Windows Analysis Report
R3ov8eFFFP.exe

Machine Learning detection for dropped file

Source: Yara match	File source: R3ov8eFFFP.exe, type: SAMPLE
Source: Yara match	File source: 0.0.R3ov8eFFFP.exe.460000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1688476254.0000000000462000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: R3ov8eFFFP.exe PID: 6664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ESET Service.exe PID: 3452, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\ESET Service.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fa8cebf4f3fd11252bf351a94ee5fa4a.exe, type: DROPPED
Source: Yara match	File source: C:\svchost.exe, type: DROPPED

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fa8cebf4f3fd11252bf351a94ee5fa4a.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Joe Sandbox ML: detected
Source: C:\svchost.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: R3ov8eFFFP.exe

Joe Sandbox ML: detected

Source: R3ov8eFFFP.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\R3ov8eFFFP.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Creates autorun.inf (USB autostart)

Source: R3ov8eFFFP.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Spreading

Source: C:\Users\user\AppData\Roaming\ESET Service.exe

File created: C:\autorun.inf

Snort IDS alert for network traffic

Source: R3ov8eFFFP.exe, 00000000.00000000.1688476254.0000000000462000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: autorun.inf
Source: R3ov8eFFFP.exe, 00000000.00000000.1688476254.0000000000462000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: [autorun]
Source: R3ov8eFFFP.exe, 00000000.00000002.1758561861.0000000002B71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: R3ov8eFFFP.exe, 00000000.00000002.1758561861.0000000002B71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: ESET Service.exe, 00000001.00000002.4131549355.0000000003384000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: ESET Service.exe, 00000001.00000002.4131549355.0000000003384000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: R3ov8eFFFP.exe	Binary or memory string: autorun.inf
Source: R3ov8eFFFP.exe	Binary or memory string: [autorun]
Source: autorun.inf.1.dr	Binary or memory string: [autorun]
Source: fa8cebf4f3fd11252bf351a94ee5fa4a.exe.1.dr	Binary or memory string: autorun.inf
Source: fa8cebf4f3fd11252bf351a94ee5fa4a.exe.1.dr	Binary or memory string: [autorun]
Source: ESET Service.exe.0.dr	Binary or memory string: autorun.inf
Source: ESET Service.exe.0.dr	Binary or memory string: [autorun]
Source: svchost.exe.1.dr	Binary or memory string: autorun.inf
Source: svchost.exe.1.dr	Binary or memory string: [autorun]

Networking

Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49729 -> 3.127.138.57:18227
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49729 -> 3.127.138.57:18227
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49729 -> 3.127.138.57:18227
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49729 -> 3.127.138.57:18227
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49729 -> 3.127.138.57:18227
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49736 -> 3.127.138.57:18227
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49736 -> 3.127.138.57:18227
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49736 -> 3.127.138.57:18227
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49736 -> 3.127.138.57:18227
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49736 -> 3.127.138.57:18227
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49738 -> 3.127.138.57:18227
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49738 -> 3.127.138.57:18227
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49738 -> 3.127.138.57:18227
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49738 -> 3.127.138.57:18227
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49739 -> 3.127.138.57:18227
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49739 -> 3.127.138.57:18227
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49739 -> 3.127.138.57:18227
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49739 -> 3.127.138.57:18227
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49740 -> 3.127.138.57:18227
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49740 -> 3.127.138.57:18227
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49740 -> 3.127.138.57:18227
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49741 -> 3.127.138.57:18227
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49741 -> 3.127.138.57:18227
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49741 -> 3.127.138.57:18227
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49741 -> 3.127.138.57:18227
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49741 -> 3.127.138.57:18227
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49742 -> 3.127.138.57:18227
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49742 -> 3.127.138.57:18227
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49742 -> 3.127.138.57:18227
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49743 -> 3.127.138.57:18227
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49743 -> 3.127.138.57:18227
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49743 -> 3.127.138.57:18227
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49743 -> 3.127.138.57:18227
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49743 -> 3.127.138.57:18227
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49744 -> 18.192.93.86:18227
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49744 -> 18.192.93.86:18227
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49744 -> 18.192.93.86:18227
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49745 -> 18.192.93.86:18227
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49745 -> 18.192.93.86:18227
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49745 -> 18.192.93.86:18227
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49745 -> 18.192.93.86:18227
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49745 -> 18.192.93.86:18227
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49746 -> 18.192.93.86:18227
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49746 -> 18.192.93.86:18227
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49746 -> 18.192.93.86:18227
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49746 -> 18.192.93.86:18227
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49746 -> 18.192.93.86:18227
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49747 -> 18.192.93.86:18227
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49747 -> 18.192.93.86:18227
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49747 -> 18.192.93.86:18227
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49748 -> 18.192.93.86:18227
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49748 -> 18.192.93.86:18227
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49748 -> 18.192.93.86:18227
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49748 -> 18.192.93.86:18227
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49748 -> 18.192.93.86:18227
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49749 -> 18.192.93.86:18227
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49749 -> 18.192.93.86:18227
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49749 -> 18.192.93.86:18227
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49749 -> 18.192.93.86:18227
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49749 -> 18.192.93.86:18227
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49750 -> 18.197.239.5:18227
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49750 -> 18.197.239.5:18227
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49750 -> 18.197.239.5:18227
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49750 -> 18.197.239.5:18227
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49750 -> 18.197.239.5:18227
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49751 -> 18.197.239.5:18227
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49751 -> 18.197.239.5:18227
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49751 -> 18.197.239.5:18227
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49751 -> 18.197.239.5:18227
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49751 -> 18.197.239.5:18227
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49752 -> 18.197.239.5:18227
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49752 -> 18.197.239.5:18227
Source: Traffic	Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49752 -> 18.197.239.5:18227

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 2.tcp.eu.ngrok.io

Source: global traffic	TCP traffic: 192.168.2.4:49729 -> 3.127.138.57:18227
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 18.192.93.86:18227
Source: global traffic	TCP traffic: 192.168.2.4:49750 -> 18.197.239.5:18227

Source: Joe Sandbox View	IP Address: 3.127.138.57 3.127.138.57
Source: Joe Sandbox View	IP Address: 18.192.93.86 18.192.93.86
Source: Joe Sandbox View	IP Address: 18.197.239.5 18.197.239.5

Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: 2.tcp.eu.ngrok.io

Source: R3ov8eFFFP.exe, fa8cebf4f3fd11252bf351a94ee5fa4a.exe.1.dr, ESET Service.exe.0.dr, svchost.exe.1.dr

String found in binary or memory: https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: R3ov8eFFFP.exe, kl.cs	.Net Code: VKCodeToUnicode
Source: ESET Service.exe.0.dr, kl.cs	.Net Code: VKCodeToUnicode
Source: fa8cebf4f3fd11252bf351a94ee5fa4a.exe.1.dr, kl.cs	.Net Code: VKCodeToUnicode
Source: svchost.exe.1.dr, kl.cs	.Net Code: VKCodeToUnicode

E-Banking Fraud

Protects its processes via BreakOnTermination flag

Source: Yara match	File source: R3ov8eFFFP.exe, type: SAMPLE
Source: Yara match	File source: 0.0.R3ov8eFFFP.exe.460000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1688476254.0000000000462000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: R3ov8eFFFP.exe PID: 6664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ESET Service.exe PID: 3452, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\ESET Service.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fa8cebf4f3fd11252bf351a94ee5fa4a.exe, type: DROPPED
Source: Yara match	File source: C:\svchost.exe, type: DROPPED

Operating System Destruction

Source: C:\Users\user\AppData\Roaming\ESET Service.exe

Process information set: 01 00 00 00

Malicious sample detected (through community Yara rule)

System Summary

Source: R3ov8eFFFP.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: R3ov8eFFFP.exe, type: SAMPLE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: R3ov8eFFFP.exe, type: SAMPLE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.0.R3ov8eFFFP.exe.460000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.0.R3ov8eFFFP.exe.460000.0.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.0.R3ov8eFFFP.exe.460000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000000.00000000.1688476254.0000000000462000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000000.1688476254.0000000000462000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Roaming\ESET Service.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\AppData\Roaming\ESET Service.exe, type: DROPPED	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Roaming\ESET Service.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fa8cebf4f3fd11252bf351a94ee5fa4a.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fa8cebf4f3fd11252bf351a94ee5fa4a.exe, type: DROPPED	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fa8cebf4f3fd11252bf351a94ee5fa4a.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\svchost.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\svchost.exe, type: DROPPED	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\svchost.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen

Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Code function: 1_2_058E010E NtSetInformationProcess,	1_2_058E010E
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Code function: 1_2_058E0346 NtQuerySystemInformation,	1_2_058E0346
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Code function: 1_2_058E00EC NtSetInformationProcess,	1_2_058E00EC
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Code function: 1_2_058E030B NtQuerySystemInformation,	1_2_058E030B

Source: R3ov8eFFFP.exe, 00000000.00000002.1757865607.00000000008FE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenamemscorwks.dllT vs R3ov8eFFFP.exe

Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: R3ov8eFFFP.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: R3ov8eFFFP.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: R3ov8eFFFP.exe, type: SAMPLE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: R3ov8eFFFP.exe, type: SAMPLE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.0.R3ov8eFFFP.exe.460000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.0.R3ov8eFFFP.exe.460000.0.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.0.R3ov8eFFFP.exe.460000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000000.00000000.1688476254.0000000000462000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000000.1688476254.0000000000462000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Roaming\ESET Service.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Roaming\ESET Service.exe, type: DROPPED	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Roaming\ESET Service.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fa8cebf4f3fd11252bf351a94ee5fa4a.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fa8cebf4f3fd11252bf351a94ee5fa4a.exe, type: DROPPED	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fa8cebf4f3fd11252bf351a94ee5fa4a.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\svchost.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\svchost.exe, type: DROPPED	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\svchost.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi

Source: classification engine

Classification label: mal100.spre.troj.adwa.spyw.evad.winEXE@12/10@4/3

Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Code function: 1_2_015EBDA2 AdjustTokenPrivileges,		1_2_015EBDA2
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Code function: 1_2_015EBD6B AdjustTokenPrivileges,		1_2_015EBD6B

Source: C:\Users\user\Desktop\R3ov8eFFFP.exe

File created: C:\Users\user\AppData\Roaming\ESET Service.exe

Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6404:120:WilError_03
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5300:120:WilError_03
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Mutant created: \Sessions\1\BaseNamedObjects\fa8cebf4f3fd11252bf351a94ee5fa4a

Source: R3ov8eFFFP.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: R3ov8eFFFP.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Windows\SysWOW64\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "taskmgr.exe")

Source: C:\Users\user\Desktop\R3ov8eFFFP.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Users\user\Desktop\R3ov8eFFFP.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: R3ov8eFFFP.exe

ReversingLabs: Detection: 97%

Source: C:\Users\user\Desktop\R3ov8eFFFP.exe

File read: C:\Users\user\Desktop\R3ov8eFFFP.exe

Source: unknown	Process created: C:\Users\user\Desktop\R3ov8eFFFP.exe C:\Users\user\Desktop\R3ov8eFFFP.exe
Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	Process created: C:\Users\user\AppData\Roaming\ESET Service.exe "C:\Users\user\AppData\Roaming\ESET Service.exe"
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\ESET Service.exe" "ESET Service.exe" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM taskmgr.exe
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\ESET Service.exe "C:\Users\user\AppData\Roaming\ESET Service.exe" ..
Source: unknown	Process created: C:\Users\user\AppData\Roaming\ESET Service.exe "C:\Users\user\AppData\Roaming\ESET Service.exe" ..
Source: unknown	Process created: C:\Users\user\AppData\Roaming\ESET Service.exe "C:\Users\user\AppData\Roaming\ESET Service.exe" ..
Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	Process created: C:\Users\user\AppData\Roaming\ESET Service.exe "C:\Users\user\AppData\Roaming\ESET Service.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\ESET Service.exe" "ESET Service.exe" ENABLE	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM taskmgr.exe	Jump to behavior

Source: C:\Users\user\AppData\Roaming\ESET Service.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Source: C:\Users\user\AppData\Roaming\ESET Service.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Source: R3ov8eFFFP.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\R3ov8eFFFP.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

.NET source code contains potential unpacker

Source: R3ov8eFFFP.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: R3ov8eFFFP.exe, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: ESET Service.exe.0.dr, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: fa8cebf4f3fd11252bf351a94ee5fa4a.exe.1.dr, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: svchost.exe.1.dr, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])

Persistence and Installation Behavior

Drops PE files with benign system names

Source: C:\Users\user\AppData\Roaming\ESET Service.exe

File created: C:\svchost.exe

Jump to dropped file

Source: C:\Users\user\AppData\Roaming\ESET Service.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fa8cebf4f3fd11252bf351a94ee5fa4a.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	File created: C:\svchost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	File created: C:\Users\user\AppData\Roaming\ESET Service.exe	Jump to dropped file

Boot Survival

Creates autostart registry keys with suspicious names

Source: C:\Users\user\AppData\Roaming\ESET Service.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run fa8cebf4f3fd11252bf351a94ee5fa4a

Drops PE files to the startup folder

Source: C:\Users\user\AppData\Roaming\ESET Service.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fa8cebf4f3fd11252bf351a94ee5fa4a.exe

Jump to dropped file

Source: C:\Users\user\AppData\Roaming\ESET Service.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fa8cebf4f3fd11252bf351a94ee5fa4a.exe

Source: C:\Users\user\AppData\Roaming\ESET Service.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fa8cebf4f3fd11252bf351a94ee5fa4a.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fa8cebf4f3fd11252bf351a94ee5fa4a.exe\:Zone.Identifier:$DATA			Jump to behavior

Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run fa8cebf4f3fd11252bf351a94ee5fa4a	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run fa8cebf4f3fd11252bf351a94ee5fa4a	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run fa8cebf4f3fd11252bf351a94ee5fa4a	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run fa8cebf4f3fd11252bf351a94ee5fa4a	Jump to behavior

Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	Memory allocated: E00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	Memory allocated: 2B70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	Memory allocated: E50000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Memory allocated: 3380000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Memory allocated: 3380000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Memory allocated: 5380000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Memory allocated: C10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Memory allocated: 2870000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Memory allocated: 4870000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Memory allocated: E60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Memory allocated: 2C00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Memory allocated: EB0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Memory allocated: 1080000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Memory allocated: 2E60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Memory allocated: 11D0000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Window / User API: threadDelayed 3181	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Window / User API: threadDelayed 1490	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Window / User API: threadDelayed 3409	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Window / User API: foregroundWindowGot 535	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Window / User API: foregroundWindowGot 1159	Jump to behavior

Source: C:\Users\user\Desktop\R3ov8eFFFP.exe TID: 6708	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe TID: 2316	Thread sleep time: -1490000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe TID: 2316	Thread sleep time: -3409000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe TID: 6764	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe TID: 5220	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe TID: 6792	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\R3ov8eFFFP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: R3ov8eFFFP.exe, 00000000.00000002.1757865607.000000000095E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _VMware_PJ
Source: ESET Service.exe, 00000001.00000002.4130868397.00000000013E0000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000003.00000003.1823872110.0000000000D02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Roaming\ESET Service.exe

Process information queried: ProcessInformation

Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\R3ov8eFFFP.exe

Memory allocated: page read and write | page guard

.NET source code references suspicious native API functions

HIPS / PFW / Operating System Protection Evasion

Source: R3ov8eFFFP.exe, kl.cs	Reference to suspicious API methods: MapVirtualKey(a, 0u)
Source: R3ov8eFFFP.exe, kl.cs	Reference to suspicious API methods: GetAsyncKeyState(num2)
Source: R3ov8eFFFP.exe, OK.cs	Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)

Uses taskkill to terminate AV processes

Source: C:\Users\user\AppData\Roaming\ESET Service.exe

Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM taskmgr.exe

Source: C:\Users\user\Desktop\R3ov8eFFFP.exe

Process created: C:\Users\user\AppData\Roaming\ESET Service.exe "C:\Users\user\AppData\Roaming\ESET Service.exe"

Source: C:\Users\user\AppData\Roaming\ESET Service.exe

Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM taskmgr.exe

Source: ESET Service.exe, 00000001.00000002.4131549355.0000000003592000.00000004.00000800.00020000.00000000.sdmp, ESET Service.exe, 00000001.00000002.4131549355.0000000003384000.00000004.00000800.00020000.00000000.sdmp, ESET Service.exe, 00000001.00000002.4131549355.00000000035B3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: ESET Service.exe, 00000001.00000002.4131549355.0000000003592000.00000004.00000800.00020000.00000000.sdmp, ESET Service.exe, 00000001.00000002.4131549355.0000000003384000.00000004.00000800.00020000.00000000.sdmp, ESET Service.exe, 00000001.00000002.4131549355.00000000035B3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: program managerL.
Source: ESET Service.exe, 00000001.00000002.4131549355.0000000003384000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: program manager
Source: ESET Service.exe, 00000001.00000002.4131549355.00000000035B3000.00000004.00000800.00020000.00000000.sdmp, ESET Service.exe, 00000001.00000002.4131549355.00000000038BD000.00000004.00000800.00020000.00000000.sdmp, ESET Service.exe, 00000001.00000002.4131549355.0000000003682000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@9

Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ESET Service.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\ESET Service.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Modifies the windows firewall

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Roaming\ESET Service.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\ESET Service.exe" "ESET Service.exe" ENABLE

Uses netsh to modify the Windows network and firewall settings

Source: C:\Users\user\AppData\Roaming\ESET Service.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\ESET Service.exe" "ESET Service.exe" ENABLE

Stealing of Sensitive Information

Source: Yara match	File source: R3ov8eFFFP.exe, type: SAMPLE
Source: Yara match	File source: 0.0.R3ov8eFFFP.exe.460000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1688476254.0000000000462000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: R3ov8eFFFP.exe PID: 6664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ESET Service.exe PID: 3452, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\ESET Service.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fa8cebf4f3fd11252bf351a94ee5fa4a.exe, type: DROPPED
Source: Yara match	File source: C:\svchost.exe, type: DROPPED

Remote Access Functionality

Source: Yara match	File source: R3ov8eFFFP.exe, type: SAMPLE
Source: Yara match	File source: 0.0.R3ov8eFFFP.exe.460000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1688476254.0000000000462000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: R3ov8eFFFP.exe PID: 6664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ESET Service.exe PID: 3452, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\ESET Service.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fa8cebf4f3fd11252bf351a94ee5fa4a.exe, type: DROPPED
Source: Yara match	File source: C:\svchost.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	11 Replication Through Removable Media	21 Windows Management Instrumentation	221 Registry Run Keys / Startup Folder	1 Access Token Manipulation	11 Masquerading	1 Input Capture	111 Security Software Discovery	Remote Services	1 Input Capture	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	12 Process Injection	311 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	221 Registry Run Keys / Startup Folder	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Access Token Manipulation	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Process Injection	LSA Secrets	1 Peripheral Device Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	33 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
R3ov8eFFFP.exe	97%	ReversingLabs	ByteCode-MSIL.Backdoor.Ratenjay
R3ov8eFFFP.exe	100%	Avira	TR/ATRAPS.Gen
R3ov8eFFFP.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fa8cebf4f3fd11252bf351a94ee5fa4a.exe	100%	Avira	TR/ATRAPS.Gen
C:\Users\user\AppData\Roaming\ESET Service.exe	100%	Avira	TR/ATRAPS.Gen
C:\svchost.exe	100%	Avira	TR/ATRAPS.Gen
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fa8cebf4f3fd11252bf351a94ee5fa4a.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\ESET Service.exe	100%	Joe Sandbox ML
C:\svchost.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\ESET Service.exe	97%	ReversingLabs	ByteCode-MSIL.Backdoor.Ratenjay
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fa8cebf4f3fd11252bf351a94ee5fa4a.exe	97%	ReversingLabs	ByteCode-MSIL.Backdoor.Ratenjay
C:\svchost.exe	97%	ReversingLabs	ByteCode-MSIL.Backdoor.Ratenjay

Source	Detection	Scanner	Label	Link
2.tcp.eu.ngrok.io	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
2.tcp.eu.ngrok.io	3.127.138.57	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
2.tcp.eu.ngrok.io	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0	R3ov8eFFFP.exe, fa8cebf4f3fd11252bf351a94ee5fa4a.exe.1.dr, ESET Service.exe.0.dr, svchost.exe.1.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
3.127.138.57	2.tcp.eu.ngrok.io	United States	16509	AMAZON-02US	true
18.192.93.86	unknown	United States	16509	AMAZON-02US	true
18.197.239.5	unknown	United States	16509	AMAZON-02US	true

General Information

Joe Sandbox version:	39.0.0 Ruby
Analysis ID:	1383432
Start date and time:	2024-01-30 17:06:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	R3ov8eFFFP.exe renamed because original name is a hash value
Original Sample Name:	0A7D2BBBE2960FF24B9273036FC472DA.exe
Detection:	MAL
Classification:	mal100.spre.troj.adwa.spyw.evad.winEXE@12/10@4/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 207 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 52.165.165.26, 23.40.205.58, 23.40.205.34, 23.40.205.75, 23.40.205.57, 23.40.205.59, 23.40.205.83, 23.40.205.9, 23.40.205.81, 20.3.187.198, 13.95.31.18, 20.166.126.56
Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-bg-shim.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, download.windowsupdate.com.edgesuite.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: R3ov8eFFFP.exe

Simulations

Behavior and APIs

Time	Type	Description
16:07:16	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run fa8cebf4f3fd11252bf351a94ee5fa4a "C:\Users\user\AppData\Roaming\ESET Service.exe" ..
16:07:25	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run fa8cebf4f3fd11252bf351a94ee5fa4a "C:\Users\user\AppData\Roaming\ESET Service.exe" ..
16:07:33	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run fa8cebf4f3fd11252bf351a94ee5fa4a "C:\Users\user\AppData\Roaming\ESET Service.exe" ..
16:07:42	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fa8cebf4f3fd11252bf351a94ee5fa4a.exe
17:07:47	API Interceptor	118915x Sleep call for process: ESET Service.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3.127.138.57	b8UsrDOVGV.exe	Get hash	malicious	Njrat	Browse
	2G8CgDVl3K.exe	Get hash	malicious	Njrat	Browse
	tiodtk2cfy.exe	Get hash	malicious	Njrat	Browse
	QUuUm3J8x3.exe	Get hash	malicious	Njrat	Browse
	RWqHoCWEPI.exe	Get hash	malicious	Njrat	Browse
	OUXkIxeP6k.exe	Get hash	malicious	Njrat	Browse
	eI43OwXSvq.exe	Get hash	malicious	Njrat	Browse
	i9z1c1OtFb.exe	Get hash	malicious	Njrat	Browse
	JYGc3o49WE.exe	Get hash	malicious	Njrat	Browse
	J6VIiRgq3w.exe	Get hash	malicious	Njrat	Browse
18.192.93.86	P90GT_Invoice_Related_Property_Tax_P800.exe	Get hash	malicious	RedLine	Browse	2.tcp.eu.ngrok.io:17685/
18.192.93.86	http://www.sdrclm.cn/vendor/phpdocumentor/P800/P90GT_Invoice_Related_Property_Tax_P800.exe	Get hash	malicious	RedLine	Browse	2.tcp.eu.ngrok.io:17685/
18.197.239.5	P90GT_Invoice_Related_Property_Tax_P800.exe	Get hash	malicious	RedLine	Browse	2.tcp.eu.ngrok.io:17685/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
2.tcp.eu.ngrok.io	Ve0c8i5So2.exe	Get hash	malicious	Njrat	Browse	18.157.68.73
	LMQV4V1d3E.exe	Get hash	malicious	Njrat	Browse	18.192.93.86
	b8UsrDOVGV.exe	Get hash	malicious	Njrat	Browse	3.127.138.57
	2G8CgDVl3K.exe	Get hash	malicious	Njrat	Browse	18.197.239.5
	BHp5Is5Xe7.exe	Get hash	malicious	Njrat	Browse	18.192.93.86
	tiodtk2cfy.exe	Get hash	malicious	Njrat	Browse	3.127.138.57
	QUuUm3J8x3.exe	Get hash	malicious	Njrat	Browse	3.127.138.57
	81Rz15POL6.exe	Get hash	malicious	Njrat	Browse	18.157.68.73
	649DB66A36E095B16832637A31D3CCC75040C5A6C23F6.exe	Get hash	malicious	Njrat	Browse	18.156.13.209
	pQBmVoyRnw.exe	Get hash	malicious	Njrat	Browse	18.156.13.209

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	https://optout.oracle-zoominfo-notice.com/acton/ct/45126/s-00a2-2401/Bct/g-00e9/l-00e4:4e5156/ct2_0/1/lu?sid=TV2%3A77KSjIGlP&c=E,1,oEV6T_FZXfcwsLJPdLRKsm5UxG5l1_dNlD0IFImFpjO05VML-T178ZPmvZqk5ormfZ0PuJEmGpb9jj51uxHqZ7XbQK5xoBbVXlPrmcKyudGsVoZJQcz-cg,,&typo=1	Get hash	malicious	Unknown	Browse	52.85.151.27
	Disputes_2Pages-Fax (2).html	Get hash	malicious	Unknown	Browse	108.156.152.114
	Fax-847-0944.xlsx	Get hash	malicious	HTMLPhisher	Browse	99.86.229.114
	https://protect-us.mimecast.com/s/WmtgC2krQxIovQN4I2X4tR?domain=click-notification.capitalone.com	Get hash	malicious	Unknown	Browse	3.124.226.107
	Garfieldpolice_Receipt_823481010238.html	Get hash	malicious	HTMLPhisher	Browse	99.84.108.67
	http://hytek.active.com	Get hash	malicious	Unknown	Browse	54.230.253.79
	https://ad.doubleclick.net/clk;265186560;90846275;t;pc=%5BTPAS_ID%5D?//b3groover.com/html/xtml/3jv6hhtqoycydubawq4q0vkugtsynvny48qryppx7dhenfjqlwkk6qcqxsvbp7bq346ltip18tnamlwgiy2ulkd1zvmqe5oublogi1mrebjnrbytt634ropk41uqpmdplsjbqshs1l4nlmna1m81gbqowtvmkuiezp8cyyauc2aqgm6luxzldz6xgq3rficooly7z7i7/YW5kcmV3LmRvc3NAc3VtbWl0YmhjLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	99.84.108.67
	https://t.ly/vUxxB	Get hash	malicious	Unknown	Browse	54.220.167.226
	https://www.bing.com/ck/a?!&&p=bd0766a2437219cbJmltdHM9MTcwNjQ4NjQwMCZpZ3VpZD0xMmI2NWRiOC0xMDdlLTYxYmYtMGUxMS00ZTQ0MTExNDYwNzYmaW5zaWQ9NTE5Mg&ptn=3&ver=2&hsh=3&fclid=12b65db8-107e-61bf-0e11-4e4411146076&psq=rayautox.co.za&u=a1aHR0cDovL3d3dy5yYXlhdXRveC5jby56YS8&ntb=1	Get hash	malicious	Unknown	Browse	3.163.101.111
	xshFIpJznd.elf	Get hash	malicious	Unknown	Browse	34.254.182.186
AMAZON-02US	https://optout.oracle-zoominfo-notice.com/acton/ct/45126/s-00a2-2401/Bct/g-00e9/l-00e4:4e5156/ct2_0/1/lu?sid=TV2%3A77KSjIGlP&c=E,1,oEV6T_FZXfcwsLJPdLRKsm5UxG5l1_dNlD0IFImFpjO05VML-T178ZPmvZqk5ormfZ0PuJEmGpb9jj51uxHqZ7XbQK5xoBbVXlPrmcKyudGsVoZJQcz-cg,,&typo=1	Get hash	malicious	Unknown	Browse	52.85.151.27
	Disputes_2Pages-Fax (2).html	Get hash	malicious	Unknown	Browse	108.156.152.114
	Fax-847-0944.xlsx	Get hash	malicious	HTMLPhisher	Browse	99.86.229.114
	https://protect-us.mimecast.com/s/WmtgC2krQxIovQN4I2X4tR?domain=click-notification.capitalone.com	Get hash	malicious	Unknown	Browse	3.124.226.107
	Garfieldpolice_Receipt_823481010238.html	Get hash	malicious	HTMLPhisher	Browse	99.84.108.67
	http://hytek.active.com	Get hash	malicious	Unknown	Browse	54.230.253.79
	https://ad.doubleclick.net/clk;265186560;90846275;t;pc=%5BTPAS_ID%5D?//b3groover.com/html/xtml/3jv6hhtqoycydubawq4q0vkugtsynvny48qryppx7dhenfjqlwkk6qcqxsvbp7bq346ltip18tnamlwgiy2ulkd1zvmqe5oublogi1mrebjnrbytt634ropk41uqpmdplsjbqshs1l4nlmna1m81gbqowtvmkuiezp8cyyauc2aqgm6luxzldz6xgq3rficooly7z7i7/YW5kcmV3LmRvc3NAc3VtbWl0YmhjLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	99.84.108.67
	https://t.ly/vUxxB	Get hash	malicious	Unknown	Browse	54.220.167.226
	https://www.bing.com/ck/a?!&&p=bd0766a2437219cbJmltdHM9MTcwNjQ4NjQwMCZpZ3VpZD0xMmI2NWRiOC0xMDdlLTYxYmYtMGUxMS00ZTQ0MTExNDYwNzYmaW5zaWQ9NTE5Mg&ptn=3&ver=2&hsh=3&fclid=12b65db8-107e-61bf-0e11-4e4411146076&psq=rayautox.co.za&u=a1aHR0cDovL3d3dy5yYXlhdXRveC5jby56YS8&ntb=1	Get hash	malicious	Unknown	Browse	3.163.101.111
	xshFIpJznd.elf	Get hash	malicious	Unknown	Browse	34.254.182.186
AMAZON-02US	https://optout.oracle-zoominfo-notice.com/acton/ct/45126/s-00a2-2401/Bct/g-00e9/l-00e4:4e5156/ct2_0/1/lu?sid=TV2%3A77KSjIGlP&c=E,1,oEV6T_FZXfcwsLJPdLRKsm5UxG5l1_dNlD0IFImFpjO05VML-T178ZPmvZqk5ormfZ0PuJEmGpb9jj51uxHqZ7XbQK5xoBbVXlPrmcKyudGsVoZJQcz-cg,,&typo=1	Get hash	malicious	Unknown	Browse	52.85.151.27
	Disputes_2Pages-Fax (2).html	Get hash	malicious	Unknown	Browse	108.156.152.114
	Fax-847-0944.xlsx	Get hash	malicious	HTMLPhisher	Browse	99.86.229.114
	https://protect-us.mimecast.com/s/WmtgC2krQxIovQN4I2X4tR?domain=click-notification.capitalone.com	Get hash	malicious	Unknown	Browse	3.124.226.107
	Garfieldpolice_Receipt_823481010238.html	Get hash	malicious	HTMLPhisher	Browse	99.84.108.67
	http://hytek.active.com	Get hash	malicious	Unknown	Browse	54.230.253.79
	https://ad.doubleclick.net/clk;265186560;90846275;t;pc=%5BTPAS_ID%5D?//b3groover.com/html/xtml/3jv6hhtqoycydubawq4q0vkugtsynvny48qryppx7dhenfjqlwkk6qcqxsvbp7bq346ltip18tnamlwgiy2ulkd1zvmqe5oublogi1mrebjnrbytt634ropk41uqpmdplsjbqshs1l4nlmna1m81gbqowtvmkuiezp8cyyauc2aqgm6luxzldz6xgq3rficooly7z7i7/YW5kcmV3LmRvc3NAc3VtbWl0YmhjLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	99.84.108.67
	https://t.ly/vUxxB	Get hash	malicious	Unknown	Browse	54.220.167.226
	https://www.bing.com/ck/a?!&&p=bd0766a2437219cbJmltdHM9MTcwNjQ4NjQwMCZpZ3VpZD0xMmI2NWRiOC0xMDdlLTYxYmYtMGUxMS00ZTQ0MTExNDYwNzYmaW5zaWQ9NTE5Mg&ptn=3&ver=2&hsh=3&fclid=12b65db8-107e-61bf-0e11-4e4411146076&psq=rayautox.co.za&u=a1aHR0cDovL3d3dy5yYXlhdXRveC5jby56YS8&ntb=1	Get hash	malicious	Unknown	Browse	3.163.101.111
	xshFIpJznd.elf	Get hash	malicious	Unknown	Browse	34.254.182.186

Process:	C:\Users\user\AppData\Roaming\ESET Service.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.259753436570609
Encrypted:	false
SSDEEP:	12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
MD5:	260E01CC001F9C4643CA7A62F395D747
SHA1:	492AD0ACE3A9C8736909866EEA168962D418BE5A
SHA-256:	4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
SHA-512:	01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\R3ov8eFFFP.exe.log

Process:	C:\Users\user\Desktop\R3ov8eFFFP.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	525
Entropy (8bit):	5.259753436570609
Encrypted:	false
SSDEEP:	12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
MD5:	260E01CC001F9C4643CA7A62F395D747
SHA1:	492AD0ACE3A9C8736909866EEA168962D418BE5A
SHA-256:	4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
SHA-512:	01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..

C:\Users\user\AppData\Roaming\ESET Service.exe

Process:	C:\Users\user\Desktop\R3ov8eFFFP.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	37888
Entropy (8bit):	5.5730226036804105
Encrypted:	false
SSDEEP:	384:jstKUiDtblmJEpRGyEf7JfJuQCY6iXQrAF+rMRTyN/0L+EcoinblneHQM3epzX48:YtiHpR9Ef7JsQCFiArM+rMRa8NuqUt
MD5:	0A7D2BBBE2960FF24B9273036FC472DA
SHA1:	3B0FBB910651427A6A103327A0630E96ACB8649C
SHA-256:	D812B05B85A25AB0EC4258F8A4E9ADDA4A84D2DF5B07FED42B84DE539DFCABC8
SHA-512:	8266B81B3D24B0650465D35A5CF83EA4339F7CF417A78E4A5BD8EB5D111BD90EEB1C672DBE7A2C6F772849AECF13C6FE62488958CD27986727CD723D154DD62F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\ESET Service.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Roaming\ESET Service.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\ESET Service.exe, Author: Brian Wallace @botnet_hunter Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\ESET Service.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 97%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e................................. ........@.. ....................................@.................................p...K.......@............................................................................ ............... ..H............text....... ...................... ..`.rsrc...@...........................@..@.reloc..............................@..B........................H........e...E..........................................................&.(......*..(.......s.........s.........s.........s...........0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Users\user\AppData\Roaming\ESET Service.exe:Zone.Identifier

Process:	C:\Users\user\Desktop\R3ov8eFFFP.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fa8cebf4f3fd11252bf351a94ee5fa4a.exe

Process:	C:\Users\user\AppData\Roaming\ESET Service.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	37888
Entropy (8bit):	5.5730226036804105
Encrypted:	false
SSDEEP:	384:jstKUiDtblmJEpRGyEf7JfJuQCY6iXQrAF+rMRTyN/0L+EcoinblneHQM3epzX48:YtiHpR9Ef7JsQCFiArM+rMRa8NuqUt
MD5:	0A7D2BBBE2960FF24B9273036FC472DA
SHA1:	3B0FBB910651427A6A103327A0630E96ACB8649C
SHA-256:	D812B05B85A25AB0EC4258F8A4E9ADDA4A84D2DF5B07FED42B84DE539DFCABC8
SHA-512:	8266B81B3D24B0650465D35A5CF83EA4339F7CF417A78E4A5BD8EB5D111BD90EEB1C672DBE7A2C6F772849AECF13C6FE62488958CD27986727CD723D154DD62F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fa8cebf4f3fd11252bf351a94ee5fa4a.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fa8cebf4f3fd11252bf351a94ee5fa4a.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fa8cebf4f3fd11252bf351a94ee5fa4a.exe, Author: Brian Wallace @botnet_hunter Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fa8cebf4f3fd11252bf351a94ee5fa4a.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 97%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e................................. ........@.. ....................................@.................................p...K.......@............................................................................ ............... ..H............text....... ...................... ..`.rsrc...@...........................@..@.reloc..............................@..B........................H........e...E..........................................................&.(......*..(.......s.........s.........s.........s...........0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fa8cebf4f3fd11252bf351a94ee5fa4a.exe:Zone.Identifier

Process:	C:\Users\user\AppData\Roaming\ESET Service.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\autorun.inf

Process:	C:\Users\user\AppData\Roaming\ESET Service.exe
File Type:	Microsoft Windows Autorun file
Category:	dropped
Size (bytes):	50
Entropy (8bit):	4.320240000427043
Encrypted:	false
SSDEEP:	3:It1KV2LKMACovK0x:e1KzxvD
MD5:	5B0B50BADE67C5EC92D42E971287A5D9
SHA1:	90D5C99143E7A56AD6E5EE401015F8ECC093D95A
SHA-256:	04DDE2489D2D2E6846D42250D813AB90B5CA847D527F8F2C022E6C327DC6DB53
SHA-512:	C064DC3C4185A38D1CAEBD069ACB9FDBB85DFB650D6A241036E501A09BC89FD06E267BE9D400D20E6C14B4068473D1C6557962E8D82FDFD191DB7EABB6E66821
Malicious:	true
Preview:	[autorun]..open=C:\svchost.exe..shellexecute=C:\..

C:\svchost.exe

Process:	C:\Users\user\AppData\Roaming\ESET Service.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	37888
Entropy (8bit):	5.5730226036804105
Encrypted:	false
SSDEEP:	384:jstKUiDtblmJEpRGyEf7JfJuQCY6iXQrAF+rMRTyN/0L+EcoinblneHQM3epzX48:YtiHpR9Ef7JsQCFiArM+rMRa8NuqUt
MD5:	0A7D2BBBE2960FF24B9273036FC472DA
SHA1:	3B0FBB910651427A6A103327A0630E96ACB8649C
SHA-256:	D812B05B85A25AB0EC4258F8A4E9ADDA4A84D2DF5B07FED42B84DE539DFCABC8
SHA-512:	8266B81B3D24B0650465D35A5CF83EA4339F7CF417A78E4A5BD8EB5D111BD90EEB1C672DBE7A2C6F772849AECF13C6FE62488958CD27986727CD723D154DD62F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\svchost.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\svchost.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\svchost.exe, Author: Brian Wallace @botnet_hunter Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\svchost.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 97%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e................................. ........@.. ....................................@.................................p...K.......@............................................................................ ............... ..H............text....... ...................... ..`.rsrc...@...........................@..@.reloc..............................@..B........................H........e...E..........................................................&.(......*..(.......s.........s.........s.........s...........0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\svchost.exe:Zone.Identifier

Process:	C:\Users\user\AppData\Roaming\ESET Service.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

\Device\ConDrv

Process:	C:\Windows\SysWOW64\netsh.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	313
Entropy (8bit):	4.971939296804078
Encrypted:	false
SSDEEP:	6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
MD5:	689E2126A85BF55121488295EE068FA1
SHA1:	09BAAA253A49D80C18326DFBCA106551EBF22DD6
SHA-256:	D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
SHA-512:	C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
Malicious:	false
Preview:	..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.5730226036804105
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	R3ov8eFFFP.exe
File size:	37'888 bytes
MD5:	0a7d2bbbe2960ff24b9273036fc472da
SHA1:	3b0fbb910651427a6a103327a0630e96acb8649c
SHA256:	d812b05b85a25ab0ec4258f8a4e9adda4a84d2df5b07fed42b84de539dfcabc8
SHA512:	8266b81b3d24b0650465d35a5cf83ea4339f7cf417a78e4a5bd8eb5d111bd90eeb1c672dbe7a2c6f772849aecf13c6fe62488958cd27986727cd723d154dd62f
SSDEEP:	384:jstKUiDtblmJEpRGyEf7JfJuQCY6iXQrAF+rMRTyN/0L+EcoinblneHQM3epzX48:YtiHpR9Ef7JsQCFiArM+rMRa8NuqUt
TLSH:	6D032A4D7FE18168C5FD467B05B2D41207BBE04B6E23D90E8EF564AA37636C18B50AF2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e................................. ........@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40abbe
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x65B3A597 [Fri Jan 26 12:29:11 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xab70	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc000	0x240	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x8bc4	0x8c00	52435bf8111a2b756b0ca350659b2ea6	False	0.46353236607142856	data	5.604430733714899	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc000	0x240	0x400	f7ce2f7b506ce16c06c85a549ef2cd98	False	0.3134765625	data	4.968771659524424	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe000	0xc	0x200	163d66697186c0743c0da6f82247a39a	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0xc058	0x1e7	XML 1.0 document, ASCII text, with CRLF line terminators			0.5338809034907598

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.43.127.138.5749743182272825564 01/30/24-17:09:29.306132	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49743	18227	192.168.2.4	3.127.138.57
192.168.2.43.127.138.5749743182272825563 01/30/24-17:09:19.453005	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49743	18227	192.168.2.4	3.127.138.57
192.168.2.43.127.138.5749740182272814860 01/30/24-17:08:55.123453	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49740	18227	192.168.2.4	3.127.138.57
192.168.2.43.127.138.5749742182272033132 01/30/24-17:09:13.438158	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49742	18227	192.168.2.4	3.127.138.57
192.168.2.43.127.138.5749741182272033132 01/30/24-17:08:57.484517	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49741	18227	192.168.2.4	3.127.138.57
192.168.2.43.127.138.5749743182272033132 01/30/24-17:09:19.251884	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49743	18227	192.168.2.4	3.127.138.57
192.168.2.43.127.138.5749729182272033132 01/30/24-17:07:18.434785	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49729	18227	192.168.2.4	3.127.138.57
192.168.2.43.127.138.5749741182272814860 01/30/24-17:09:03.945846	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49741	18227	192.168.2.4	3.127.138.57
192.168.2.418.192.93.8649749182272814856 01/30/24-17:10:28.018781	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49749	18227	192.168.2.4	18.192.93.86
192.168.2.418.192.93.8649748182272814856 01/30/24-17:10:15.110171	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49748	18227	192.168.2.4	18.192.93.86
192.168.2.418.192.93.8649747182272814856 01/30/24-17:10:06.444735	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49747	18227	192.168.2.4	18.192.93.86
192.168.2.43.127.138.5749738182272814856 01/30/24-17:08:14.961731	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49738	18227	192.168.2.4	3.127.138.57
192.168.2.43.127.138.5749739182272814856 01/30/24-17:08:27.854209	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49739	18227	192.168.2.4	3.127.138.57
192.168.2.43.127.138.5749743182272814860 01/30/24-17:09:29.306132	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49743	18227	192.168.2.4	3.127.138.57
192.168.2.43.127.138.5749729182272825564 01/30/24-17:07:23.073796	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49729	18227	192.168.2.4	3.127.138.57
192.168.2.43.127.138.5749729182272825563 01/30/24-17:07:18.635283	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49729	18227	192.168.2.4	3.127.138.57
192.168.2.418.197.239.549752182272033132 01/30/24-17:11:04.732771	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49752	18227	192.168.2.4	18.197.239.5
192.168.2.43.127.138.5749740182272814856 01/30/24-17:08:45.087741	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49740	18227	192.168.2.4	3.127.138.57
192.168.2.418.197.239.549751182272033132 01/30/24-17:10:49.338671	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49751	18227	192.168.2.4	18.197.239.5
192.168.2.418.197.239.549750182272033132 01/30/24-17:10:40.149950	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49750	18227	192.168.2.4	18.197.239.5
192.168.2.43.127.138.5749741182272814856 01/30/24-17:08:57.690610	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49741	18227	192.168.2.4	3.127.138.57
192.168.2.43.127.138.5749742182272814856 01/30/24-17:09:13.644212	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49742	18227	192.168.2.4	3.127.138.57
192.168.2.418.192.93.8649745182272814856 01/30/24-17:09:36.950026	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49745	18227	192.168.2.4	18.192.93.86
192.168.2.418.192.93.8649744182272814856 01/30/24-17:09:32.006134	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49744	18227	192.168.2.4	18.192.93.86
192.168.2.418.192.93.8649746182272814856 01/30/24-17:09:54.099801	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49746	18227	192.168.2.4	18.192.93.86
192.168.2.43.127.138.5749736182272814856 01/30/24-17:07:52.958354	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49736	18227	192.168.2.4	3.127.138.57
192.168.2.43.127.138.5749740182272033132 01/30/24-17:08:44.884475	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49740	18227	192.168.2.4	3.127.138.57
192.168.2.418.197.239.549752182272814856 01/30/24-17:11:04.938711	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49752	18227	192.168.2.4	18.197.239.5
192.168.2.43.127.138.5749743182272814856 01/30/24-17:09:19.453005	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49743	18227	192.168.2.4	3.127.138.57
192.168.2.418.197.239.549751182272814856 01/30/24-17:10:49.541184	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49751	18227	192.168.2.4	18.197.239.5
192.168.2.418.197.239.549750182272814856 01/30/24-17:10:40.356210	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49750	18227	192.168.2.4	18.197.239.5
192.168.2.418.192.93.8649746182272825563 01/30/24-17:09:54.099801	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49746	18227	192.168.2.4	18.192.93.86
192.168.2.418.192.93.8649747182272033132 01/30/24-17:10:06.243628	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49747	18227	192.168.2.4	18.192.93.86
192.168.2.418.192.93.8649748182272033132 01/30/24-17:10:14.903223	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49748	18227	192.168.2.4	18.192.93.86
192.168.2.43.127.138.5749736182272033132 01/30/24-17:07:52.757868	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49736	18227	192.168.2.4	3.127.138.57
192.168.2.418.192.93.8649746182272825564 01/30/24-17:10:02.570250	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49746	18227	192.168.2.4	18.192.93.86
192.168.2.418.192.93.8649748182272825564 01/30/24-17:10:16.789499	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49748	18227	192.168.2.4	18.192.93.86
192.168.2.43.127.138.5749736182272825563 01/30/24-17:07:52.958354	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49736	18227	192.168.2.4	3.127.138.57
192.168.2.43.127.138.5749736182272825564 01/30/24-17:07:55.336198	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49736	18227	192.168.2.4	3.127.138.57
192.168.2.418.192.93.8649745182272033132 01/30/24-17:09:36.751580	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49745	18227	192.168.2.4	18.192.93.86
192.168.2.418.192.93.8649746182272033132 01/30/24-17:09:53.899404	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49746	18227	192.168.2.4	18.192.93.86
192.168.2.418.192.93.8649749182272033132 01/30/24-17:10:27.818089	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49749	18227	192.168.2.4	18.192.93.86
192.168.2.418.192.93.8649745182272825563 01/30/24-17:09:36.950026	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49745	18227	192.168.2.4	18.192.93.86
192.168.2.418.192.93.8649749182272825563 01/30/24-17:10:28.018781	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49749	18227	192.168.2.4	18.192.93.86
192.168.2.418.192.93.8649745182272825564 01/30/24-17:09:37.351336	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49745	18227	192.168.2.4	18.192.93.86
192.168.2.418.192.93.8649749182272825564 01/30/24-17:10:33.714882	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49749	18227	192.168.2.4	18.192.93.86
192.168.2.43.127.138.5749738182272033132 01/30/24-17:08:14.761110	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49738	18227	192.168.2.4	3.127.138.57
192.168.2.418.192.93.8649744182272825563 01/30/24-17:09:32.006134	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49744	18227	192.168.2.4	18.192.93.86
192.168.2.43.127.138.5749739182272033132 01/30/24-17:08:27.653310	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49739	18227	192.168.2.4	3.127.138.57
192.168.2.418.197.239.549750182272814860 01/30/24-17:10:41.866704	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49750	18227	192.168.2.4	18.197.239.5
192.168.2.418.197.239.549751182272814860 01/30/24-17:10:58.138650	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49751	18227	192.168.2.4	18.197.239.5
192.168.2.418.192.93.8649746182272814860 01/30/24-17:10:03.972545	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49746	18227	192.168.2.4	18.192.93.86
192.168.2.43.127.138.5749736182272814860 01/30/24-17:07:55.336198	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49736	18227	192.168.2.4	3.127.138.57
192.168.2.418.192.93.8649745182272814860 01/30/24-17:09:37.351336	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49745	18227	192.168.2.4	18.192.93.86
192.168.2.43.127.138.5749738182272825564 01/30/24-17:08:24.775359	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49738	18227	192.168.2.4	3.127.138.57
192.168.2.43.127.138.5749739182272825564 01/30/24-17:08:42.669529	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49739	18227	192.168.2.4	3.127.138.57
192.168.2.418.192.93.8649744182272033132 01/30/24-17:09:31.797713	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49744	18227	192.168.2.4	18.192.93.86
192.168.2.43.127.138.5749729182272814856 01/30/24-17:07:18.635283	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49729	18227	192.168.2.4	3.127.138.57
192.168.2.418.192.93.8649748182272825563 01/30/24-17:10:15.110171	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49748	18227	192.168.2.4	18.192.93.86
192.168.2.418.197.239.549751182272825564 01/30/24-17:10:58.138650	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49751	18227	192.168.2.4	18.197.239.5
192.168.2.418.197.239.549751182272825563 01/30/24-17:10:49.541184	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49751	18227	192.168.2.4	18.197.239.5
192.168.2.43.127.138.5749729182272814860 01/30/24-17:07:23.073796	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49729	18227	192.168.2.4	3.127.138.57
192.168.2.418.197.239.549750182272825564 01/30/24-17:10:41.866704	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49750	18227	192.168.2.4	18.197.239.5
192.168.2.418.197.239.549750182272825563 01/30/24-17:10:40.356210	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49750	18227	192.168.2.4	18.197.239.5
192.168.2.418.192.93.8649748182272814860 01/30/24-17:10:16.789499	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49748	18227	192.168.2.4	18.192.93.86
192.168.2.43.127.138.5749739182272814860 01/30/24-17:08:42.669529	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49739	18227	192.168.2.4	3.127.138.57
192.168.2.43.127.138.5749738182272814860 01/30/24-17:08:25.085626	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49738	18227	192.168.2.4	3.127.138.57
192.168.2.418.192.93.8649747182272814860 01/30/24-17:10:07.250125	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49747	18227	192.168.2.4	18.192.93.86
192.168.2.418.197.239.549752182272825563 01/30/24-17:11:04.938711	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49752	18227	192.168.2.4	18.197.239.5
192.168.2.418.192.93.8649749182272814860 01/30/24-17:10:33.714882	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49749	18227	192.168.2.4	18.192.93.86
192.168.2.43.127.138.5749741182272825564 01/30/24-17:09:03.945846	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49741	18227	192.168.2.4	3.127.138.57
192.168.2.43.127.138.5749741182272825563 01/30/24-17:08:57.690610	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49741	18227	192.168.2.4	3.127.138.57
192.168.2.43.127.138.5749742182272825563 01/30/24-17:09:13.644212	TCP	2825563	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)	49742	18227	192.168.2.4	3.127.138.57

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 30, 2024 17:07:18.118943930 CET	49729	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:07:18.319217920 CET	18227	49729	3.127.138.57	192.168.2.4
Jan 30, 2024 17:07:18.319299936 CET	49729	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:07:18.434784889 CET	49729	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:07:18.635211945 CET	18227	49729	3.127.138.57	192.168.2.4
Jan 30, 2024 17:07:18.635282993 CET	49729	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:07:18.835705996 CET	18227	49729	3.127.138.57	192.168.2.4
Jan 30, 2024 17:07:23.073796034 CET	49729	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:07:23.274883032 CET	18227	49729	3.127.138.57	192.168.2.4
Jan 30, 2024 17:07:38.365947008 CET	18227	49729	3.127.138.57	192.168.2.4
Jan 30, 2024 17:07:38.366117954 CET	49729	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:07:50.537448883 CET	18227	49729	3.127.138.57	192.168.2.4
Jan 30, 2024 17:07:50.537543058 CET	49729	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:07:52.540827036 CET	49729	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:07:52.543697119 CET	49736	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:07:52.741385937 CET	18227	49729	3.127.138.57	192.168.2.4
Jan 30, 2024 17:07:52.744189024 CET	18227	49736	3.127.138.57	192.168.2.4
Jan 30, 2024 17:07:52.744402885 CET	49736	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:07:52.757868052 CET	49736	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:07:52.958242893 CET	18227	49736	3.127.138.57	192.168.2.4
Jan 30, 2024 17:07:52.958353996 CET	49736	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:07:53.158967018 CET	18227	49736	3.127.138.57	192.168.2.4
Jan 30, 2024 17:07:55.336198092 CET	49736	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:07:55.536633968 CET	18227	49736	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:10.617690086 CET	18227	49736	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:10.617791891 CET	49736	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:12.537127018 CET	18227	49736	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:12.537514925 CET	49736	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:14.539102077 CET	49736	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:14.542673111 CET	49738	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:14.739630938 CET	18227	49736	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:14.742988110 CET	18227	49738	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:14.743413925 CET	49738	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:14.761110067 CET	49738	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:14.961522102 CET	18227	49738	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:14.961730957 CET	49738	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:15.161993980 CET	18227	49738	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:19.243091106 CET	49738	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:19.443494081 CET	18227	49738	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:19.477243900 CET	49738	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:19.677969933 CET	18227	49738	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:20.367721081 CET	49738	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:20.568304062 CET	18227	49738	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:20.568823099 CET	49738	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:20.769416094 CET	18227	49738	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:20.963871002 CET	49738	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:21.164271116 CET	18227	49738	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:21.164709091 CET	49738	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:21.365112066 CET	18227	49738	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:21.365535021 CET	49738	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:21.566121101 CET	18227	49738	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:21.566350937 CET	49738	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:21.766688108 CET	18227	49738	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:21.767122984 CET	49738	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:21.967407942 CET	18227	49738	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:21.967708111 CET	49738	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:22.168124914 CET	18227	49738	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:22.168242931 CET	49738	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:22.368449926 CET	18227	49738	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:22.368839025 CET	49738	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:22.569097996 CET	18227	49738	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:22.569669962 CET	49738	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:22.769943953 CET	18227	49738	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:22.770020008 CET	49738	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:22.970360041 CET	18227	49738	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:22.970438004 CET	49738	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:23.170423031 CET	18227	49738	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:23.170541048 CET	49738	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:23.370558977 CET	18227	49738	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:23.370650053 CET	49738	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:23.570831060 CET	18227	49738	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:23.570909023 CET	49738	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:23.771100044 CET	18227	49738	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:23.771297932 CET	49738	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:23.971381903 CET	18227	49738	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:23.971502066 CET	49738	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:24.171686888 CET	18227	49738	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:24.172255993 CET	49738	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:24.372564077 CET	18227	49738	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:24.373183012 CET	49738	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:24.573587894 CET	18227	49738	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:24.574031115 CET	49738	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:24.774331093 CET	18227	49738	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:24.775358915 CET	49738	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:24.969839096 CET	18227	49738	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:24.970046997 CET	49738	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:24.975495100 CET	18227	49738	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:25.085625887 CET	49738	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:25.170259953 CET	18227	49738	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:25.286309004 CET	18227	49738	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:27.444000006 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:27.644758940 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:27.645101070 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:27.653310061 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:27.853856087 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:27.854208946 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:28.055088043 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:28.055363894 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:28.256254911 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:28.256463051 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:28.457463980 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:28.457796097 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:28.658519030 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:28.658653975 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:28.859358072 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:28.859611034 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:29.060507059 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:29.060678005 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:29.262550116 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:29.262775898 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:29.463494062 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:29.463891029 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:29.665312052 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:29.665427923 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:29.866010904 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:29.866297960 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:30.067047119 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:30.067300081 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:30.268131971 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:30.268381119 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:30.469274998 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:30.469749928 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:30.670468092 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:30.670931101 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:30.872039080 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:30.872251034 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:31.073065042 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:31.073275089 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:31.274019957 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:31.274292946 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:31.475121021 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:31.475404024 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:31.676198006 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:31.676640034 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:31.877504110 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:31.877969027 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:32.079165936 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:32.079366922 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:32.279973984 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:32.280376911 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:32.481098890 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:32.481379032 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:32.682281017 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:32.682615042 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:32.883357048 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:32.883622885 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:33.084570885 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:33.084770918 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:33.285358906 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:33.285561085 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:33.486411095 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:33.486510992 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:33.687203884 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:33.687428951 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:33.887970924 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:33.888179064 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:34.088859081 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:34.089088917 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:34.289917946 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:34.290045023 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:34.490910053 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:34.491003990 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:34.692013979 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:34.692235947 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:34.893011093 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:34.893368959 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:35.094140053 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:35.094481945 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:35.296802044 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:35.296936035 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:35.497612000 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:35.497757912 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:35.698784113 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:35.699018002 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:35.899802923 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:35.900118113 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:36.100967884 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:36.101224899 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:36.301995039 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:36.302151918 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:36.503012896 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:36.503396034 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:36.704019070 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:36.704241037 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:36.904968977 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:36.905261993 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:37.105923891 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:37.106182098 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:37.308156013 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:37.308360100 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:37.508959055 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:37.509193897 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:37.709985971 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:37.710367918 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:37.911137104 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:37.911438942 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:38.112112999 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:38.112317085 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:38.313105106 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:38.313308001 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:38.514097929 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:38.514327049 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:38.714885950 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:38.715102911 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:38.915584087 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:38.915797949 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:39.117832899 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:39.118065119 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:39.319658995 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:39.319864035 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:39.520365000 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:39.520576954 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:39.721039057 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:39.721290112 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:39.921797991 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:39.922024965 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:40.122467041 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:40.122648001 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:40.322992086 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:40.323195934 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:40.524761915 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:40.525044918 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:40.725555897 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:40.725764990 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:40.926168919 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:40.926422119 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:41.126811028 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:41.127103090 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:41.327806950 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:41.328018904 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:41.528436899 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:41.528764963 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:41.729111910 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:41.729312897 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:41.929708004 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:41.929812908 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:42.130331993 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:42.130444050 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:42.330782890 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:42.330997944 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:42.531397104 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:42.531575918 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:42.669207096 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:42.669528961 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:42.734142065 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:42.872009993 CET	18227	49739	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:44.679548979 CET	49739	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:44.681642056 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:44.881992102 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:44.882122040 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:44.884474993 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:45.087626934 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:45.087740898 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:45.287996054 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:45.288111925 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:45.488462925 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:45.488564014 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:45.688940048 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:45.689011097 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:45.889549971 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:45.889744997 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:46.091192007 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:46.091260910 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:46.291507959 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:46.291585922 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:46.491950989 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:46.492031097 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:46.692506075 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:46.692730904 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:46.892987013 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:46.893059015 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:47.093296051 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:47.093439102 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:47.293668032 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:47.293873072 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:47.494277000 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:47.494352102 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:47.694648027 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:47.694982052 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:47.895296097 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:47.895435095 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:48.095747948 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:48.095837116 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:48.296068907 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:48.296242952 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:48.496522903 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:48.496678114 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:48.696949959 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:48.697027922 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:48.897325039 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:48.897505999 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:49.097862005 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:49.097980022 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:49.298382044 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:49.298487902 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:49.498874903 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:49.499016047 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:49.699412107 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:49.699527979 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:49.899882078 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:49.899991989 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:50.100332975 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:50.100490093 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:50.301017046 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:50.301127911 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:50.501569986 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:50.501708984 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:50.702137947 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:50.702244043 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:50.902580976 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:50.902679920 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:51.102962971 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:51.103044033 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:51.304964066 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:51.305064917 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:51.505270004 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:51.505410910 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:51.707837105 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:51.707947016 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:51.908606052 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:51.908724070 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:52.109834909 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:52.109925032 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:52.310616970 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:52.310734987 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:52.510993958 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:52.511230946 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:52.711625099 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:52.711745024 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:52.914916992 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:52.915050983 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:53.115425110 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:53.115540028 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:53.316591978 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:53.316668034 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:53.518784046 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:53.518970966 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:53.719316959 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:53.719502926 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:53.919795990 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:53.919861078 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:54.120193958 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:54.120398045 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:54.320712090 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:54.320959091 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:54.521378994 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:54.521447897 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:54.721806049 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:54.722073078 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:54.922344923 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:54.922549009 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:55.123080015 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:55.123452902 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:55.264420033 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:55.264622927 CET	49740	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:55.323803902 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:55.465073109 CET	18227	49740	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:57.275511026 CET	49741	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:57.481945038 CET	18227	49741	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:57.482146978 CET	49741	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:57.484517097 CET	49741	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:57.690444946 CET	18227	49741	3.127.138.57	192.168.2.4
Jan 30, 2024 17:08:57.690609932 CET	49741	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:08:57.896656990 CET	18227	49741	3.127.138.57	192.168.2.4
Jan 30, 2024 17:09:03.945846081 CET	49741	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:09:04.151952028 CET	18227	49741	3.127.138.57	192.168.2.4
Jan 30, 2024 17:09:11.212969065 CET	18227	49741	3.127.138.57	192.168.2.4
Jan 30, 2024 17:09:11.213119030 CET	49741	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:09:13.226383924 CET	49741	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:09:13.228857994 CET	49742	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:09:13.432775974 CET	18227	49741	3.127.138.57	192.168.2.4
Jan 30, 2024 17:09:13.434715986 CET	18227	49742	3.127.138.57	192.168.2.4
Jan 30, 2024 17:09:13.434828043 CET	49742	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:09:13.438158035 CET	49742	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:09:13.643991947 CET	18227	49742	3.127.138.57	192.168.2.4
Jan 30, 2024 17:09:13.644212008 CET	49742	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:09:13.850090027 CET	18227	49742	3.127.138.57	192.168.2.4
Jan 30, 2024 17:09:16.845592022 CET	18227	49742	3.127.138.57	192.168.2.4
Jan 30, 2024 17:09:16.845807076 CET	49742	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:09:19.044230938 CET	49742	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:09:19.047009945 CET	49743	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:09:19.247746944 CET	18227	49743	3.127.138.57	192.168.2.4
Jan 30, 2024 17:09:19.247994900 CET	49743	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:09:19.250448942 CET	18227	49742	3.127.138.57	192.168.2.4
Jan 30, 2024 17:09:19.251883984 CET	49743	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:09:19.452675104 CET	18227	49743	3.127.138.57	192.168.2.4
Jan 30, 2024 17:09:19.453005075 CET	49743	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:09:19.653126001 CET	18227	49743	3.127.138.57	192.168.2.4
Jan 30, 2024 17:09:21.117424011 CET	49743	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:09:21.317758083 CET	18227	49743	3.127.138.57	192.168.2.4
Jan 30, 2024 17:09:29.306132078 CET	49743	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:09:29.459018946 CET	18227	49743	3.127.138.57	192.168.2.4
Jan 30, 2024 17:09:29.459239006 CET	49743	18227	192.168.2.4	3.127.138.57
Jan 30, 2024 17:09:29.506648064 CET	18227	49743	3.127.138.57	192.168.2.4
Jan 30, 2024 17:09:29.659554958 CET	18227	49743	3.127.138.57	192.168.2.4
Jan 30, 2024 17:09:31.585031033 CET	49744	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:09:31.793375015 CET	18227	49744	18.192.93.86	192.168.2.4
Jan 30, 2024 17:09:31.793809891 CET	49744	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:09:31.797713041 CET	49744	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:09:32.005939960 CET	18227	49744	18.192.93.86	192.168.2.4
Jan 30, 2024 17:09:32.006134033 CET	49744	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:09:32.214406967 CET	18227	49744	18.192.93.86	192.168.2.4
Jan 30, 2024 17:09:33.836033106 CET	18227	49744	18.192.93.86	192.168.2.4
Jan 30, 2024 17:09:33.836234093 CET	49744	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:09:36.547142982 CET	49744	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:09:36.548971891 CET	49745	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:09:36.749315977 CET	18227	49745	18.192.93.86	192.168.2.4
Jan 30, 2024 17:09:36.749444008 CET	49745	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:09:36.751580000 CET	49745	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:09:36.756670952 CET	18227	49744	18.192.93.86	192.168.2.4
Jan 30, 2024 17:09:36.949923038 CET	18227	49745	18.192.93.86	192.168.2.4
Jan 30, 2024 17:09:36.950026035 CET	49745	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:09:37.148559093 CET	18227	49745	18.192.93.86	192.168.2.4
Jan 30, 2024 17:09:37.351336002 CET	49745	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:09:37.549942017 CET	18227	49745	18.192.93.86	192.168.2.4
Jan 30, 2024 17:09:51.692215919 CET	18227	49745	18.192.93.86	192.168.2.4
Jan 30, 2024 17:09:51.692401886 CET	49745	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:09:53.694715977 CET	49745	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:09:53.696887970 CET	49746	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:09:53.893224955 CET	18227	49745	18.192.93.86	192.168.2.4
Jan 30, 2024 17:09:53.896965981 CET	18227	49746	18.192.93.86	192.168.2.4
Jan 30, 2024 17:09:53.897161007 CET	49746	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:09:53.899404049 CET	49746	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:09:54.099476099 CET	18227	49746	18.192.93.86	192.168.2.4
Jan 30, 2024 17:09:54.099801064 CET	49746	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:09:54.299922943 CET	18227	49746	18.192.93.86	192.168.2.4
Jan 30, 2024 17:09:55.136574984 CET	49746	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:09:55.336728096 CET	18227	49746	18.192.93.86	192.168.2.4
Jan 30, 2024 17:09:58.523324013 CET	49746	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:09:58.723436117 CET	18227	49746	18.192.93.86	192.168.2.4
Jan 30, 2024 17:09:59.210922003 CET	49746	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:09:59.411084890 CET	18227	49746	18.192.93.86	192.168.2.4
Jan 30, 2024 17:10:01.444931984 CET	49746	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:10:01.647478104 CET	18227	49746	18.192.93.86	192.168.2.4
Jan 30, 2024 17:10:01.647605896 CET	49746	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:10:01.847635031 CET	18227	49746	18.192.93.86	192.168.2.4
Jan 30, 2024 17:10:02.570250034 CET	49746	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:10:02.770273924 CET	18227	49746	18.192.93.86	192.168.2.4
Jan 30, 2024 17:10:02.770452976 CET	49746	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:10:02.970413923 CET	18227	49746	18.192.93.86	192.168.2.4
Jan 30, 2024 17:10:02.970638037 CET	49746	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:10:03.171406031 CET	18227	49746	18.192.93.86	192.168.2.4
Jan 30, 2024 17:10:03.171694994 CET	49746	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:10:03.371750116 CET	18227	49746	18.192.93.86	192.168.2.4
Jan 30, 2024 17:10:03.371994019 CET	49746	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:10:03.572016001 CET	18227	49746	18.192.93.86	192.168.2.4
Jan 30, 2024 17:10:03.572249889 CET	49746	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:10:03.772270918 CET	18227	49746	18.192.93.86	192.168.2.4
Jan 30, 2024 17:10:03.772475004 CET	49746	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:10:03.972434998 CET	18227	49746	18.192.93.86	192.168.2.4
Jan 30, 2024 17:10:03.972544909 CET	49746	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:10:04.025881052 CET	18227	49746	18.192.93.86	192.168.2.4
Jan 30, 2024 17:10:04.025981903 CET	49746	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:10:04.172636986 CET	18227	49746	18.192.93.86	192.168.2.4
Jan 30, 2024 17:10:04.225955963 CET	18227	49746	18.192.93.86	192.168.2.4
Jan 30, 2024 17:10:06.040126085 CET	49747	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:10:06.241348028 CET	18227	49747	18.192.93.86	192.168.2.4
Jan 30, 2024 17:10:06.241463900 CET	49747	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:10:06.243628025 CET	49747	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:10:06.444627047 CET	18227	49747	18.192.93.86	192.168.2.4
Jan 30, 2024 17:10:06.444735050 CET	49747	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:10:06.646179914 CET	18227	49747	18.192.93.86	192.168.2.4
Jan 30, 2024 17:10:06.646333933 CET	49747	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:10:06.847616911 CET	18227	49747	18.192.93.86	192.168.2.4
Jan 30, 2024 17:10:06.847719908 CET	49747	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:10:07.048841000 CET	18227	49747	18.192.93.86	192.168.2.4
Jan 30, 2024 17:10:07.048954010 CET	49747	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:10:07.250024080 CET	18227	49747	18.192.93.86	192.168.2.4
Jan 30, 2024 17:10:07.250124931 CET	49747	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:10:07.454602003 CET	18227	49747	18.192.93.86	192.168.2.4
Jan 30, 2024 17:10:12.683803082 CET	18227	49747	18.192.93.86	192.168.2.4
Jan 30, 2024 17:10:12.866539955 CET	49747	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:10:14.695255041 CET	49747	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:10:14.698376894 CET	49748	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:10:14.900815010 CET	18227	49748	18.192.93.86	192.168.2.4
Jan 30, 2024 17:10:14.901004076 CET	49748	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:10:14.903223038 CET	49748	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:10:15.109992981 CET	18227	49748	18.192.93.86	192.168.2.4
Jan 30, 2024 17:10:15.110171080 CET	49748	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:10:15.312527895 CET	18227	49748	18.192.93.86	192.168.2.4
Jan 30, 2024 17:10:16.789499044 CET	49748	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:10:16.992105007 CET	18227	49748	18.192.93.86	192.168.2.4
Jan 30, 2024 17:10:25.581134081 CET	18227	49748	18.192.93.86	192.168.2.4
Jan 30, 2024 17:10:25.581331968 CET	49748	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:10:27.607204914 CET	49748	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:10:27.609694958 CET	49749	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:10:27.809581995 CET	18227	49748	18.192.93.86	192.168.2.4
Jan 30, 2024 17:10:27.810312033 CET	18227	49749	18.192.93.86	192.168.2.4
Jan 30, 2024 17:10:27.810412884 CET	49749	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:10:27.818089008 CET	49749	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:10:28.018533945 CET	18227	49749	18.192.93.86	192.168.2.4
Jan 30, 2024 17:10:28.018780947 CET	49749	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:10:28.220441103 CET	18227	49749	18.192.93.86	192.168.2.4
Jan 30, 2024 17:10:33.714881897 CET	49749	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:10:33.915666103 CET	18227	49749	18.192.93.86	192.168.2.4
Jan 30, 2024 17:10:37.814516068 CET	18227	49749	18.192.93.86	192.168.2.4
Jan 30, 2024 17:10:37.814601898 CET	49749	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:10:39.819660902 CET	49749	18227	192.168.2.4	18.192.93.86
Jan 30, 2024 17:10:39.941637993 CET	49750	18227	192.168.2.4	18.197.239.5
Jan 30, 2024 17:10:40.020395041 CET	18227	49749	18.192.93.86	192.168.2.4
Jan 30, 2024 17:10:40.147718906 CET	18227	49750	18.197.239.5	192.168.2.4
Jan 30, 2024 17:10:40.147929907 CET	49750	18227	192.168.2.4	18.197.239.5
Jan 30, 2024 17:10:40.149950027 CET	49750	18227	192.168.2.4	18.197.239.5
Jan 30, 2024 17:10:40.356014967 CET	18227	49750	18.197.239.5	192.168.2.4
Jan 30, 2024 17:10:40.356209993 CET	49750	18227	192.168.2.4	18.197.239.5
Jan 30, 2024 17:10:40.562290907 CET	18227	49750	18.197.239.5	192.168.2.4
Jan 30, 2024 17:10:41.866703987 CET	49750	18227	192.168.2.4	18.197.239.5
Jan 30, 2024 17:10:42.074218035 CET	18227	49750	18.197.239.5	192.168.2.4
Jan 30, 2024 17:10:47.123547077 CET	18227	49750	18.197.239.5	192.168.2.4
Jan 30, 2024 17:10:47.123745918 CET	49750	18227	192.168.2.4	18.197.239.5
Jan 30, 2024 17:10:49.132155895 CET	49750	18227	192.168.2.4	18.197.239.5
Jan 30, 2024 17:10:49.133641958 CET	49751	18227	192.168.2.4	18.197.239.5
Jan 30, 2024 17:10:49.336246967 CET	18227	49751	18.197.239.5	192.168.2.4
Jan 30, 2024 17:10:49.336455107 CET	49751	18227	192.168.2.4	18.197.239.5
Jan 30, 2024 17:10:49.338367939 CET	18227	49750	18.197.239.5	192.168.2.4
Jan 30, 2024 17:10:49.338670969 CET	49751	18227	192.168.2.4	18.197.239.5
Jan 30, 2024 17:10:49.541121006 CET	18227	49751	18.197.239.5	192.168.2.4
Jan 30, 2024 17:10:49.541183949 CET	49751	18227	192.168.2.4	18.197.239.5
Jan 30, 2024 17:10:49.743701935 CET	18227	49751	18.197.239.5	192.168.2.4
Jan 30, 2024 17:10:49.991692066 CET	49751	18227	192.168.2.4	18.197.239.5
Jan 30, 2024 17:10:50.194586039 CET	18227	49751	18.197.239.5	192.168.2.4
Jan 30, 2024 17:10:58.138649940 CET	49751	18227	192.168.2.4	18.197.239.5
Jan 30, 2024 17:10:58.341072083 CET	18227	49751	18.197.239.5	192.168.2.4
Jan 30, 2024 17:11:02.507663012 CET	18227	49751	18.197.239.5	192.168.2.4
Jan 30, 2024 17:11:02.507812023 CET	49751	18227	192.168.2.4	18.197.239.5
Jan 30, 2024 17:11:04.522767067 CET	49751	18227	192.168.2.4	18.197.239.5
Jan 30, 2024 17:11:04.524475098 CET	49752	18227	192.168.2.4	18.197.239.5
Jan 30, 2024 17:11:04.725284100 CET	18227	49751	18.197.239.5	192.168.2.4
Jan 30, 2024 17:11:04.728880882 CET	18227	49752	18.197.239.5	192.168.2.4
Jan 30, 2024 17:11:04.730376005 CET	49752	18227	192.168.2.4	18.197.239.5
Jan 30, 2024 17:11:04.732770920 CET	49752	18227	192.168.2.4	18.197.239.5
Jan 30, 2024 17:11:04.937268019 CET	18227	49752	18.197.239.5	192.168.2.4
Jan 30, 2024 17:11:04.938710928 CET	49752	18227	192.168.2.4	18.197.239.5
Jan 30, 2024 17:11:05.143266916 CET	18227	49752	18.197.239.5	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 30, 2024 17:07:17.994070053 CET	55139	53	192.168.2.4	1.1.1.1
Jan 30, 2024 17:07:18.113529921 CET	53	55139	1.1.1.1	192.168.2.4
Jan 30, 2024 17:08:27.322241068 CET	55307	53	192.168.2.4	1.1.1.1
Jan 30, 2024 17:08:27.442148924 CET	53	55307	1.1.1.1	192.168.2.4
Jan 30, 2024 17:09:31.462668896 CET	51061	53	192.168.2.4	1.1.1.1
Jan 30, 2024 17:09:31.583060980 CET	53	51061	1.1.1.1	192.168.2.4
Jan 30, 2024 17:10:39.820972919 CET	64057	53	192.168.2.4	1.1.1.1
Jan 30, 2024 17:10:39.940418959 CET	53	64057	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 30, 2024 17:07:17.994070053 CET	192.168.2.4	1.1.1.1	0x82f2	Standard query (0)	2.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Jan 30, 2024 17:08:27.322241068 CET	192.168.2.4	1.1.1.1	0x283	Standard query (0)	2.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Jan 30, 2024 17:09:31.462668896 CET	192.168.2.4	1.1.1.1	0x8cd3	Standard query (0)	2.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Jan 30, 2024 17:10:39.820972919 CET	192.168.2.4	1.1.1.1	0x8034	Standard query (0)	2.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 30, 2024 17:07:18.113529921 CET	1.1.1.1	192.168.2.4	0x82f2	No error (0)	2.tcp.eu.ngrok.io	3.127.138.57	A (IP address)	IN (0x0001)	false
Jan 30, 2024 17:08:27.442148924 CET	1.1.1.1	192.168.2.4	0x283	No error (0)	2.tcp.eu.ngrok.io	3.127.138.57	A (IP address)	IN (0x0001)	false
Jan 30, 2024 17:09:31.583060980 CET	1.1.1.1	192.168.2.4	0x8cd3	No error (0)	2.tcp.eu.ngrok.io	18.192.93.86	A (IP address)	IN (0x0001)	false
Jan 30, 2024 17:10:39.940418959 CET	1.1.1.1	192.168.2.4	0x8034	No error (0)	2.tcp.eu.ngrok.io	18.197.239.5	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	17:07:00
Start date:	30/01/2024
Path:	C:\Users\user\Desktop\R3ov8eFFFP.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\R3ov8eFFFP.exe
Imagebase:	0x460000
File size:	37'888 bytes
MD5 hash:	0A7D2BBBE2960FF24B9273036FC472DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000000.1688476254.0000000000462000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000000.1688476254.0000000000462000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000000.00000000.1688476254.0000000000462000.00000002.00000001.01000000.00000003.sdmp, Author: Brian Wallace @botnet_hunter
Reputation:	low
Has exited:	true

Target ID:	1
Start time:	17:07:07
Start date:	30/01/2024
Path:	C:\Users\user\AppData\Roaming\ESET Service.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ESET Service.exe"
Imagebase:	0xdd0000
File size:	37'888 bytes
MD5 hash:	0A7D2BBBE2960FF24B9273036FC472DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\ESET Service.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Roaming\ESET Service.exe, Author: unknown Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\ESET Service.exe, Author: Brian Wallace @botnet_hunter Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\ESET Service.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 97%, ReversingLabs
Reputation:	low
Has exited:	false

Target ID:	3
Start time:	17:07:13
Start date:	30/01/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\ESET Service.exe" "ESET Service.exe" ENABLE
Imagebase:	0x1560000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	4
Start time:	17:07:13
Start date:	30/01/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	5
Start time:	17:07:13
Start date:	30/01/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM taskmgr.exe
Imagebase:	0xd30000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	6
Start time:	17:07:13
Start date:	30/01/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	10
Start time:	17:07:25
Start date:	30/01/2024
Path:	C:\Users\user\AppData\Roaming\ESET Service.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ESET Service.exe" ..
Imagebase:	0x250000
File size:	37'888 bytes
MD5 hash:	0A7D2BBBE2960FF24B9273036FC472DA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	11
Start time:	17:07:33
Start date:	30/01/2024
Path:	C:\Users\user\AppData\Roaming\ESET Service.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ESET Service.exe" ..
Imagebase:	0x4c0000
File size:	37'888 bytes
MD5 hash:	0A7D2BBBE2960FF24B9273036FC472DA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	12
Start time:	17:07:42
Start date:	30/01/2024
Path:	C:\Users\user\AppData\Roaming\ESET Service.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ESET Service.exe" ..
Imagebase:	0x690000
File size:	37'888 bytes
MD5 hash:	0A7D2BBBE2960FF24B9273036FC472DA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true