5673f4a0
Instruction Fuzzy Hash: 37A15F787041508BDB19AB79D8157BA36E7FBE824CF20802B94469B794CF78CC46D772

Uniqueness

Uniqueness Score: -1.00%

Function 05D20958 Relevance: 3.0, Strings: 2, Instructions: 483
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

:@k, xrefs: 05D20B23
\Ol, xrefs: 05D20EB9

Memory Dump Source

Source File: 00000001.00000002.4104311908.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5d20000_svchost.jbxd

Similarity

API ID:
String ID: :@k$\Ol
API String ID: 0-2913639173
Opcode ID: 83a55e445c26fa08f88562b0e00fa7facac12e4917cea2655025161ccfd8148e
Instruction ID: 289df15f3bea1fdbd82289eac15f0ee576fb794f61cfbeac88583e89234a7aa7
Opcode Fuzzy Hash: 83a55e445c26fa08f88562b0e00fa7facac12e4917cea2655025161ccfd8148e
Instruction Fuzzy Hash: 3E025D34B002159FDB18EB78D455AAE77E2FFC8208B14846AD406DB7A4DF399C86CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05D20509 Relevance: 2.6, Strings: 2, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

[Xi^, xrefs: 05D20545, 05D2054A
2l, xrefs: 05D20554

Memory Dump Source

Source File: 00000001.00000002.4104311908.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5d20000_svchost.jbxd

Similarity

API ID:
String ID: [Xi^$2l
API String ID: 0-3711275875
Opcode ID: 29b36829241237b9efc9e8a8b3e4d791e850638e3369e325845498b1ed50f924
Instruction ID: 5b05a272e79c1b8e9003ef796a5bc2cc302b38797a1da2504f58e365925fbe9f
Opcode Fuzzy Hash: 29b36829241237b9efc9e8a8b3e4d791e850638e3369e325845498b1ed50f924
Instruction Fuzzy Hash: 8101FC24B041218B8B89FB7A046837E29D35FDA108308442FD00AFF795DF28CC0197EB

Uniqueness

Uniqueness Score: -1.00%

Function 05D21ECF Relevance: 1.6, Strings: 1, Instructions: 387
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

L.l, xrefs: 05D21F3B

Memory Dump Source

Source File: 00000001.00000002.4104311908.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5d20000_svchost.jbxd

Similarity

API ID:
String ID: L.l
API String ID: 0-1469302089
Opcode ID: 83543457c3ad8a6055dacb6b4c5040415db8d86f946d793a56fa1fe1ed54be69
Instruction ID: cd4cdfb3d0d21f70a3c6760b869f914153ba9908d7c67b7854d90a62dcedfacf
Opcode Fuzzy Hash: 83543457c3ad8a6055dacb6b4c5040415db8d86f946d793a56fa1fe1ed54be69
Instruction Fuzzy Hash: 14D19D34B012118FDB18EB75C580BAE77E2AF98308F14847AE556DB790EB38DC46CB61

Uniqueness

Uniqueness Score: -1.00%

Function 061C0D6B Relevance: 1.6, APIs: 1, Instructions: 98
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 061C0E32

Memory Dump Source

Source File: 00000001.00000002.4104664583.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_61c0000_svchost.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 53815cc674150af30dfa5ff3a8f047de5194b60f3844bb5dabbe4576eb68c7f2
Instruction ID: 0ea5ab9e08fb9df64d5bfa6db797262e2b1fe19bdffb29f2d62f13a4ed12b11b
Opcode Fuzzy Hash: 53815cc674150af30dfa5ff3a8f047de5194b60f3844bb5dabbe4576eb68c7f2
Instruction Fuzzy Hash: 09316D6550E3C0AFD3138B358C61A61BFB4EF47610B0E45CBE8C48F6A3D2296909D7B2

Uniqueness

Uniqueness Score: -1.00%

Function 061C1FA8 Relevance: 1.6, APIs: 1, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E24,A3B420CB,00000000,00000000,00000000,00000000), ref: 061C2057

Memory Dump Source

Source File: 00000001.00000002.4104664583.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_61c0000_svchost.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 3196d52242bd0edc9e001870a9edd88d6fd159f0b629773f157149eec2dbc05f
Instruction ID: 360517cea6f9778c780efb1436bc14c7363d2ef486b4889f6506c2c7036112d4
Opcode Fuzzy Hash: 3196d52242bd0edc9e001870a9edd88d6fd159f0b629773f157149eec2dbc05f
Instruction Fuzzy Hash: FE317A715093C05FE7138B658C65B96BFB8DF47210F0984DBE984CF1A3D6249909C772

Uniqueness

Uniqueness Score: -1.00%

Function 061C1998 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32(?,00000E24), ref: 061C1A5F

Memory Dump Source

Source File: 00000001.00000002.4104664583.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_61c0000_svchost.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 3646e943edf989581ab39a92bc737804db2cc70f9ab0775b9aa75468b1b7b6f5
Instruction ID: 895178e003117cc8f2f7ae104b43e10564584506c90ef67e121977ea48f190ce
Opcode Fuzzy Hash: 3646e943edf989581ab39a92bc737804db2cc70f9ab0775b9aa75468b1b7b6f5
Instruction Fuzzy Hash: ED31D1B1500340AFE721CB51CD85FA6FBACEB44310F04489AFA489B292D374A94CCB75

Uniqueness

Uniqueness Score: -1.00%

Function 061C1890 Relevance: 1.6, APIs: 1, Instructions: 91
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessTimes.KERNELBASE(?,00000E24,A3B420CB,00000000,00000000,00000000,00000000), ref: 061C192D

Memory Dump Source

Source File: 00000001.00000002.4104664583.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_61c0000_svchost.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 92787114d23267ad8f04aade0e7ecb7b812058565f0ea512340a5bd8ec750575
Instruction ID: 3c0c3d60d0d3d40eddaba2cdc840d0b069f83880582048e9c579814d23ae7921
Opcode Fuzzy Hash: 92787114d23267ad8f04aade0e7ecb7b812058565f0ea512340a5bd8ec750575
Instruction Fuzzy Hash: 4631F7725093806FE7128F21DC55B96BFB8EF06320F08849BE984CB153D3259949C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 061C218E Relevance: 1.6, APIs: 1, Instructions: 91
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FormatMessageW.KERNELBASE(?,00000E24,?,?), ref: 061C2246

Memory Dump Source

Source File: 00000001.00000002.4104664583.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_61c0000_svchost.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: a9bb882fda1b88fdf45604a7429eab953842d93dda71704eb31c18b2307c9002
Instruction ID: 4f65fe52ca1b50789bd8eb143e0ee1bbe3b7f906ec017b935c588ee5316cc704
Opcode Fuzzy Hash: a9bb882fda1b88fdf45604a7429eab953842d93dda71704eb31c18b2307c9002
Instruction Fuzzy Hash: 1C318FB150D3C45FD7038B218C61A62BFB4EF47610F0A84CBD884DF6A3D6246909D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0342AB1E Relevance: 1.6, APIs: 1, Instructions: 91
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0342ABD1

Memory Dump Source

Source File: 00000001.00000002.4100505157.000000000342A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_342a000_svchost.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: ea0c14f73a9bcd953f5d38a001999003c02c82ea6da5a0c5ecae146aaed4c5f0
Instruction ID: b014e1623f3047a850e4fa331666fa0fc27afc196780316a94e94136c83a082c
Opcode Fuzzy Hash: ea0c14f73a9bcd953f5d38a001999003c02c82ea6da5a0c5ecae146aaed4c5f0
Instruction Fuzzy Hash: 6831B3715093846FE7228B65CC84FA7BFBCEF06210F08849BE984CB252D324A94CC775

Uniqueness

Uniqueness Score: -1.00%

Function 061C1284 Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 061C131B

Memory Dump Source

Source File: 00000001.00000002.4104664583.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_61c0000_svchost.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 0e2f3ba4d3364bb1e21322d87f0ea8d3f754cfd36b312d7e350de314d8138ec0
Instruction ID: 53c62e8b88229fb0fde9694c371bc1955c16ca3c7d9755022ca35322779774d8
Opcode Fuzzy Hash: 0e2f3ba4d3364bb1e21322d87f0ea8d3f754cfd36b312d7e350de314d8138ec0
Instruction Fuzzy Hash: 0631C3715043446FE721CB65DC45FABBBF8EF05224F08849AF944CB652D324E948CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0342BDD8 Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E24,A3B420CB,00000000,00000000,00000000,00000000), ref: 0342BE6C

Memory Dump Source

Source File: 00000001.00000002.4100505157.000000000342A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_342a000_svchost.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: eb46d2d1b2806a8a1ada99408d75e0f1cbe801ef1e6cf44533a47b413c6b9ce4
Instruction ID: 87cbbe0191e0cec554293d19ef270a33dc6b72288e5247128131e24c5e503d34
Opcode Fuzzy Hash: eb46d2d1b2806a8a1ada99408d75e0f1cbe801ef1e6cf44533a47b413c6b9ce4
Instruction Fuzzy Hash: EC21E4B15093805FE7128B25DC55BA6BFB8EF47320F0884DBE984DF293D264A909C765

Uniqueness

Uniqueness Score: -1.00%

Function 0342A612 Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0342A6B9

Memory Dump Source

Source File: 00000001.00000002.4100505157.000000000342A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_342a000_svchost.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 6d31e90742348f2fb134637e927399da6a2c73e82bc039248ce93dcd195f3c02
Instruction ID: 59d889686b41489aef45a2e0666516a8faca6cb21c73827807ba999d7bbeb376
Opcode Fuzzy Hash: 6d31e90742348f2fb134637e927399da6a2c73e82bc039248ce93dcd195f3c02
Instruction Fuzzy Hash: 6E3190B15097805FE711CB65CC85B96FFF8EF06210F08849AE984CF292D365E909C765

Uniqueness

Uniqueness Score: -1.00%

Function 0342AE79 Relevance: 1.6, APIs: 1, Instructions: 86fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0342AF1D

Memory Dump Source

Source File: 00000001.00000002.4100505157.000000000342A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_342a000_svchost.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 0262431be6beed0997b952414485d90a2d82e36e8f77e4ae6cc7a128f74d9904
Instruction ID: 66de16e0536fe3f34eb32535415ba8001e852604f9924e667bdee06795633a04
Opcode Fuzzy Hash: 0262431be6beed0997b952414485d90a2d82e36e8f77e4ae6cc7a128f74d9904
Instruction Fuzzy Hash: A431AFB1504340AFE721CF65CC85FA2FBF8EF09210F08849EE9899B652D375E508CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0342A361 Relevance: 1.6, APIs: 1, Instructions: 85registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,A3B420CB,00000000,00000000,00000000,00000000), ref: 0342A40C

Memory Dump Source

Source File: 00000001.00000002.4100505157.000000000342A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_342a000_svchost.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 6b977bc35b5b34f7f9108cdc5f0967943772d774e8a82fe43eb8d3e02f301f6f
Instruction ID: 8c4bb188c3a6c9c7e20f31ddab9efaa7d5938ea2d2ce163a9029425733dbe1b5
Opcode Fuzzy Hash: 6b977bc35b5b34f7f9108cdc5f0967943772d774e8a82fe43eb8d3e02f301f6f
Instruction Fuzzy Hash: A0317C75505780AFE722CB15CC84F93FFF8EF06210F08849AE985DB292D324E949CB65

Uniqueness

Uniqueness Score: -1.00%

Function 061C19BA Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E24), ref: 061C1A5F

Memory Dump Source

Source File: 00000001.00000002.4104664583.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_61c0000_svchost.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: af93504a4c695b9f30471d100500942c8f55332d4d261c281335d695f735e883
Instruction ID: 83274adfb7c8d34dd5bafa5a0eca2b2cda53a749bd6c94af726a7398c130edd6
Opcode Fuzzy Hash: af93504a4c695b9f30471d100500942c8f55332d4d261c281335d695f735e883
Instruction Fuzzy Hash: 3D21BF71500204AEEB20DB51CD85FAAF7ACEB44724F04885AFA499A681D774E54C8BB5

Uniqueness

Uniqueness Score: -1.00%

Function 0342A120 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

EnumWindows.USER32(?,00000E24,?,?), ref: 0342A1C2

Memory Dump Source

Source File: 00000001.00000002.4100505157.000000000342A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_342a000_svchost.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: c930fc8e8cfb79310e6579cfd474b138b58010dd2d266c17cc90565f5536f616
Instruction ID: 24bc14366a9530c1832a141f30d8ab27619e43ac54f41e81f72730a8e5052047
Opcode Fuzzy Hash: c930fc8e8cfb79310e6579cfd474b138b58010dd2d266c17cc90565f5536f616
Instruction Fuzzy Hash: 7121A37150D3C05FD3028B258C61BA6BFB4EF87610F1985DBD8C4DF6A3D225A919C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0342AF74 Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,A3B420CB,00000000,00000000,00000000,00000000), ref: 0342B009

Memory Dump Source

Source File: 00000001.00000002.4100505157.000000000342A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_342a000_svchost.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 965602d9c5b7ae85eb69c1290761812a79c83f07eae17601b5a68ee25c309598
Instruction ID: c19040bbb15c9d27f84c1fcddd9a9c9653ca08fcd5cbedff55736ac10b7cab71
Opcode Fuzzy Hash: 965602d9c5b7ae85eb69c1290761812a79c83f07eae17601b5a68ee25c309598
Instruction Fuzzy Hash: D52128B55097806FD7128B25DC45BA2BFBCEF47324F0880DAE9848F293D264A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 061C143A Relevance: 1.6, APIs: 1, Instructions: 77fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 061C14CE

Memory Dump Source

Source File: 00000001.00000002.4104664583.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_61c0000_svchost.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 535bcb973fccb69165159c4e98b9db2950fb5f9de4e424fe653ce58e4337bdae
Instruction ID: dda5888a065aa2f3a7c683c0b91f3e7530478c1d16ae6c2346e88a84148e0f61
Opcode Fuzzy Hash: 535bcb973fccb69165159c4e98b9db2950fb5f9de4e424fe653ce58e4337bdae
Instruction Fuzzy Hash: 0A21B171405384AFE722CF55CD45F96FBF8EF0A224F04849EE9898B252D375E548CB61

Uniqueness

Uniqueness Score: -1.00%

Function 061C0E5E Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 061C0EEA

Memory Dump Source

Source File: 00000001.00000002.4104664583.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_61c0000_svchost.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 0db6091e446c370032a73898cce9d88b514770982c69bfa1dc21bea261fc095f
Instruction ID: 31e6167e568506c81c0749b5f78f4350b2d171c17c5fb20bce7c30a6ce5751f0
Opcode Fuzzy Hash: 0db6091e446c370032a73898cce9d88b514770982c69bfa1dc21bea261fc095f
Instruction Fuzzy Hash: 7821D071409380AFE721CF55CC45F96FFF8EF09220F08889EE9858B652C375A408CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0342A462 Relevance: 1.6, APIs: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,A3B420CB,00000000,00000000,00000000,00000000), ref: 0342A4F8

Memory Dump Source

Source File: 00000001.00000002.4100505157.000000000342A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_342a000_svchost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 1a87adb46edd03865ee185f93c0b8d150f24381b143d92587b4dde365b9fbf85
Instruction ID: 326839eb7526ed169aebea8c8714989b50e36d994eed3d56a9fbeb363a92d658
Opcode Fuzzy Hash: 1a87adb46edd03865ee185f93c0b8d150f24381b143d92587b4dde365b9fbf85
Instruction Fuzzy Hash: 3021AEB25043806FD722CB11DC44FA3BFB8EF46210F08849AE985DB652C364E848CB75

Uniqueness

Uniqueness Score: -1.00%

Function 061C1192 Relevance: 1.6, APIs: 1, Instructions: 76registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,A3B420CB,00000000,00000000,00000000,00000000), ref: 061C1230

Memory Dump Source

Source File: 00000001.00000002.4104664583.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_61c0000_svchost.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 769382d884a67f34ce412050a79b8ef4e838929a5ec0ff7436e2a4099381fdf5
Instruction ID: 81583769dda0e8f85db63ee756ae348716da6072b4ab44719e3295d3644087cb
Opcode Fuzzy Hash: 769382d884a67f34ce412050a79b8ef4e838929a5ec0ff7436e2a4099381fdf5
Instruction Fuzzy Hash: 0921A175904380AFD721CB65CC55F97BBF8AF46220F08849AE945DB292D324E908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 061C00B8 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,A3B420CB,00000000,?,?,?,?,?,?,?,?,6C9C3C58), ref: 061C013E

Memory Dump Source

Source File: 00000001.00000002.4104664583.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_61c0000_svchost.jbxd

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: eb91ea29bb4aa7a822e61b24990124274281a982d56e7a62b6991eb533f325ba
Instruction ID: afb010a2c08061d027165f905fad69c4465090bb5f1ab0c5cb884c2a58edd538
Opcode Fuzzy Hash: eb91ea29bb4aa7a822e61b24990124274281a982d56e7a62b6991eb533f325ba
Instruction Fuzzy Hash: 74219C715093C09FDB138B65DC55A96BFB4AF47220F0D84EBD984CF1A3D2249918CB62

Uniqueness

Uniqueness Score: -1.00%

Function 061C12AA Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 061C131B

Memory Dump Source

Source File: 00000001.00000002.4104664583.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_61c0000_svchost.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 0401d66bc9829db00602b85cd1d099bcddc471cd070c31d3e949a2e27329bf37
Instruction ID: 083ae18942d6f685324364d2399b1a8450be9600e4f93e382d4f63bd3fd340d9
Opcode Fuzzy Hash: 0401d66bc9829db00602b85cd1d099bcddc471cd070c31d3e949a2e27329bf37
Instruction Fuzzy Hash: 0121D471600204AFEB20DF65DD45FABBBECEF04624F04886EE945CB742D774E5488AB5

Uniqueness

Uniqueness Score: -1.00%

Function 0342B304 Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E24,A3B420CB,00000000,00000000,00000000,00000000), ref: 0342B389

Memory Dump Source

Source File: 00000001.00000002.4100505157.000000000342A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_342a000_svchost.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: edb69c969caccdb61ab9850114be1f37a3c6ae35bee2a28a3a5d5891758418df
Instruction ID: 5439d8e31eabba47ee0c967e147bdcede035d5ded73b92e77693d67caabd04ee
Opcode Fuzzy Hash: edb69c969caccdb61ab9850114be1f37a3c6ae35bee2a28a3a5d5891758418df
Instruction Fuzzy Hash: 7D21F5715043406FE722CF55DD40FA7BFBCEF46310F08889AF9849B252C265A508CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 0342AE9E Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0342AF1D

Memory Dump Source

Source File: 00000001.00000002.4100505157.000000000342A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_342a000_svchost.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b5214bc4fb50b29806a1e2b947f02d6f866cb7ff75c08e580660a677000c6963
Instruction ID: df42faaf2db724e735d019101fa4f20d782bd4f3aa0c405570f54cd40a941cbe
Opcode Fuzzy Hash: b5214bc4fb50b29806a1e2b947f02d6f866cb7ff75c08e580660a677000c6963
Instruction Fuzzy Hash: 1021AEB1600240AFEB20CF65CD45B66FBE8EF08610F08886AED49DB751D775E508CB76

Uniqueness

Uniqueness Score: -1.00%

Function 0342AB52 Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0342ABD1

Memory Dump Source

Source File: 00000001.00000002.4100505157.000000000342A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_342a000_svchost.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 1ce59a50f81a2a22a0e37d18a633c5277894efb066af56d594ea14cf3536a092
Instruction ID: 4dc7437e2923251415afb2542eeb1c8068afca0ab612f3cc462c6fbbb59194e7
Opcode Fuzzy Hash: 1ce59a50f81a2a22a0e37d18a633c5277894efb066af56d594ea14cf3536a092
Instruction Fuzzy Hash: 5921BB72500204AEE720DB55CD84FABFBECEF08214F08845BEE459B642D724E54CCABA

Uniqueness

Uniqueness Score: -1.00%

Function 061C20BF Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E24,A3B420CB,00000000,00000000,00000000,00000000), ref: 061C213B

Memory Dump Source

Source File: 00000001.00000002.4104664583.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_61c0000_svchost.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: f1165f3d520f20a971796bd4257a85a682e0b481457d7bb080834b8d68699f4f
Instruction ID: 3eb84db9af3326a68a3536ad62f6f5277070115db989cc6fdca0964cee78b709
Opcode Fuzzy Hash: f1165f3d520f20a971796bd4257a85a682e0b481457d7bb080834b8d68699f4f
Instruction Fuzzy Hash: 4D21D4715053846FD721CB25DC95FA7BFB8EF46220F0884ABE944CB252D374A508CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0342A646 Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0342A6B9

Memory Dump Source

Source File: 00000001.00000002.4100505157.000000000342A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_342a000_svchost.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: bf76ee6a805ff2c063a2cee4416cda6f06d9d9aad0b010a8579a3a831f67893f
Instruction ID: b39c8988d769a56ffc31b374463c2d4ee18d0a04480633e91dd11e274cc6df42
Opcode Fuzzy Hash: bf76ee6a805ff2c063a2cee4416cda6f06d9d9aad0b010a8579a3a831f67893f
Instruction Fuzzy Hash: C221D4716002509FE720CF65CD45BA6FBE8EF04210F08846AED88DF751D771E909CA7A

Uniqueness

Uniqueness Score: -1.00%

Function 0342B9F3 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 0342BA6A

Memory Dump Source

Source File: 00000001.00000002.4100505157.000000000342A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_342a000_svchost.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 22133d6c19b56d02d2d6baf5b9d850811ef2ee37c34fbb74e72dbb4e0f1ce0de
Instruction ID: 4475ed7c31f27968861ade07f62a191268e4af4ec3098350860d43ab26ade47a
Opcode Fuzzy Hash: 22133d6c19b56d02d2d6baf5b9d850811ef2ee37c34fbb74e72dbb4e0f1ce0de
Instruction Fuzzy Hash: 66215E716093805FEB21CF25DC55B63BFF8EF46210F0884DAE985DF652D265E408DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0342A392 Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,A3B420CB,00000000,00000000,00000000,00000000), ref: 0342A40C

Memory Dump Source

Source File: 00000001.00000002.4100505157.000000000342A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_342a000_svchost.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: e7965b9d624f940e117190176c9d5bce9d6dea7b41809fd1c8cf307b901ec70f
Instruction ID: cf5553e5dd593a96f97dab9fedc0bf9ca254ce13425c5753f1b1ea61a1b4f55b
Opcode Fuzzy Hash: e7965b9d624f940e117190176c9d5bce9d6dea7b41809fd1c8cf307b901ec70f
Instruction Fuzzy Hash: 17216A75600614AEE720CE15CD84FA7FBECEF04620F08846AED45DB751D760E949CAB6

Uniqueness

Uniqueness Score: -1.00%

Function 0342A710 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0342A780

Memory Dump Source

Source File: 00000001.00000002.4100505157.000000000342A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_342a000_svchost.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: ace3f821dc2d07f7ad5f70fd256601b380c2e02ad4b7879346f5471cc1b31331
Instruction ID: c2fcf5f73274ce3c1e7b4d340f2fa8294968ff5cf309cfc3aa7228c9a4994756
Opcode Fuzzy Hash: ace3f821dc2d07f7ad5f70fd256601b380c2e02ad4b7879346f5471cc1b31331
Instruction Fuzzy Hash: D821C3B55047809FD7118B25D985792BFB8EF46220F0884EBDD848B653D2359909DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0342AC19 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 0342AC97

Memory Dump Source

Source File: 00000001.00000002.4100505157.000000000342A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_342a000_svchost.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 2529407bb11b916bda114e68ffc9e19c4c9e2685a1045435c355bb2e69a60cf4
Instruction ID: 72e0eaf4e408fd2c3a550def6367990d394e2df379db3a106e5b005579881dea
Opcode Fuzzy Hash: 2529407bb11b916bda114e68ffc9e19c4c9e2685a1045435c355bb2e69a60cf4
Instruction Fuzzy Hash: D221C2715093C45FDB12CB25D885B92BFE8EF46224F0884EBD885CF253D2749449DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0342BC38 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0342BCA4

Memory Dump Source

Source File: 00000001.00000002.4100505157.000000000342A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_342a000_svchost.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 138d3cf7b8d6f44ac06cf8c7025fe6954033d1a0a6a02342db199cb699f55e57
Instruction ID: fd92a08b43d18e6a3e57ce09d3e6e3cd0442bbcc517a452781baae05c0af59c9
Opcode Fuzzy Hash: 138d3cf7b8d6f44ac06cf8c7025fe6954033d1a0a6a02342db199cb699f55e57
Instruction Fuzzy Hash: C221AEB25093C05FDB128B25DC95792BFB4AF47224F0D84DBE8858F663D264A908DB62

Uniqueness

Uniqueness Score: -1.00%

Function 061C145A Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 061C14CE

Memory Dump Source

Source File: 00000001.00000002.4104664583.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_61c0000_svchost.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: ae7c0e4cdd42d0daa450a8ee8f6aaeb27107f3719133ed9a67ee56891f1cd019
Instruction ID: 379e87b980a2dae07fda021e3021ecbfa2b21e903649011b75237ae037ad5712
Opcode Fuzzy Hash: ae7c0e4cdd42d0daa450a8ee8f6aaeb27107f3719133ed9a67ee56891f1cd019
Instruction Fuzzy Hash: 6C212071500200AFE721CF55CD85FAAFBE8EF19224F04885EE9498B742D371E508CBB6

Uniqueness

Uniqueness Score: -1.00%

Function 061C0E7E Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 061C0EEA

Memory Dump Source

Source File: 00000001.00000002.4104664583.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_61c0000_svchost.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: d597c35a2125a97b69b08eec406f1829e1cd0656231184c03a32aeecec225167
Instruction ID: c81c1d52b347ac4a2ac6e5ec2a45eb9d8681c18f679b9fa683cbfdfe2577364e
Opcode Fuzzy Hash: d597c35a2125a97b69b08eec406f1829e1cd0656231184c03a32aeecec225167
Instruction Fuzzy Hash: D5210171500200AFEB20CF55CD41BAAFBE8EF18324F04885EE9458B641C376E448CBB6

Uniqueness

Uniqueness Score: -1.00%

Function 061C1B6A Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 061C1BE6

Memory Dump Source

Source File: 00000001.00000002.4104664583.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_61c0000_svchost.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: ba1efaa40cd73bfe2e01a1e44090244b39be598efe1f1b6611a8df36db9b1746
Instruction ID: 71db9443aeb6fddc8d4ef8bb0cd9c7371f5d011d3350a0b6848ca44bbbf08162
Opcode Fuzzy Hash: ba1efaa40cd73bfe2e01a1e44090244b39be598efe1f1b6611a8df36db9b1746
Instruction Fuzzy Hash: 6E219271548780AFDB228F51DC44B62BFF4EF46210F0884DAE9858B663D335A418DB62

Uniqueness

Uniqueness Score: -1.00%

Function 061C11BE Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,A3B420CB,00000000,00000000,00000000,00000000), ref: 061C1230

Memory Dump Source

Source File: 00000001.00000002.4104664583.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_61c0000_svchost.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 19cf95848463746c56774297b42ba9bc86a63d84fe4a05855955a0cd38303845
Instruction ID: ac7726079beea8f28d0d1e3a66483845bf34111582928c26a374d5e4e590d1a2
Opcode Fuzzy Hash: 19cf95848463746c56774297b42ba9bc86a63d84fe4a05855955a0cd38303845
Instruction Fuzzy Hash: DF11B176A00200AFE760CF25DC41FAAF7ECEF15620F18845AE945CB752D370E548CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 0342A486 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,A3B420CB,00000000,00000000,00000000,00000000), ref: 0342A4F8

Memory Dump Source

Source File: 00000001.00000002.4100505157.000000000342A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_342a000_svchost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 85ed1fdaf3a594d38d8d614992f91d6cd18f7ee57cc5237f54b4b8182eff119d
Instruction ID: 43c245985fc6df187b691bd1241b466498a638e1b88799fe95f52b1b2a340a0b
Opcode Fuzzy Hash: 85ed1fdaf3a594d38d8d614992f91d6cd18f7ee57cc5237f54b4b8182eff119d
Instruction Fuzzy Hash: 5811BEB6600610AFEB20CE15DC45FA7FBECEF04614F08845AED49DA741DB60E548CAB6

Uniqueness

Uniqueness Score: -1.00%

Function 061C18CE Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E24,A3B420CB,00000000,00000000,00000000,00000000), ref: 061C192D

Memory Dump Source

Source File: 00000001.00000002.4104664583.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_61c0000_svchost.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 0ad7277be01ce4db463db56079448991de1eb2e2c6a7980878ebb090e6aa207a
Instruction ID: cd2347fde9f630b1539bf467c55a34148ce60bf2d501128a324ee8e62ee7dc76
Opcode Fuzzy Hash: 0ad7277be01ce4db463db56079448991de1eb2e2c6a7980878ebb090e6aa207a
Instruction Fuzzy Hash: 2311E672600200AFEB218F55DC45BAAF7ECEF15320F04846AE945CB652D374E548CBB6

Uniqueness

Uniqueness Score: -1.00%

Function 0342ADB4 Relevance: 1.6, APIs: 1, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 0342AE1E

Memory Dump Source

Source File: 00000001.00000002.4100505157.000000000342A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_342a000_svchost.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: d4b76f3bd81186e6a91853e262c5b63bf57bc46c18c83f3cb34559ee552d3c44
Instruction ID: fc4fcca39ebd309a2c4480eaabfd1da93f96fc3c76d00e5208f79e4d84611877
Opcode Fuzzy Hash: d4b76f3bd81186e6a91853e262c5b63bf57bc46c18c83f3cb34559ee552d3c44
Instruction Fuzzy Hash: DB115CB1A453809FD721CB25DC85BA7BFE8EF46610F0884ABED45DB652D224E808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 061C1FFE Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E24,A3B420CB,00000000,00000000,00000000,00000000), ref: 061C2057

Memory Dump Source

Source File: 00000001.00000002.4104664583.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_61c0000_svchost.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: fabe7ced719115960cf2bda7577c4387934e35acd210ca3fc06e45a3bf13b8df
Instruction ID: 992aedbed5bc98ed74385399f572094d142da536a8c4a0f3bea472e4fa353800
Opcode Fuzzy Hash: fabe7ced719115960cf2bda7577c4387934e35acd210ca3fc06e45a3bf13b8df
Instruction Fuzzy Hash: 99110471600200AFEB20CF15DC55BAAF7E8DF54220F08846BED05CB641D374E548CAB6

Uniqueness

Uniqueness Score: -1.00%

Function 061C20E2 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E24,A3B420CB,00000000,00000000,00000000,00000000), ref: 061C213B

Memory Dump Source

Source File: 00000001.00000002.4104664583.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_61c0000_svchost.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: fabe7ced719115960cf2bda7577c4387934e35acd210ca3fc06e45a3bf13b8df
Instruction ID: a08837def5e984882ff33f8b85018dca15dac4f4e5e66f2dc1e0c9968969bcae
Opcode Fuzzy Hash: fabe7ced719115960cf2bda7577c4387934e35acd210ca3fc06e45a3bf13b8df
Instruction Fuzzy Hash: 88110475600200AFE720CF19DC85BAAB7E8EF14620F08846AEA44CB641D375E5088AB6

Uniqueness

Uniqueness Score: -1.00%

Function 061C023C Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 061C02AE

Memory Dump Source

Source File: 00000001.00000002.4104664583.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_61c0000_svchost.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b187dbb1435746e8e9b25e97b1574db207f0fea179ca64f5772cbe5b53988dc2
Instruction ID: d01fff91c95b6d219648a7e5530c36b67a41983b6881a64fae1c9177025f6ef6
Opcode Fuzzy Hash: b187dbb1435746e8e9b25e97b1574db207f0fea179ca64f5772cbe5b53988dc2
Instruction Fuzzy Hash: B821D5714493809FCB228F61DC54A56FFF4EF4A320F0888DEE9858F562C375A818DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0342BE16 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E24,A3B420CB,00000000,00000000,00000000,00000000), ref: 0342BE6C

Memory Dump Source

Source File: 00000001.00000002.4100505157.000000000342A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_342a000_svchost.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 4bd2f24510c4a9814dbae6975ebe91a706dc3d780774284928bd704c3528fc35
Instruction ID: 1c4cc3149d98ba40c12ec51b13642c097f9ccaf3b9e43826016aadc281f36f33
Opcode Fuzzy Hash: 4bd2f24510c4a9814dbae6975ebe91a706dc3d780774284928bd704c3528fc35
Instruction Fuzzy Hash: 3511C171600200AFEB10CB15DC85BA6BBECDF45224F0884AAEE44DF741D774A5488AB6

Uniqueness

Uniqueness Score: -1.00%

Function 0342B32A Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E24,A3B420CB,00000000,00000000,00000000,00000000), ref: 0342B389

Memory Dump Source

Source File: 00000001.00000002.4100505157.000000000342A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_342a000_svchost.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: aa948fc5dc75bef4111ffa68f509935e36085f1d740fffdf9fdda36bfa16ef1c
Instruction ID: 2c98cd4678cbfec15c014ef3e7a60eef0f296bb05f87f40d9a7ee85946832385
Opcode Fuzzy Hash: aa948fc5dc75bef4111ffa68f509935e36085f1d740fffdf9fdda36bfa16ef1c
Instruction Fuzzy Hash: 4C11EF72500200AFEB21CF55DC40FA6FBE8EF04324F08885AE9489F652C374A5088BB6

Uniqueness

Uniqueness Score: -1.00%

Function 0342AA81 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0342AAE0

Memory Dump Source

Source File: 00000001.00000002.4100505157.000000000342A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_342a000_svchost.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: efe6e808cd89c364e50d85da7d386220924a6277cb16cf426e59d4053fa94bca
Instruction ID: b3f5332e34f1800a2fc8947f87f0622548788c774bba7d2dfb65c177cf4eeb20
Opcode Fuzzy Hash: efe6e808cd89c364e50d85da7d386220924a6277cb16cf426e59d4053fa94bca
Instruction Fuzzy Hash: 36119D715093C09FDB128B21DC45B92BFB4EF47220F0888DBED848F253C275A948DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0342A2D2 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0342A330

Memory Dump Source

Source File: 00000001.00000002.4100505157.000000000342A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_342a000_svchost.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 128515e37a314b2dc4092b0559413ab3a4c697feb662e8c6d959e5b84be26fee
Instruction ID: cb9f041aa7b04d273d1e846445c7f7e2627fdb66220818a66f368072c2fc0794
Opcode Fuzzy Hash: 128515e37a314b2dc4092b0559413ab3a4c697feb662e8c6d959e5b84be26fee
Instruction Fuzzy Hash: 05118F754093806FD7128B15DC44B62BFA8EF46220F0C80DBED849F253C265A808DB72

Uniqueness

Uniqueness Score: -1.00%

Function 0342ADD6 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 0342AE1E

Memory Dump Source

Source File: 00000001.00000002.4100505157.000000000342A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_342a000_svchost.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 222bbf417dcebeaa4c4c6d90760c55a1be51a6270f308750f677b2ed0b062138
Instruction ID: a6311917fc1dc76bfc2626fcbd0b720ab5df9e35671228124b5492381120a7c7
Opcode Fuzzy Hash: 222bbf417dcebeaa4c4c6d90760c55a1be51a6270f308750f677b2ed0b062138
Instruction Fuzzy Hash: 601182B1A002108FDB10CF15D885766FBE8EF14610F0884ABDD49DF741D635D405CA66

Uniqueness

Uniqueness Score: -1.00%

Function 0342BA22 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 0342BA6A

Memory Dump Source

Source File: 00000001.00000002.4100505157.000000000342A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_342a000_svchost.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 222bbf417dcebeaa4c4c6d90760c55a1be51a6270f308750f677b2ed0b062138
Instruction ID: 109e9594cc9fe96a5be2acddbcf62e35925eac51acce7137f075b5abb473c9d0
Opcode Fuzzy Hash: 222bbf417dcebeaa4c4c6d90760c55a1be51a6270f308750f677b2ed0b062138
Instruction Fuzzy Hash: F3117CB1A002008FEB60CF29D885B66FFE8EB54220F0884AADD49DF742D674E504CA76

Uniqueness

Uniqueness Score: -1.00%

Function 0342B1A8 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 0342B1FC

Memory Dump Source

Source File: 00000001.00000002.4100505157.000000000342A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_342a000_svchost.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: c7211c0b0c0cd57d56aae0dd165a4857bd226247741da50af5509d5381f1b7b0
Instruction ID: cfb1ec3adf1b90f92d485df972e66cd649e8ec95ad7923c8858f7118ec5ba604
Opcode Fuzzy Hash: c7211c0b0c0cd57d56aae0dd165a4857bd226247741da50af5509d5381f1b7b0
Instruction Fuzzy Hash: A411C2755093809FC7128F15DC85B66FFB4DF46220F0884DBED858F652D264A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0342AFB6 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,A3B420CB,00000000,00000000,00000000,00000000), ref: 0342B009

Memory Dump Source

Source File: 00000001.00000002.4100505157.000000000342A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_342a000_svchost.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 1d6647f5d69ee37a647ee3f7d99e59eb5aa716c7244e2fb00973cf0cabeec779
Instruction ID: 5d8d981cc05baef2760cb831ba76abb4e6a2935f1e75bc37319ceddf9c95c34b
Opcode Fuzzy Hash: 1d6647f5d69ee37a647ee3f7d99e59eb5aa716c7244e2fb00973cf0cabeec779
Instruction Fuzzy Hash: EA01C071604214AEE721CB05DD85BA6FBECDF55624F08809BED089F741D374E5488ABA

Uniqueness

Uniqueness Score: -1.00%

Function 0342A9E4 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

WaitForInputIdle.USER32(?,?), ref: 0342AA3B

Memory Dump Source

Source File: 00000001.00000002.4100505157.000000000342A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_342a000_svchost.jbxd

Similarity

API ID: IdleInputWait
String ID:
API String ID: 2200289081-0
Opcode ID: 45ecea33721fe5309548978ae6970ebc610f94c899c4bb28a737f69fcfd7678c
Instruction ID: 6f7c74a819ec0adc25042c683c0d4dcf3f625d47941ea319ef4b9639053945bb
Opcode Fuzzy Hash: 45ecea33721fe5309548978ae6970ebc610f94c899c4bb28a737f69fcfd7678c
Instruction Fuzzy Hash: 69119E715093809FDB11CF15DD85B56FFE8EF46220F0984EAED858F262D279A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 061C1B9A Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 061C1BE6

Memory Dump Source

Source File: 00000001.00000002.4104664583.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_61c0000_svchost.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 703c914e74a49b473d1d8a76eb9d8e2c349cf90b74ef08a034440841d0a8508c
Instruction ID: b423c3bd78543419621211af9e31afe41a84d65e73fff7e5fae4ee6689329395
Opcode Fuzzy Hash: 703c914e74a49b473d1d8a76eb9d8e2c349cf90b74ef08a034440841d0a8508c
Instruction Fuzzy Hash: BD117071504604AFEB60CF55D845B66FBF4EF19220F08C8AAED458B612D335E458DF62

Uniqueness

Uniqueness Score: -1.00%

Function 061C00FE Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,A3B420CB,00000000,?,?,?,?,?,?,?,?,6C9C3C58), ref: 061C013E

Memory Dump Source

Source File: 00000001.00000002.4104664583.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_61c0000_svchost.jbxd

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: a34d7494a81cb810a816411cecd3d15dd83412616ed35908c067659451b13ca0
Instruction ID: 7f11c7b5a8e80bc8c8438adc778b721bd91384ba65238666999ec5d902438ac9
Opcode Fuzzy Hash: a34d7494a81cb810a816411cecd3d15dd83412616ed35908c067659451b13ca0
Instruction Fuzzy Hash: 60118E71A00204DFEB50CF19D885B66FBE4EF18225F0884AADD498B651D336E508CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0342AC5A Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 0342AC97

Memory Dump Source

Source File: 00000001.00000002.4100505157.000000000342A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_342a000_svchost.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 569839c2d2e9702a0f4c3e56ca248fa35c7f53721c85eeaa1d191c93d61464ea
Instruction ID: d907653466d3455af9a4748e063b98ca999808d972c015f0cf43d45b71216f58
Opcode Fuzzy Hash: 569839c2d2e9702a0f4c3e56ca248fa35c7f53721c85eeaa1d191c93d61464ea
Instruction Fuzzy Hash: C901D2716002408FEB10CF1AD885766FBE8EF04220F08C4ABDD45DF742D675D408DA66

Uniqueness

Uniqueness Score: -1.00%

Function 061C21F6 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E24,?,?), ref: 061C2246

Memory Dump Source

Source File: 00000001.00000002.4104664583.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_61c0000_svchost.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: e6e95677f4e5bd8385694d29ada0b443209837020206ec09fb04a6267908feaa
Instruction ID: e2a3f3ed47ee5fdbcdb4adfaf38fa227baa73b7770f9e7e14e0bcf9a44d6370c
Opcode Fuzzy Hash: e6e95677f4e5bd8385694d29ada0b443209837020206ec09fb04a6267908feaa
Instruction Fuzzy Hash: 91017171A00200AFD310DF16DD46B66FBE8FB88A20F14856AED089BB41D735B955CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0342A172 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

EnumWindows.USER32(?,00000E24,?,?), ref: 0342A1C2

Memory Dump Source

Source File: 00000001.00000002.4100505157.000000000342A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_342a000_svchost.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 423ba41d188554db0112ac5ec925b682375941a4ac771c9a0ac8296d08f1df93
Instruction ID: 356a929162456399eb5b46f64c9be65c27b7d3e6162e746430558894dd0a58f6
Opcode Fuzzy Hash: 423ba41d188554db0112ac5ec925b682375941a4ac771c9a0ac8296d08f1df93
Instruction Fuzzy Hash: DE017171A00200AFD310DF16DD46B66FBE8FB88A20F14856AED089BB41D735B955CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 061C026A Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 061C02AE

Memory Dump Source

Source File: 00000001.00000002.4104664583.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_61c0000_svchost.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: de878fa3eb5011e302992dcb78931530caadb9c279f96fb87c98262c7c0dacb1
Instruction ID: 8dfd06aba620a297527fa2471e2a31b56d4d654c9f3b6ac46f08f1aa82c2255c
Opcode Fuzzy Hash: de878fa3eb5011e302992dcb78931530caadb9c279f96fb87c98262c7c0dacb1
Instruction Fuzzy Hash: C401AD32900600DFEB608F55D844B66FBE0EF58321F08889EDE894A612C336E418DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 061C0DE2 Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 061C0E32

Memory Dump Source

Source File: 00000001.00000002.4104664583.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_61c0000_svchost.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 80b492755d4fbbcc073f87d14c585ef571670f106b2ad2b4ba4dd5bbe632cf0a
Instruction ID: 0ae612468b37342cba41ce9b45b36fee3e36ab81e9cd7449acd5b3a257c97044
Opcode Fuzzy Hash: 80b492755d4fbbcc073f87d14c585ef571670f106b2ad2b4ba4dd5bbe632cf0a
Instruction Fuzzy Hash: C101A271500200ABD210DF16DD46B66FBE8FB88A20F14811AEC089BB41D771F955CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0342A74E Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0342A780

Memory Dump Source

Source File: 00000001.00000002.4100505157.000000000342A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_342a000_svchost.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 4807e185154f48d24c88d98985feb6e26471be81ae6d6101ba84e2d8c01b98db
Instruction ID: b17d9078f24826cb9e835b8c626c2902ad30c2c8c3081c10bf268e4a5addae70
Opcode Fuzzy Hash: 4807e185154f48d24c88d98985feb6e26471be81ae6d6101ba84e2d8c01b98db
Instruction Fuzzy Hash: BE01F275A006008FEB10CF15D985766FFE8DF45220F08C4ABDD499F742D675E408CEAA

Uniqueness

Uniqueness Score: -1.00%

Function 0342BC72 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0342BCA4

Memory Dump Source

Source File: 00000001.00000002.4100505157.000000000342A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_342a000_svchost.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 28dd1ab13c302de0b5bdabc1f1cfc97408fc364aaba8d7b5852e2b5946f6daf2
Instruction ID: 22115b9fe39df5467950b728e3c06bc5b49dbadf1529c032a39835a22d099d74
Opcode Fuzzy Hash: 28dd1ab13c302de0b5bdabc1f1cfc97408fc364aaba8d7b5852e2b5946f6daf2
Instruction Fuzzy Hash: 8101DF756042048FDB10CF16E985766FBE8EF55220F08C4ABDD499F742C675E408CA76

Uniqueness

Uniqueness Score: -1.00%

Function 0342AA06 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

WaitForInputIdle.USER32(?,?), ref: 0342AA3B

Memory Dump Source

Source File: 00000001.00000002.4100505157.000000000342A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_342a000_svchost.jbxd

Similarity

API ID: IdleInputWait
String ID:
API String ID: 2200289081-0
Opcode ID: 829a19e7a2cf4c523ee4502d993312e9d70f4e75891e909bc3ff4518ff955363
Instruction ID: e25e9cfc5b6f933fdfc6d05ca3e68a382c94010b6c19b4305a32c667deeac18a
Opcode Fuzzy Hash: 829a19e7a2cf4c523ee4502d993312e9d70f4e75891e909bc3ff4518ff955363
Instruction Fuzzy Hash: E901DF719002809FDB20CF05D984766FFE4EF04620F08C8ABDD499F302D275E508CEA6

Uniqueness

Uniqueness Score: -1.00%

Function 0342B1CA Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 0342B1FC

Memory Dump Source

Source File: 00000001.00000002.4100505157.000000000342A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_342a000_svchost.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 9cb10587d4210af30bc790016d004b28e186d7e88776065ad65b7b46edc3e708
Instruction ID: 7fd4c70a4725b22845da818bf4cfdebb4b8bb7b58d0531de8695f551eb6ccae8
Opcode Fuzzy Hash: 9cb10587d4210af30bc790016d004b28e186d7e88776065ad65b7b46edc3e708
Instruction Fuzzy Hash: 2101AD756007008FDB20CF16E889766FBE4EF15220F08C4ABDD059F752D275E848CAA6

Uniqueness

Uniqueness Score: -1.00%

Function 0342AAAE Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0342AAE0

Memory Dump Source

Source File: 00000001.00000002.4100505157.000000000342A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_342a000_svchost.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: be90fa741ec216dee0a39b5b49085fa808e003d33a164cc37dc9794d12a2cfd3
Instruction ID: 509cac1d959b68da858ae8a2a47da23bc7ed7b337fb971e601448dcb04c7ed1c
Opcode Fuzzy Hash: be90fa741ec216dee0a39b5b49085fa808e003d33a164cc37dc9794d12a2cfd3
Instruction Fuzzy Hash: F401AD71A002409FDB10CF15D989762FFE4EF45220F08C4ABDD499F746D6B9E548CEA6

Uniqueness

Uniqueness Score: -1.00%

Function 0342A2FE Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0342A330

Memory Dump Source

Source File: 00000001.00000002.4100505157.000000000342A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_342a000_svchost.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 3726ef3c763c6d06f9cde93b73092b05b6caf40f4f28b5d8f80c9eb0b9b2ccc7
Instruction ID: b1c1755c083c5f53a8781132f2320bc0c5ab24e89cf7ad31506ec6f450cd258c
Opcode Fuzzy Hash: 3726ef3c763c6d06f9cde93b73092b05b6caf40f4f28b5d8f80c9eb0b9b2ccc7
Instruction Fuzzy Hash: 26F08C759042449FDB20CF09D885B62FFE4EF09624F48C09BDD495F752D675E408CAA6

Uniqueness

Uniqueness Score: -1.00%

Function 05D21510 Relevance: 1.5, Strings: 1, Instructions: 283COMMON

Download Yara Rule

Strings

2l, xrefs: 05D21818

Memory Dump Source

Source File: 00000001.00000002.4104311908.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5d20000_svchost.jbxd

Similarity

API ID:
String ID: 2l
API String ID: 0-2574689970
Opcode ID: 039c2ba0993c2ad728ba9ad844913b1753c5eaf2c5a56ce6fe5990181f9acf59
Instruction ID: 5d9efed7cca6b53a6e372582acd1cbdc90e5047fa8c85cebff1169514326e7da
Opcode Fuzzy Hash: 039c2ba0993c2ad728ba9ad844913b1753c5eaf2c5a56ce6fe5990181f9acf59
Instruction Fuzzy Hash: 21A1F135B042209BD714DBB8C984BAD72E3BBD5348F14866AD4129B3D0DF38DC46C762

Uniqueness

Uniqueness Score: -1.00%

Function 05D20B03 Relevance: 1.4, Strings: 1, Instructions: 194COMMON

Download Yara Rule

Strings

:@k, xrefs: 05D20B23

Memory Dump Source

Source File: 00000001.00000002.4104311908.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5d20000_svchost.jbxd

Similarity

API ID:
String ID: :@k
API String ID: 0-2277858631
Opcode ID: f058212f1defad11ae2df2c206243d318fa0a575a7d2b93b3e1a0930fc5634db
Instruction ID: 408a875d0576892929341da4a29f816b01145f386b10e714e3073f3dadb8a785
Opcode Fuzzy Hash: f058212f1defad11ae2df2c206243d318fa0a575a7d2b93b3e1a0930fc5634db
Instruction Fuzzy Hash: AE714C39700210CFDB19EB78D455B6D37E2FBD8248B14416AE4069B7A8DF3ADC82DB61

Uniqueness

Uniqueness Score: -1.00%

Function 05D22757 Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

:@k, xrefs: 05D22860

Memory Dump Source

Source File: 00000001.00000002.4104311908.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5d20000_svchost.jbxd

Similarity

API ID:
String ID: :@k
API String ID: 0-2277858631
Opcode ID: af308baad1a5c1832f0542602a4694a77ef54becd52766a4e2979cc3e891483d
Instruction ID: 267c3ed31621434b346c698c30512a6388085c2ce73b08cef62e4b29969659da
Opcode Fuzzy Hash: af308baad1a5c1832f0542602a4694a77ef54becd52766a4e2979cc3e891483d
Instruction Fuzzy Hash: A241BF35B002049FCB08DBB5D9516EDBBE7AF94218F14446BE105EB7A0DF389D098B62

Uniqueness

Uniqueness Score: -1.00%

Function 05D22698 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

L.l, xrefs: 05D226B9

Memory Dump Source

Source File: 00000001.00000002.4104311908.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5d20000_svchost.jbxd

Similarity

API ID:
String ID: L.l
API String ID: 0-1469302089
Opcode ID: 630a0d3a347ae02b6592a9fca70b0c4814018cb1aaa9a53acd75547405b83107
Instruction ID: b762fcaaf2fa7412b8b26ca293daea7f84ed4c1879b426ca2f6669bdd805b048
Opcode Fuzzy Hash: 630a0d3a347ae02b6592a9fca70b0c4814018cb1aaa9a53acd75547405b83107
Instruction Fuzzy Hash: 49119339F042189BDB04EA76D841BFE76E6BF9D200F14842AE506BF280DA719C008BA5

Uniqueness

Uniqueness Score: -1.00%

Function 05D20E55 Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

\Ol, xrefs: 05D20EB9

Memory Dump Source

Source File: 00000001.00000002.4104311908.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5d20000_svchost.jbxd

Similarity

API ID:
String ID: \Ol
API String ID: 0-1319056321
Opcode ID: ea48b9235217d3fecb574b7e138d1ab201224469d9628dac04d551a63520ffe7
Instruction ID: 7ab0c5d1273892ce425c1692337fa62a81ba62a4d9130334497e11abf2e99163
Opcode Fuzzy Hash: ea48b9235217d3fecb574b7e138d1ab201224469d9628dac04d551a63520ffe7
Instruction Fuzzy Hash: FC216A35B100149FCB08DBB8E494AADB3F3BFC8208B1481AAE406AB361CF359C05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05D223C9 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4104311908.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5d20000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b122a93894d4d3190c2af2c70035e30746b785aa813674cb8c02bf73da2d8bc7
Instruction ID: b61b2c802dac028278933e9c9d3248f4c7ceaa5769f20174309d474f41a130cf
Opcode Fuzzy Hash: b122a93894d4d3190c2af2c70035e30746b785aa813674cb8c02bf73da2d8bc7
Instruction Fuzzy Hash: CE61CD7AD041308BDB28567CC4653ED7262BBA534AF15847FE853B7290DB29CC81DBE2

Uniqueness

Uniqueness Score: -1.00%

Function 05D205DA Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4104311908.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5d20000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1d1371a70d8206cbd90f91aef15447ee2812e628df0c9dade564fdba928e5e8
Instruction ID: 9def75f56e4451e2f9fc97ffa77542482395e7cfeee011ab245b351ecb7fd185
Opcode Fuzzy Hash: e1d1371a70d8206cbd90f91aef15447ee2812e628df0c9dade564fdba928e5e8
Instruction Fuzzy Hash: A8611939B00211CFDB199F39D45866D77E2FBC8249B1441AAE8029B3A5DF3DDC82DB61

Uniqueness

Uniqueness Score: -1.00%

Function 05D20BA8 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4104311908.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5d20000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef0594253aea6d6a23b37ab575405e29f8564fddc3a6bd8ee4ba76a45459b0c1
Instruction ID: 99c39f641fbb1ffc941d0f97750bf32e52ec6a2436c71b06c596166e31b0e7ed
Opcode Fuzzy Hash: ef0594253aea6d6a23b37ab575405e29f8564fddc3a6bd8ee4ba76a45459b0c1
Instruction Fuzzy Hash: 04514C39B00210CFD719DB78E45566D77E2FBC9208B14416AE4059B7A8DB3EDC82DB61

Uniqueness

Uniqueness Score: -1.00%

Function 05D214FF Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4104311908.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5d20000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30bf7f79d4df6d7594ed9475ab2dee647c631b8712a2acc95d2cbfc96d20dd6b
Instruction ID: 414d40667f3e130a85db75923ac33477b51b97362e47f8739d50ca21fee2c5d9
Opcode Fuzzy Hash: 30bf7f79d4df6d7594ed9475ab2dee647c631b8712a2acc95d2cbfc96d20dd6b
Instruction Fuzzy Hash: 0651DF34A042219BD714CF7AD9447A977E3BB95359F5881AAE402EB2D0EF38CD46CB31

Uniqueness

Uniqueness Score: -1.00%

Function 05D20634 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4104311908.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5d20000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1620e72a2e735af627fd73224efc2eb009ff495522081a2c49d540488bc7dcaa
Instruction ID: 7a521fdc0f3349a4897e8029d0424b5febf2433b4374f74e6cf279a9bdd553de
Opcode Fuzzy Hash: 1620e72a2e735af627fd73224efc2eb009ff495522081a2c49d540488bc7dcaa
Instruction Fuzzy Hash: 02510B39B00211CFCB099F38D45966977E2FBC824971441AAE8029B3A5DF3EDC82DB61

Uniqueness

Uniqueness Score: -1.00%

Function 05D218E0 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4104311908.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5d20000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 991480395fc96bf6c60b2d4c9646619e551d9b27b85c0ad9918a540fe35bbe2f
Instruction ID: 0f05f4d0f3119c79bbd510cdfdbe6b04394e3410806de2e41087dcdce676ff37
Opcode Fuzzy Hash: 991480395fc96bf6c60b2d4c9646619e551d9b27b85c0ad9918a540fe35bbe2f
Instruction Fuzzy Hash: A741C134A042219BD714DF7AD9447B836E3BB95359F5881AAE402EB2D0DF38CD46CB31

Uniqueness

Uniqueness Score: -1.00%

Function 05D20080 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4104311908.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5d20000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a24beaaefd9a0bbcb74d83b27eb8ff24a2950a71b9bf527b885014912eb83534
Instruction ID: d0379287a870aff2c1d7bc1df652ffca9d02cc18ca03c2b78354ad1501ae836f
Opcode Fuzzy Hash: a24beaaefd9a0bbcb74d83b27eb8ff24a2950a71b9bf527b885014912eb83534
Instruction Fuzzy Hash: F9513538601646CBD708EF38E58859977F2FBE1248740856AE0444B76DDF389C8ADBB2

Uniqueness

Uniqueness Score: -1.00%

Function 05D20C22 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4104311908.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5d20000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e86dc343cf3f1c2153781395e9106a21bdbda697f15ea2196a6fcd618a92d163
Instruction ID: 177e079c0b0ed1f63ee6958654e0adcda7a31070bee2efe4a57a6794fe674e9f
Opcode Fuzzy Hash: e86dc343cf3f1c2153781395e9106a21bdbda697f15ea2196a6fcd618a92d163
Instruction Fuzzy Hash: BB415E38B00210CFDB19EB78E4557AD77E2FBC8208B14416AE4159B7A8DF39DC82DB61

Uniqueness

Uniqueness Score: -1.00%

Function 05D21238 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4104311908.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5d20000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43400ade54418e07c82925515f61e217d6a2f56e46a9f1eb2b2cb16a795f95ce
Instruction ID: c32f3af893245088da65ee442d3fad80e0b184b6ea42c31238fc96e8a260b6f0
Opcode Fuzzy Hash: 43400ade54418e07c82925515f61e217d6a2f56e46a9f1eb2b2cb16a795f95ce
Instruction Fuzzy Hash: C3418036B002118FCB04EF74D9845ADB7E6AF94208B08807AD809DB399EF38DD45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05D2122B Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4104311908.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5d20000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea1fe46581991fd038b39322c6dd0b819fbbf7233693d2230202fff1db93be04
Instruction ID: 1b4d2f6c506e2c43a001495fc96f2244d38f650c0a94fb5c5cf00c69e1d6446e
Opcode Fuzzy Hash: ea1fe46581991fd038b39322c6dd0b819fbbf7233693d2230202fff1db93be04
Instruction Fuzzy Hash: 70314035A002118FCB04DF74D9855AE77E6EF98204B58817A9805DF399DB38DD46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05D20C8D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4104311908.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5d20000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bff3c0134b5d8ef2ea4888e4c983f75b33c49752923cd11520eb1e4663850d84
Instruction ID: e0f8df766ae704bd0ef5150c743c509b97a80ab45e557af9737da28e18a0e689
Opcode Fuzzy Hash: bff3c0134b5d8ef2ea4888e4c983f75b33c49752923cd11520eb1e4663850d84
Instruction Fuzzy Hash: 9A318F38B042208BDB18EB78E8557AC77E2FBC4208B14416AE459DB794DF39DC45DB61

Uniqueness

Uniqueness Score: -1.00%

Function 03601339 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4101003933.0000000003601000.00000040.00000020.00020000.00000000.sdmp, Offset: 03601000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3601000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab379fd07647769d9b4af3d33e9c018a281dd8eec4448bbfd05e76bf17014ae9
Instruction ID: 562fe2b79f08204dcacf8072bde5e80ecf40522094ea8910fd0f70b02bb6276d
Opcode Fuzzy Hash: ab379fd07647769d9b4af3d33e9c018a281dd8eec4448bbfd05e76bf17014ae9
Instruction Fuzzy Hash: 6721393510D3C08FC717CB60D961A52BFB1AF47214F2D85DED4858B6A3D23AA816D752

Uniqueness

Uniqueness Score: -1.00%

Function 05D20D40 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4104311908.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5d20000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8af59f3ea2db60783390003056aa0d50966e51c06bceb3b70ea72361d208dd64
Instruction ID: 25dd63af41a4f5103360065dc444ec301f0bbb2b23f8f7492a3e9469a71cf435
Opcode Fuzzy Hash: 8af59f3ea2db60783390003056aa0d50966e51c06bceb3b70ea72361d208dd64
Instruction Fuzzy Hash: F111AF38B01260CFDB14EF79E4556AC77F2FBC4218B54846AE055DB398DB39C881CB60

Uniqueness

Uniqueness Score: -1.00%

Function 05D20773 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4104311908.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5d20000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8c1b3940a3d4d2e639670373226f424c21ee2cab03b47eee1df428ef8de467e
Instruction ID: b5e3294c037025079a231a409062e9fa5c9e474620ac43bc91f293b3c18ed77a
Opcode Fuzzy Hash: c8c1b3940a3d4d2e639670373226f424c21ee2cab03b47eee1df428ef8de467e
Instruction Fuzzy Hash: 9F211A39B00211CFCB099F38D45966D73A3FBC924871541AAE902973A5DF3EEC82DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0360139C Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4101003933.0000000003601000.00000040.00000020.00020000.00000000.sdmp, Offset: 03601000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3601000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 762b72e8381c88d54846dd8bee30e5cd68ccc7b815e7fa514e6040c8ce8275f9
Instruction ID: d7ff3717325d1f4909ca176db53ee728b68a3f0c0c9f615a743705638d97f79a
Opcode Fuzzy Hash: 762b72e8381c88d54846dd8bee30e5cd68ccc7b815e7fa514e6040c8ce8275f9
Instruction Fuzzy Hash: 1311D639204280DFC719CB50D581B27FBE5EB9A708F28C99CE5494BB92C777D813CA52

Uniqueness

Uniqueness Score: -1.00%

Function 0360136F Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4101003933.0000000003601000.00000040.00000020.00020000.00000000.sdmp, Offset: 03601000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3601000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47de42a85da4aa0d9ba7cfa7e1b83b618c145e4885af44718506569b8d6fa157
Instruction ID: a13a1d0aeba4247ed8df179b37ea4a2dd5b662091a322af391a2c1a6fe82c959
Opcode Fuzzy Hash: 47de42a85da4aa0d9ba7cfa7e1b83b618c145e4885af44718506569b8d6fa157
Instruction Fuzzy Hash: 66215B351093C49FC716CB50D951B11BFB5AF8B204F1D86DAD4848BAA3C33AA816CB52

Uniqueness

Uniqueness Score: -1.00%

Function 05D22940 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4104311908.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5d20000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2794ef14cf627fbaf3ad48281533a1622ae5a99b98bc3ea64c7a17cc68a72eb4
Instruction ID: a5b83034c3e874cc73a26bcbb93e03a1982219a02b589e78a550d20139911a56
Opcode Fuzzy Hash: 2794ef14cf627fbaf3ad48281533a1622ae5a99b98bc3ea64c7a17cc68a72eb4
Instruction Fuzzy Hash: 0101D23AE002249B9F00EB75DC045EE73F4EF99254B0004A6E402FB304EB29DE0487B1

Uniqueness

Uniqueness Score: -1.00%

Function 05D20007 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4104311908.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5d20000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7d26597e1c4edd58beb6a8322399a89fde159c5fc5766f1dd6a77f84337712f
Instruction ID: c6483e159817165b34759759ff5a81d515f1190882d686db1030539ce7c8fb84
Opcode Fuzzy Hash: a7d26597e1c4edd58beb6a8322399a89fde159c5fc5766f1dd6a77f84337712f
Instruction Fuzzy Hash: FB016D6A04E3C04FDB439774A8A26903F709A1726070F05C7D481CF5A7D559594EDB72

Uniqueness

Uniqueness Score: -1.00%

Function 03601048 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4101003933.0000000003601000.00000040.00000020.00020000.00000000.sdmp, Offset: 03601000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3601000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 149fb64218ebf5c719301cc827afe5396ef11ad822c3b0415e426f537a496e81
Instruction ID: 4c2d05323935c452be4f8cf4580f3e34641d64711e043f54e52becd39af770ae
Opcode Fuzzy Hash: 149fb64218ebf5c719301cc827afe5396ef11ad822c3b0415e426f537a496e81
Instruction Fuzzy Hash: 110186B65497806FC7128B56AC51893BFF8DF8623070A84EBEC49CB712D165BD09CB72

Uniqueness

Uniqueness Score: -1.00%

Function 05D20D98 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4104311908.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5d20000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c87b319ee0f7c85f54d3f14d1d46e8b102d8f2600d96b2cdee31bbab268cc577
Instruction ID: cc2f3a5348252bbe880769d6304a16a8a565c724dbaf653ea9cdc118f6f40edd
Opcode Fuzzy Hash: c87b319ee0f7c85f54d3f14d1d46e8b102d8f2600d96b2cdee31bbab268cc577
Instruction Fuzzy Hash: 69011A34A01254CFDB18EF79E0945ACB7F2FF88219B50846AE415AB355DB39C985CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05D20889 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4104311908.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5d20000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0506d2ab8e9367584fd338ed2eb20088e18616309612582baa1d3fe18e346e52
Instruction ID: 2850c0b935f0dfe16b6127b44bbadddf49557bba484a2bd58b508e6b76b0f02f
Opcode Fuzzy Hash: 0506d2ab8e9367584fd338ed2eb20088e18616309612582baa1d3fe18e346e52
Instruction Fuzzy Hash: 74012938A05307AFC704FB78D09855DBBE1EB9A208B418C2EE5459F358DF7988489B57

Uniqueness

Uniqueness Score: -1.00%

Function 05D22930 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4104311908.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5d20000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c49a8e9414f301a1df93525b597c63bef1b4b4d7ca4b8dc0a083a1808a593c87
Instruction ID: 2b9085355d91b6537f161c7740b09d6d4076315f6bc7002e1c15d825c8c7a4d7
Opcode Fuzzy Hash: c49a8e9414f301a1df93525b597c63bef1b4b4d7ca4b8dc0a083a1808a593c87
Instruction Fuzzy Hash: EAE0E539904225ABDB10D97AAC855967BE4E748390F800462E901E7240DB24DD198AF1

Uniqueness

Uniqueness Score: -1.00%

Function 03601458 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4101003933.0000000003601000.00000040.00000020.00020000.00000000.sdmp, Offset: 03601000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3601000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6850d79e688ef7387407e307c00caab001beb49244c143f541758b1d055de9a
Instruction ID: 2ec423461dad0e32966a5289b0b5e9b94c779c611e76ab4a48a576e36fe1dfd8
Opcode Fuzzy Hash: e6850d79e688ef7387407e307c00caab001beb49244c143f541758b1d055de9a
Instruction Fuzzy Hash: 69F01D39104644DFC305CF50D581B16FBA6EB89718F28CAADE94907B62C337E813DA81

Uniqueness

Uniqueness Score: -1.00%

Function 0360106E Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4101003933.0000000003601000.00000040.00000020.00020000.00000000.sdmp, Offset: 03601000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3601000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d62ec134804ade001421513ad7c130627049bb8576f6e6514a339492730fcffe
Instruction ID: 86d0e28e54c2d83df66cb38b23964f55443006d2af7bee773dcf2ea7f8784f26
Opcode Fuzzy Hash: d62ec134804ade001421513ad7c130627049bb8576f6e6514a339492730fcffe
Instruction Fuzzy Hash: CDE06DB66006044B9750CF0AEC41452F7D8EB88630708C47BDC0D8B701D235B508CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 05D21451 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4104311908.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5d20000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9d24c071d2dc039b3d0e596ed969dce9774869df1addcaa4f69559bb28be035
Instruction ID: 9ab15198f7e21bba6c0eacb13407bb69d1064bdfdeb72dbc26801fdf66898246
Opcode Fuzzy Hash: a9d24c071d2dc039b3d0e596ed969dce9774869df1addcaa4f69559bb28be035
Instruction Fuzzy Hash: BBD097313041655FCF04A23CF4483883BA8CBC5210B09092BE000EF344CFE08C0583EE

Uniqueness

Uniqueness Score: -1.00%

Function 034223F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4100486935.0000000003422000.00000040.00000800.00020000.00000000.sdmp, Offset: 03422000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3422000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04017134f9e691b0dda1d1b767b2a7c3e447814ec4645091d7555205becf6404
Instruction ID: 3d4e3b79901d7fed337b059df9f30cf610e2beb9297f608f1a9d3cb51a7c455b
Opcode Fuzzy Hash: 04017134f9e691b0dda1d1b767b2a7c3e447814ec4645091d7555205becf6404
Instruction Fuzzy Hash: 29D05E792056E14FD316DA1CC1A4B967BD8AB61714F8A48FAAC009F763C7A8D581D610

Uniqueness

Uniqueness Score: -1.00%

Function 034223BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4100486935.0000000003422000.00000040.00000800.00020000.00000000.sdmp, Offset: 03422000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3422000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2009e3819e8ad92c3975e3baf8a818ba343002302a5d0519abc1b1ba335f41a
Instruction ID: f271b2397c6f96dd0f70225db9bac0d0ddac37f1545c44bb95a936a317a422f8
Opcode Fuzzy Hash: c2009e3819e8ad92c3975e3baf8a818ba343002302a5d0519abc1b1ba335f41a
Instruction Fuzzy Hash: 7AD05E342002814BC759DA1CC6D4F5A7BD8AF50B14F1A48E9AC10CF762C7A4D8C1CA00

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: svchost.exePID: 7972, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	14.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	12
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 05510319 Relevance: 3.9, Strings: 3, Instructions: 171
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2l, xrefs: 05510554
2l, xrefs: 055104E9
2l, xrefs: 0551048B

Memory Dump Source

Source File: 00000006.00000002.1936443779.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5510000_svchost.jbxd

Similarity

API ID:
String ID: 2l$2l$2l
API String ID: 0-1498361692
Opcode ID: a8fecdf6d6960d9b935fc5b44620f47181d65ad9d2f6a2a947042a2225388310
Instruction ID: 2b5787423c15cf2b0965f819cfbf59b1ace12f5ab2f17c6eb58e94ad37620b0c
Opcode Fuzzy Hash: a8fecdf6d6960d9b935fc5b44620f47181d65ad9d2f6a2a947042a2225388310
Instruction Fuzzy Hash: 45513734B041518BDB18DB3880586BD77D7AFCA304B1556AAD406CB3E1DF39DC4A97E2

Uniqueness

Uniqueness Score: -1.00%

Function 05510368 Relevance: 3.9, Strings: 3, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2l, xrefs: 05510554
2l, xrefs: 055104E9
2l, xrefs: 0551048B

Memory Dump Source

Source File: 00000006.00000002.1936443779.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5510000_svchost.jbxd

Similarity

API ID:
String ID: 2l$2l$2l
API String ID: 0-1498361692
Opcode ID: 1199466c6b1fba94917a7614ff6beb3a3effc4e8d614b74f041b02d43e9a4d2e
Instruction ID: 720def39d0610f0f1536f58dfc723fe102b21338342938ee70c92ff930aa5185
Opcode Fuzzy Hash: 1199466c6b1fba94917a7614ff6beb3a3effc4e8d614b74f041b02d43e9a4d2e
Instruction Fuzzy Hash: 27510334B001118BDB18AB7580196BE36DBAFC9304B455669E806DB3E0DF39DD4A9BF2

Uniqueness

Uniqueness Score: -1.00%

Function 055103BD Relevance: 3.9, Strings: 3, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2l, xrefs: 05510554
2l, xrefs: 055104E9
2l, xrefs: 0551048B

Memory Dump Source

Source File: 00000006.00000002.1936443779.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5510000_svchost.jbxd

Similarity

API ID:
String ID: 2l$2l$2l
API String ID: 0-1498361692
Opcode ID: d299d6a236d26605cfd6293d11550f81adc864e86d55f2cfab8383b5879233fa
Instruction ID: da52e753eb33b9ff26d0ea993e8484368c0d06544a2b343b9f21a7b0aca91736
Opcode Fuzzy Hash: d299d6a236d26605cfd6293d11550f81adc864e86d55f2cfab8383b5879233fa
Instruction Fuzzy Hash: 53412434B001118BDB08AB7580193BE36D7AFD9208B055669D406DB7D0DF28DD4AA7F3

Uniqueness

Uniqueness Score: -1.00%

Function 02C1A612 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 02C1A6B9

Memory Dump Source

Source File: 00000006.00000002.1936119158.0000000002C1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C1A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c1a000_svchost.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 84571ea4f111e1a35668d50733a108747d8d84ab1cbf76270e7c988678906ff7
Instruction ID: 12ff3aacef350f3a84461e3b362291fa380dfc92b2ac3a79401ae59a3ef4dae0
Opcode Fuzzy Hash: 84571ea4f111e1a35668d50733a108747d8d84ab1cbf76270e7c988678906ff7
Instruction Fuzzy Hash: 6431B3715093805FE712CB65CD95B96BFF8EF06214F08849AE984CF292D375E909C771

Uniqueness

Uniqueness Score: -1.00%

Function 02C1A361 Relevance: 1.6, APIs: 1, Instructions: 85
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,86EA90AE,00000000,00000000,00000000,00000000), ref: 02C1A40C

Memory Dump Source

Source File: 00000006.00000002.1936119158.0000000002C1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C1A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c1a000_svchost.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 96d63eccd118359266c8fc58d9aecf224bda7ff06dbeb23931e28e5768e90481
Instruction ID: d0d5a1296908e13835d63569f3335a016c3f9cabede22003bb40e2cc8c8c9519
Opcode Fuzzy Hash: 96d63eccd118359266c8fc58d9aecf224bda7ff06dbeb23931e28e5768e90481
Instruction Fuzzy Hash: 5231A575505740AFD721CF15CC85F92BBF8EF46214F08849AE945CB292D324E949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 02C1A462 Relevance: 1.6, APIs: 1, Instructions: 77
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegSetValueExW.KERNELBASE(?,00000E24,86EA90AE,00000000,00000000,00000000,00000000), ref: 02C1A4F8

Memory Dump Source

Source File: 00000006.00000002.1936119158.0000000002C1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C1A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c1a000_svchost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: ae50844fabb15e55bb3ce24c2724e3accb2b1192fee2d25d9dd1215a0f7ee0cf
Instruction ID: 8af41f4282515f3c8dfb89e5528fc040db9031183c3df83ffa5cbf2c37104f10
Opcode Fuzzy Hash: ae50844fabb15e55bb3ce24c2724e3accb2b1192fee2d25d9dd1215a0f7ee0cf
Instruction Fuzzy Hash: C621C472509780AFD7228F11CC45FA3BFB8EF46210F08849AE985CB652D364E548C771

Uniqueness

Uniqueness Score: -1.00%

Function 02C1A646 Relevance: 1.6, APIs: 1, Instructions: 72
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 02C1A6B9

Memory Dump Source

Source File: 00000006.00000002.1936119158.0000000002C1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C1A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c1a000_svchost.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 14cdeb67fb183957df57046a2d862071f070c55bda44272c1e7ee46d33e4588a
Instruction ID: f07a6596511e264686f569cd88e4ce2b1d04a6f39bdfa0e6031f52127f4cafdb
Opcode Fuzzy Hash: 14cdeb67fb183957df57046a2d862071f070c55bda44272c1e7ee46d33e4588a
Instruction Fuzzy Hash: 3821A4716012409FE720CF66CD86BA6FBE8EF05214F048469ED49CF741D775E909CAB6

Uniqueness

Uniqueness Score: -1.00%

Function 02C1A392 Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,86EA90AE,00000000,00000000,00000000,00000000), ref: 02C1A40C

Memory Dump Source

Source File: 00000006.00000002.1936119158.0000000002C1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C1A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c1a000_svchost.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: b0b99626ffb7e57119300db6033faaf67711b400045987b8ba324aeba298b25d
Instruction ID: 37279f8d984aaccea95c1a0b3ae1dc0cc96d9785a2b32df21067d58354062153
Opcode Fuzzy Hash: b0b99626ffb7e57119300db6033faaf67711b400045987b8ba324aeba298b25d
Instruction Fuzzy Hash: 8C21D275601204AFE720CF15CC86FA2F7ECEF45614F08845AED49CB651D370E948DAB2

Uniqueness

Uniqueness Score: -1.00%

Function 02C1A486 Relevance: 1.6, APIs: 1, Instructions: 65
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegSetValueExW.KERNELBASE(?,00000E24,86EA90AE,00000000,00000000,00000000,00000000), ref: 02C1A4F8

Memory Dump Source

Source File: 00000006.00000002.1936119158.0000000002C1A000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C1A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c1a000_svchost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 551053f3ece3feccb07471e00730ffff5bb068d1116d26ea60fe2bf222186ff8
Instruction ID: 7c7d0a6f1200fbfe0d3ba2970437a736681a0f39643f69719471aee045e7c8bb
Opcode Fuzzy Hash: 551053f3ece3feccb07471e00730ffff5bb068d1116d26ea60fe2bf222186ff8
Instruction Fuzzy Hash: 7311D376600600AFE7218E15CD46FA7FBECEF55614F08845AED45CA641D370E548DAB2

Uniqueness

Uniqueness Score: -1.00%

Function 05510080 Relevance: .1, Instructions: 130
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.1936443779.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5510000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd560da50873d27fafa85c290fa6071498df85ef216a550d9ab70c3a5406a1b2
Instruction ID: 932d169f52b570bb60f6aee07cd6b9445d2500619ba628b35e510030f0e5a8ad
Opcode Fuzzy Hash: cd560da50873d27fafa85c290fa6071498df85ef216a550d9ab70c3a5406a1b2
Instruction Fuzzy Hash: A75178346115458FC704DB34E5489EA77F6FBE9348B40A6A9E0044B269DF3C7C5ECB92

Uniqueness

Uniqueness Score: -1.00%

Function 02E01047 Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.1936289073.0000000002E01000.00000040.00000020.00020000.00000000.sdmp, Offset: 02E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2e01000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a9bab9eacdedb0c35a974a18a4c199126993bef9b1f29f3d2b656b2574bce0c
Instruction ID: 3f328b74ac749564e547c459bbfae6d6a9ba906a5aebd0b184f1b778c1a522c1
Opcode Fuzzy Hash: 2a9bab9eacdedb0c35a974a18a4c199126993bef9b1f29f3d2b656b2574bce0c
Instruction Fuzzy Hash: CF01A2755497805FC3118B16AC50893BFF8EF8723070985ABEC498B662D229B919CB62

Uniqueness

Uniqueness Score: -1.00%

Function 02E0106E Relevance: .0, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.1936289073.0000000002E01000.00000040.00000020.00020000.00000000.sdmp, Offset: 02E01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2e01000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9d1da815f1ca084c676ca1b0666de16a5da2c1a1aea5eefb89fdcfafd9ad67e
Instruction ID: dd4ac05f95676a9e10725691d13c11b53182e41ac9e54b58a1a509cd6b73f87d
Opcode Fuzzy Hash: d9d1da815f1ca084c676ca1b0666de16a5da2c1a1aea5eefb89fdcfafd9ad67e
Instruction Fuzzy Hash: B7E092B66046048B9750CF0AEC81452F7D8EB84630708C07FDC0D8BB01E276F508CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 02C123F4 Relevance: .0, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.1936106626.0000000002C12000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C12000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c12000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c082b876c8bd593cd31225d9b5bb2d220112643700134b0f4fc60c29df4f5db
Instruction ID: 34424e53ae37fe5a086b8c403bac2389f49e8705cef8b1aaad6de1526604f0d0
Opcode Fuzzy Hash: 7c082b876c8bd593cd31225d9b5bb2d220112643700134b0f4fc60c29df4f5db
Instruction Fuzzy Hash: 19D05EB92056D14FD3169A1CC1A6B9537D8ABA2718F4A44F9AC008B763C768E681E601

Uniqueness

Uniqueness Score: -1.00%

Function 02C123BC Relevance: .0, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.1936106626.0000000002C12000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C12000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c12000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c596792ef55bd80078ea1c8a48c00ebc4db1cd0cb411c62f6cac056b7997666
Instruction ID: 9fdbb4125c0e7176e3f1c46d28d9374d408971478ace2366ddb60cbf892c18f4
Opcode Fuzzy Hash: 2c596792ef55bd80078ea1c8a48c00ebc4db1cd0cb411c62f6cac056b7997666
Instruction Fuzzy Hash: EFD05E382002814FC715DA0CC6D5F9937D8AB91B18F5A44E8AC108B762C7A4D9C1EA01

Uniqueness

Uniqueness Score: -1.00%

Function 0551006A Relevance: .0, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.1936443779.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5510000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a39e48f18ad849e3ce88d3df09c8252815fc3a6b826e19e5620f6555318e2dac
Instruction ID: 148f7cf6094a581eba774c861599d87624cb484585e4745132068379af038669
Opcode Fuzzy Hash: a39e48f18ad849e3ce88d3df09c8252815fc3a6b826e19e5620f6555318e2dac
Instruction Fuzzy Hash: D59002A1C90094C78D109694A90974E3728AA8061132746D59105C3900DE2CA0198571

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: svchost.exePID: 8180, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	11.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	19
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 05480310 Relevance: 3.9, Strings: 3, Instructions: 189
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2l, xrefs: 0548048B
2l, xrefs: 05480554
2l, xrefs: 054804E9

Memory Dump Source

Source File: 00000009.00000002.2021884021.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5480000_svchost.jbxd

Similarity

API ID:
String ID: 2l$2l$2l
API String ID: 0-1498361692
Opcode ID: 018e278f648425db81a874b1571e0c07508141a7bd56a4446f620c94cf11a0c4
Instruction ID: 48d6c952df1c63efd094442a2e82bb12f317218ca39e4b20f738204a8f9eeb27
Opcode Fuzzy Hash: 018e278f648425db81a874b1571e0c07508141a7bd56a4446f620c94cf11a0c4
Instruction Fuzzy Hash: 505102307002118FDB18EB7994196BF76E7AFD5304B0444AAE406DB7D5DF79DC0A8BA2

Uniqueness

Uniqueness Score: -1.00%

Function 054803BD Relevance: 3.9, Strings: 3, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2l, xrefs: 0548048B
2l, xrefs: 05480554
2l, xrefs: 054804E9

Memory Dump Source

Source File: 00000009.00000002.2021884021.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5480000_svchost.jbxd

Similarity

API ID:
String ID: 2l$2l$2l
API String ID: 0-1498361692
Opcode ID: a0366772c2daa13746eecce9a4dbf0c368ae2b5052fe3dff6d497c33417c28f4
Instruction ID: d5d9eb1cba9d1f4024601c87b37c3179f3f1b18bfd66f82e7411b20679717778
Opcode Fuzzy Hash: a0366772c2daa13746eecce9a4dbf0c368ae2b5052fe3dff6d497c33417c28f4
Instruction Fuzzy Hash: E341F230B402218B8B18BB7990187BE72D79FD564870844AEE406DB7D5DF79CD0A9BE3

Uniqueness

Uniqueness Score: -1.00%

Function 02A4A612 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 02A4A6B9

Memory Dump Source

Source File: 00000009.00000002.2021378519.0000000002A4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a4a000_svchost.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: ee9cd00830e39109986de3c6c6a3ef98003aded2daa8f7733ef1143cb83d2bb4
Instruction ID: 9ca66e661ee9ec2b800da3d5501dd4188796d6975072b5006a6f69a51ab6477e
Opcode Fuzzy Hash: ee9cd00830e39109986de3c6c6a3ef98003aded2daa8f7733ef1143cb83d2bb4
Instruction Fuzzy Hash: 8231B0715093806FE711CB25CC95B96BFF8EF06210F08849AE988CF293D764E909C761

Uniqueness

Uniqueness Score: -1.00%

Function 02A4A361 Relevance: 1.6, APIs: 1, Instructions: 85
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,B6D09D9A,00000000,00000000,00000000,00000000), ref: 02A4A40C

Memory Dump Source

Source File: 00000009.00000002.2021378519.0000000002A4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a4a000_svchost.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 5ab722dfafe1cf08dc170f467312c13b26d170f5cee8c1fad4faabc532aa5fff
Instruction ID: 027d7f77700f00bf2d2d7fbdf90dc29658d267e14096707745e804601c03149d
Opcode Fuzzy Hash: 5ab722dfafe1cf08dc170f467312c13b26d170f5cee8c1fad4faabc532aa5fff
Instruction Fuzzy Hash: 4A31BF75505780AFE722CF15CC94F92BBF8EF46214F08849AE985CB293D724E948CB71

Uniqueness

Uniqueness Score: -1.00%

Function 02A4A462 Relevance: 1.6, APIs: 1, Instructions: 77
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegSetValueExW.KERNELBASE(?,00000E24,B6D09D9A,00000000,00000000,00000000,00000000), ref: 02A4A4F8

Memory Dump Source

Source File: 00000009.00000002.2021378519.0000000002A4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a4a000_svchost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: a908f78c882ce3d614b1fea893b0cf24108b668e4b7ef0ebb85c951f0247ec44
Instruction ID: abc3a0d11ba7970e8400f852ff3ebac3c2a096a3d059576c6786f612c3530b44
Opcode Fuzzy Hash: a908f78c882ce3d614b1fea893b0cf24108b668e4b7ef0ebb85c951f0247ec44
Instruction Fuzzy Hash: 4221C4725443806FD7228F11CC94FA7BFB8EF46210F08849AE985CB652C764E448CB71

Uniqueness

Uniqueness Score: -1.00%

Function 02A4A646 Relevance: 1.6, APIs: 1, Instructions: 72
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 02A4A6B9

Memory Dump Source

Source File: 00000009.00000002.2021378519.0000000002A4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a4a000_svchost.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 4da6cd0197a6008b89661cf4c73c3d0d943ac31be1b674ab7fd5acfb2e04c614
Instruction ID: 8e4c282787b439fd5cb4912d8446cf35fe04196d406c8e5c5da4d20226169938
Opcode Fuzzy Hash: 4da6cd0197a6008b89661cf4c73c3d0d943ac31be1b674ab7fd5acfb2e04c614
Instruction Fuzzy Hash: B721CF71600200AFE720CF65CD95BA6FBE8EF45224F04846AED48CF742DB75E908CA72

Uniqueness

Uniqueness Score: -1.00%

Function 02A4A710 Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 02A4A780

Memory Dump Source

Source File: 00000009.00000002.2021378519.0000000002A4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a4a000_svchost.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: c685cf7a3be85b15c03c69153cece23d09064389d293f557ef4b510d494cb83d
Instruction ID: e069d93d24eba4a48356da5b1a745ffd0afbb6280cbbb6967d945224ba4a7417
Opcode Fuzzy Hash: c685cf7a3be85b15c03c69153cece23d09064389d293f557ef4b510d494cb83d
Instruction Fuzzy Hash: A42105B55093809FDB128F25DC95792BFB4EF43220F0880EBDD858F653D2359909CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02A4A392 Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,B6D09D9A,00000000,00000000,00000000,00000000), ref: 02A4A40C

Memory Dump Source

Source File: 00000009.00000002.2021378519.0000000002A4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a4a000_svchost.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: f20a5d6868df35eeda972a4d26e4eb723bc8158f2f455472ef6e438a091069da
Instruction ID: 6e6296ac7fb13b1d95c1512b413c300ff43ef5728a5974427693d9815d022911
Opcode Fuzzy Hash: f20a5d6868df35eeda972a4d26e4eb723bc8158f2f455472ef6e438a091069da
Instruction Fuzzy Hash: 4C218E75640604AFE720CF15CC84FA6B7ECEF54614F08845AED46CB652DB60E949CA72

Uniqueness

Uniqueness Score: -1.00%

Function 02A4A486 Relevance: 1.6, APIs: 1, Instructions: 65
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegSetValueExW.KERNELBASE(?,00000E24,B6D09D9A,00000000,00000000,00000000,00000000), ref: 02A4A4F8

Memory Dump Source

Source File: 00000009.00000002.2021378519.0000000002A4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a4a000_svchost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 46dcb0196e6d8d4bd8ab94dc8c4a4dae21c6564c0c2bc3d5666c2ef82777d585
Instruction ID: c32bacd72385c6f4582b824a93198a35acb76a93413c92195f84021ddf12a574
Opcode Fuzzy Hash: 46dcb0196e6d8d4bd8ab94dc8c4a4dae21c6564c0c2bc3d5666c2ef82777d585
Instruction Fuzzy Hash: 2A11D3B2640600AFE7208F15CD85FA7FBECEF44614F08845AED49CB642DB70E548CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 02A4A74E Relevance: 1.5, APIs: 1, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 02A4A780

Memory Dump Source

Source File: 00000009.00000002.2021378519.0000000002A4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a4a000_svchost.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: ed9eda30427010f377f43baa00ff87d0b91a3469d3ffe6bae26d3405ccfedc6b
Instruction ID: 1223c836ef536ae776541490d2c22e424c51a31fa27cb31ca3592e64a8766dbe
Opcode Fuzzy Hash: ed9eda30427010f377f43baa00ff87d0b91a3469d3ffe6bae26d3405ccfedc6b
Instruction Fuzzy Hash: 0E01BC75A40200DFEB208F25D895B66FBA4EF45220F08C4AADD49CB642DA75E408CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 05480006 Relevance: .2, Instructions: 183
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2021884021.0000000005480000.00000040.00000800.00020000.00000000.sdmp, Offset: 05480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5480000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6697b831ed6785b049b50229e12230c069916e2107ce70834e1a7145c686de70
Instruction ID: d7d14c666908e4b73f208a094815e5dc7d2737b99890baaf2b34dc5f9882b38d
Opcode Fuzzy Hash: 6697b831ed6785b049b50229e12230c069916e2107ce70834e1a7145c686de70
Instruction Fuzzy Hash: 3771803070A3858FC705DB78F55959E7BB1EFB220870584AED0448B2A7DF789C1ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 02C01048 Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2021589264.0000000002C01000.00000040.00000020.00020000.00000000.sdmp, Offset: 02C01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2c01000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f726f89b8c24fcfd6ecbb8db320755164cd60a476e9a053b7281b05b18deca85
Instruction ID: 09269d6a87f8e92a2a0a3535505d66caaf148a7ef01951bd26819776e78ab501
Opcode Fuzzy Hash: f726f89b8c24fcfd6ecbb8db320755164cd60a476e9a053b7281b05b18deca85
Instruction Fuzzy Hash: 030167765497805FD7118B159C40862FFB8EF86520709C49BE8498B652D165A809C772

Uniqueness

Uniqueness Score: -1.00%

Function 02C0106E Relevance: .0, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2021589264.0000000002C01000.00000040.00000020.00020000.00000000.sdmp, Offset: 02C01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2c01000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87257cb15d96427ead63e896a93ee603033d414785aa31e7aabcb4cd5cb22ac6
Instruction ID: da68a024787472502abf7e076712aa069895a69045d347aefc74d983eed0e5ff
Opcode Fuzzy Hash: 87257cb15d96427ead63e896a93ee603033d414785aa31e7aabcb4cd5cb22ac6
Instruction Fuzzy Hash: 05E092B66406005B9750DF0AEC41452F7D8EB84630708C07FDC0D8BB01D275F508CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 02A423F4 Relevance: .0, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2021365357.0000000002A42000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A42000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a42000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 635d181c98b11135bb5610f7794a4cc39b16f1d98bbe0a7a5fc2b4b065d1a4dc
Instruction ID: 7797deff7d3d80eb27abf23fef0f514d8f95b653400a64b29fb5a82f61b9745d
Opcode Fuzzy Hash: 635d181c98b11135bb5610f7794a4cc39b16f1d98bbe0a7a5fc2b4b065d1a4dc
Instruction Fuzzy Hash: 88D05E792456C14FD3169B1CC1A8BA537D8ABA1718F8A44F9AC008BBA3CF68D581D600

Uniqueness

Uniqueness Score: -1.00%

Function 02A423BC Relevance: .0, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2021365357.0000000002A42000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A42000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a42000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7c043e4691f9f87293fe537929372c35c3b9b1d9df39096814b85bacbfa2df3
Instruction ID: 4f94e2c7ef991ff6afba110ff31f9923534d69a43fc33a62ae90dce62990e8a5
Opcode Fuzzy Hash: c7c043e4691f9f87293fe537929372c35c3b9b1d9df39096814b85bacbfa2df3
Instruction Fuzzy Hash: F6D05E342002814BD715DB0CC6D4F5937E8AB90B18F1A44E8BC108B762CBA4E8C1CA00

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: svchost.exePID: 3548, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	18.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	19
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 053E0310 Relevance: 7.7, Strings: 6, Instructions: 189
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

=[, xrefs: 053E0477, 053E047C
-[, xrefs: 053E04DA, 053E04DF
2l, xrefs: 053E0554
[, xrefs: 053E0545, 053E054A
2l, xrefs: 053E04E9
2l, xrefs: 053E048B

Memory Dump Source

Source File: 0000000A.00000002.2103657243.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53e0000_svchost.jbxd

Similarity

API ID:
String ID: [$-[$2l$2l$2l$=[
API String ID: 0-1850338162
Opcode ID: 712b31b4a60f1708e8361397ccbc9cfab871f75a99a3d869fde80eaa0ba0321a
Instruction ID: 2ad3e2cd3050359867266b1226ccc8572cdaa00183d178aaa358ef0ea0de9ae7
Opcode Fuzzy Hash: 712b31b4a60f1708e8361397ccbc9cfab871f75a99a3d869fde80eaa0ba0321a
Instruction Fuzzy Hash: A2513230B042119FC709DB7AC8556BE3BE7AFC5204B0445AAD406DB3D1CF79DC4A8BA2

Uniqueness

Uniqueness Score: -1.00%

Function 053E03BD Relevance: 7.6, Strings: 6, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

=[, xrefs: 053E0477, 053E047C
-[, xrefs: 053E04DA, 053E04DF
2l, xrefs: 053E0554
[, xrefs: 053E0545, 053E054A
2l, xrefs: 053E04E9
2l, xrefs: 053E048B

Memory Dump Source

Source File: 0000000A.00000002.2103657243.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53e0000_svchost.jbxd

Similarity

API ID:
String ID: [$-[$2l$2l$2l$=[
API String ID: 0-1850338162
Opcode ID: fe523472d49d64e636ede0fadfc34a61ea38b93b34a6f85bb360347babb4f0ce
Instruction ID: ac98f51f035688cf41f35862aae79dc5139c4f022df96fd15ef294381ea6545a
Opcode Fuzzy Hash: fe523472d49d64e636ede0fadfc34a61ea38b93b34a6f85bb360347babb4f0ce
Instruction Fuzzy Hash: 77410030B042258BCB09EB7A84297BE36D79FD5608748446AD406DB7D1DF78CC4A8BE3

Uniqueness

Uniqueness Score: -1.00%

Function 029AA612 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 029AA6B9

Memory Dump Source

Source File: 0000000A.00000002.2103265703.00000000029AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 029AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_29aa000_svchost.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 6f1f73bf516bb164b3a0456d8058ed685ca7aebad0490d4e904f8dd311e174eb
Instruction ID: 7b69edac15005a9a80f04af9197a0f12325bca426b3030d0bdce993345de61b6
Opcode Fuzzy Hash: 6f1f73bf516bb164b3a0456d8058ed685ca7aebad0490d4e904f8dd311e174eb
Instruction Fuzzy Hash: 643193755093805FE711CB65CC95B96BFF8EF06214F08849AE984CF292D375E909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 029AA361 Relevance: 1.6, APIs: 1, Instructions: 85
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,8308BC47,00000000,00000000,00000000,00000000), ref: 029AA40C

Memory Dump Source

Source File: 0000000A.00000002.2103265703.00000000029AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 029AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_29aa000_svchost.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 12275f409252d1546dc1d9696645842ccfc638bf27235126afe3b64eb771cd1c
Instruction ID: 6b27242b23ba567ffb3f685b3efce0971e6f73a9c1d80336cb4831bed059faea
Opcode Fuzzy Hash: 12275f409252d1546dc1d9696645842ccfc638bf27235126afe3b64eb771cd1c
Instruction Fuzzy Hash: 47317375505744AFD722CF15CC94F92BBFCEF06614F08849AE985CB292D324E949CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 029AA462 Relevance: 1.6, APIs: 1, Instructions: 77
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegSetValueExW.KERNELBASE(?,00000E24,8308BC47,00000000,00000000,00000000,00000000), ref: 029AA4F8

Memory Dump Source

Source File: 0000000A.00000002.2103265703.00000000029AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 029AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_29aa000_svchost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 92856508add691d054002ded6a6000d4bbe8b804a487c86aefc71baa23e67c99
Instruction ID: 96a2a95b61991756e0741a9900ead8519a9c918296260bb4af96e6b751a2ee7b
Opcode Fuzzy Hash: 92856508add691d054002ded6a6000d4bbe8b804a487c86aefc71baa23e67c99
Instruction Fuzzy Hash: CD2190B25053806FD7228F15DC54FA7BFBCEF46214F08849AE989CB652D364E948C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 029AA646 Relevance: 1.6, APIs: 1, Instructions: 72
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 029AA6B9

Memory Dump Source

Source File: 0000000A.00000002.2103265703.00000000029AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 029AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_29aa000_svchost.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 5d29961fd12b7175ce6a8b961f2194bdbd473b5b8ff120b6375215bd97b10fbc
Instruction ID: e6dfdb74f57134d98e2a6c9be2ee35100202b8a7f7269f14ddf81590a544c4eb
Opcode Fuzzy Hash: 5d29961fd12b7175ce6a8b961f2194bdbd473b5b8ff120b6375215bd97b10fbc
Instruction Fuzzy Hash: C02180716002409FE720CB69CD55BA6FBF8EF05214F04886AE948CB741D775E909CAB6

Uniqueness

Uniqueness Score: -1.00%

Function 029AA710 Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 029AA780

Memory Dump Source

Source File: 0000000A.00000002.2103265703.00000000029AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 029AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_29aa000_svchost.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 06442b10b68f4ea3568461c94fe379be12c0fdad3bd25c4eeecd2f5357b85979
Instruction ID: 55332aa9def288e7310d05837530420f59e9b2423b062b87b00ae2ff7975702c
Opcode Fuzzy Hash: 06442b10b68f4ea3568461c94fe379be12c0fdad3bd25c4eeecd2f5357b85979
Instruction Fuzzy Hash: C72105B55093809FDB028F25DC95792BFB8EF03220F0880EBDD858F653D2359909CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 029AA392 Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,8308BC47,00000000,00000000,00000000,00000000), ref: 029AA40C

Memory Dump Source

Source File: 0000000A.00000002.2103265703.00000000029AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 029AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_29aa000_svchost.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: e4cad28173c2737acb6a6f94ea2bcaf1461895e97bddc6b4aa14a06bee5c2c90
Instruction ID: 612658d1d8886f93a41bbc8c5552ea369872c5922436d78159f8decc1682dd23
Opcode Fuzzy Hash: e4cad28173c2737acb6a6f94ea2bcaf1461895e97bddc6b4aa14a06bee5c2c90
Instruction Fuzzy Hash: 7C218C75600704AFE720CE15CC84FA6F7FCEF04614F08846AED49CB651D764E949CAB6

Uniqueness

Uniqueness Score: -1.00%

Function 029AA486 Relevance: 1.6, APIs: 1, Instructions: 65
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegSetValueExW.KERNELBASE(?,00000E24,8308BC47,00000000,00000000,00000000,00000000), ref: 029AA4F8

Memory Dump Source

Source File: 0000000A.00000002.2103265703.00000000029AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 029AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_29aa000_svchost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: fa17d68eec0deb31f377aef37f247cb8e85d164a84278cda042475b3b09a6f8d
Instruction ID: eb471c33a34ca4c6f0dcb11c0f43d94af0ab1ba385ecc4cbc007ae03f7e65106
Opcode Fuzzy Hash: fa17d68eec0deb31f377aef37f247cb8e85d164a84278cda042475b3b09a6f8d
Instruction Fuzzy Hash: 7811BEB2600700AFEB218E15CC45FAABBFCEF04614F08845AED49CA641D360E548CAB6

Uniqueness

Uniqueness Score: -1.00%

Function 029AA74E Relevance: 1.5, APIs: 1, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 029AA780

Memory Dump Source

Source File: 0000000A.00000002.2103265703.00000000029AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 029AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_29aa000_svchost.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 0be449652f117ede6ca0e7fbc01c720825fa79228bc9fd2543363d9a7cd49c2f
Instruction ID: f1d9e7c6b53836367b742a73d6fee38a75c303567fb50c85466bb03f8ee50975
Opcode Fuzzy Hash: 0be449652f117ede6ca0e7fbc01c720825fa79228bc9fd2543363d9a7cd49c2f
Instruction Fuzzy Hash: 0601DF71A003008FEB508F15D995766FBF8DF05220F08C4ABDD498B742D379E508CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 053E0080 Relevance: .1, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.2103657243.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53e0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2517774af5128f202394316d88b1a66ce5f7351dc168ff5ef60b35d0ff42f543
Instruction ID: 23eedca4637282c2fa7d9dd6ad7cf9f498004baddee224fc3b45ded283d00df2
Opcode Fuzzy Hash: 2517774af5128f202394316d88b1a66ce5f7351dc168ff5ef60b35d0ff42f543
Instruction Fuzzy Hash: 1C517530A45646DBD704DF36ED9459A7FB2EFA13087008569D0048B76ADF389CADCF82

Uniqueness

Uniqueness Score: -1.00%

Function 02A01048 Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.2103373808.0000000002A01000.00000040.00000020.00020000.00000000.sdmp, Offset: 02A01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2a01000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 918f9e9d108ee19651d495dd6d56dadca34e1e2a45da3be3ebcb1906a9f20be8
Instruction ID: 5603edece2633e78cafc5e9ee1a1b5ed600c144318427b76ec8e0d8712495a74
Opcode Fuzzy Hash: 918f9e9d108ee19651d495dd6d56dadca34e1e2a45da3be3ebcb1906a9f20be8
Instruction Fuzzy Hash: 4901A2B55097806FC7028F25AC40862FFB8EF86630709C4DFEC49CB612D229A809CB72

Uniqueness

Uniqueness Score: -1.00%

Function 053E0018 Relevance: .0, Instructions: 40
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.2103657243.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_53e0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7da85daf56797c9f4addaef49d694256d3dfa63820d5e491a80691c30503267
Instruction ID: fb5c3163c4c525b1065f7418badab4347c7c2807d86b5e56bf907dd217980b05
Opcode Fuzzy Hash: d7da85daf56797c9f4addaef49d694256d3dfa63820d5e491a80691c30503267
Instruction Fuzzy Hash: A2F066AA80E3C18FD71343649CBA2A13FB09E2320671E04CBC4C1CA6A3E048585AE333

Uniqueness

Uniqueness Score: -1.00%

Function 02A0106E Relevance: .0, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.2103373808.0000000002A01000.00000040.00000020.00020000.00000000.sdmp, Offset: 02A01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2a01000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a36bdee5b9621501ace3c2ba49090c3aab2b722f73dcb93023c66c0ea68344d
Instruction ID: 7ea4bad27f8cffd0eaf9c79611d2b108465723b37357b29385e26f6b03b94332
Opcode Fuzzy Hash: 1a36bdee5b9621501ace3c2ba49090c3aab2b722f73dcb93023c66c0ea68344d
Instruction Fuzzy Hash: 36E092B66006048B9750CF0AEC41462F7D8EB84630B08C07FDC0D8B701D635F508CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 029A23F4 Relevance: .0, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.2103254499.00000000029A2000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_29a2000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29d40a1679e9143dbdceb1e954c450eec2b0a7e60aa1cdc21811135b1362fec0
Instruction ID: d069a24878edf5dcb394f2d92cfa770b0e00ff12d42c47703408f88cbf95b67a
Opcode Fuzzy Hash: 29d40a1679e9143dbdceb1e954c450eec2b0a7e60aa1cdc21811135b1362fec0
Instruction Fuzzy Hash: 93D05E796097C14FD3169B1CC1A4B9537D8AB61718F4A44F9AC048B763C768D581D640

Uniqueness

Uniqueness Score: -1.00%

Function 029A23BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2103254499.00000000029A2000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_29a2000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0d2cd48707715bf2c008a783464b494b2ee8243f77be2ede2e32f525faf594d
Instruction ID: 5c5183c2175b922f67246c8dd8ea913493c4b17cdb68e07e65477558f1e4d18d
Opcode Fuzzy Hash: e0d2cd48707715bf2c008a783464b494b2ee8243f77be2ede2e32f525faf594d
Instruction Fuzzy Hash: 30D05E346003814BCB15DB0CC6E4F5937D8AB51B18F1A44E8AC108B762CBA8D8C1CA40

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Njrat

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

HIPS / PFW / Operating System Protection Evasion

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\svchost.exe

C:\ProgramData\svchost.exe:Zone.Identifier

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\1.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\svchost.exe.log

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\134cc1d0196af692d1e58df35504bc9f.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\134cc1d0196af692d1e58df35504bc9f.exe:Zone.Identifier

C:\autorun.inf

C:\svchost.exe

Windows Analysis Report
1.exe

Function 04F80310 Relevance: 3.9, Strings: 3, Instructions: 191
COMMON

Function 04F803BD Relevance: 3.9, Strings: 3, Instructions: 135
COMMON

Function 04F80958 Relevance: 3.0, Strings: 2, Instructions: 483
COMMON

Function 00CCA612 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Function 00CCA361 Relevance: 1.6, APIs: 1, Instructions: 85
registryCOMMON

Function 00CCA462 Relevance: 1.6, APIs: 1, Instructions: 77
registryCOMMON

Function 00CCA646 Relevance: 1.6, APIs: 1, Instructions: 72
synchronizationCOMMON

Function 00CCAA07 Relevance: 1.6, APIs: 1, Instructions: 72
fileCOMMON

Function 00CCA392 Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON