
Windows Analysis Report
raw_cbot.exe

Overview

General Information

Sample name: raw_cbot.exe
Analysis ID: 1643734
MD5: 9ef7edfa24458412dd4667023fd8466b
SHA1: 696a87ae39645223f5149f455c32d77135f67cbd
SHA256: 1fc13ff144f070e7cec92dd959ec889df2928b8220e420ec3ba2a78bcbeb7e13

Detection

Score: 84
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to many ports of the same IP (likely port scanning)
Drops PE files to the startup folder
Joe Sandbox ML detected suspicious sample
Sigma detected: System File Execution Location Anomaly
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Drops PE files
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory

Classification

[Classification chart; categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious]
  • System is w10x64
  • raw_cbot.exe (PID: 8012 cmdline: "C:\Users\user\Desktop\raw_cbot.exe" MD5: 9EF7EDFA24458412DD4667023FD8466B)
  • svchost.exe (PID: 8064 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 7412 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 7656 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 7692 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 7756 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • MpCmdRun.exe (PID: 3452 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)
      • conhost.exe (PID: 4812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 4420 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe" MD5: 9EF7EDFA24458412DD4667023FD8466B)
No configs have been found
No yara matches

System Summary

Source: Process started. Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali. Data: Command: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe" , CommandLine: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3964, ProcessCommandLine: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe" , ProcessId: 4420, ProcessName: svchost.exe
Source: File created. Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research). Data: EventID: 11, Image: C:\Users\user\Desktop\raw_cbot.exe, ProcessId: 8012, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\raw_cbot.exe
Source: Process started. Author: vburov. Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 8064, ProcessName: svchost.exe
No Suricata rule has matched


AV Detection

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\raw_cbot.exe. ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (copy). ReversingLabs: Detection: 36%
Source: raw_cbot.exe. Virustotal: Detection: 56%
Source: raw_cbot.exe. ReversingLabs: Detection: 36%
Source: Submitted Sample. Integrated Neural Analysis Model: Matched 100.0% probability
Source: raw_cbot.exe. Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Networking

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe. Network Connect: 58.9.110.23 18063
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe. Network Connect: 176.65.142.252 18063
Source: global traffic. TCP traffic: 58.9.110.23 ports 18063,0,1,3,6,8
Source: global traffic. TCP traffic: 176.65.142.252 ports 18063,0,1,3,6,8
Source: global traffic. TCP traffic: 192.168.2.4:49712 -> 58.9.110.23:18063
Source: global traffic. TCP traffic: 192.168.2.4:49711 -> 176.65.142.252:18063
Source: Joe Sandbox View. ASN Name: TRUE-AS-APTrueInternetCoLtdTH
Source: Joe Sandbox View. ASN Name: WEBTRAFFICDE
Source: unknown. TCP traffic detected without corresponding DNS query: 176.65.142.252
Source: C:\Windows\System32\svchost.exe. File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: raw_cbot.exe.0.dr. Static PE information: Number of sections : 11 > 10
Source: raw_cbot.exe. Static PE information: Number of sections : 11 > 10
Source: raw_cbot.exe, 00000000.00000002.3046240307.00007FF6BD095000.00000008.00000001.01000000.00000003.sdmp. Binary or memory string: OriginalFilenamesvchost.exen' vs raw_cbot.exe
Source: raw_cbot.exe, 00000000.00000002.3045510440.00000274CE8EC000.00000004.00000020.00020000.00000000.sdmp. Binary or memory string: OriginalFilenamesvchost.exen' vs raw_cbot.exe
Source: raw_cbot.exe. Binary or memory string: OriginalFilenamesvchost.exen' vs raw_cbot.exe
Source: raw_cbot.exe.0.dr. Binary or memory string: OriginalFilenamesvchost.exen' vs raw_cbot.exe
Source: classification engine. Classification label: mal84.troj.adwa.evad.winEXE@10/9@0/3
Source: C:\Users\user\Desktop\raw_cbot.exe. File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\raw_cbot.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe. Mutant created: NULL
Source: C:\Windows\System32\conhost.exe. Mutant created: \BaseNamedObjects\Local\SM0:4812:120:WilError_03
Source: raw_cbot.exe. Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\raw_cbot.exe. Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\raw_cbot.exe. File read: C:\Users\user\Desktop\raw_cbot.exe
Source: unknown. Process created: C:\Users\user\Desktop\raw_cbot.exe "C:\Users\user\Desktop\raw_cbot.exe"
Source: unknown. Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown. Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown. Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknown. Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown. Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown. Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
Source: C:\Windows\System32\svchost.exe. Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe. Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\raw_cbot.exe. Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\raw_cbot.exe. Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\raw_cbot.exe. Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\raw_cbot.exe. Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\raw_cbot.exe. Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\raw_cbot.exe. Section loaded: wldp.dll
Source: C:\Users\user\Desktop\raw_cbot.exe. Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\raw_cbot.exe. Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: aphostservice.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: networkhelper.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userdataplatformhelperutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: syncutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mccspal.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: syncutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: vaultcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dmcfgutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dmcmnutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dmxmlhelputils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: inproclogger.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: windows.networking.connectivity.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: synccontroller.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: pimstore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: aphostclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: accountaccessor.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dsclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: systemeventsbrokerclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userdatalanguageutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mccsengineshared.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cemapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userdatatypehelperutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: phoneutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: storsvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: devobj.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: fltlib.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bcd.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wer.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cabinet.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: storageusage.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: mpclient.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: secur32.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: version.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: userenv.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: amsi.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: profapi.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: wscapi.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: netutils.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: slc.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: sppc.dllJump to behavior
Source: raw_cbot.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: raw_cbot.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: raw_cbot.exe | Static PE information: section name: .xdata
Source: raw_cbot.exe.0.dr | Static PE information: section name: .xdata
Source: C:\Users\user\Desktop\raw_cbot.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\raw_cbot.exe (dropped file)
Source: C:\Users\user\Desktop\raw_cbot.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (copy) (dropped file)

Boot Survival

Source: C:\Users\user\Desktop\raw_cbot.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\raw_cbot.exe (dropped file)
Source: C:\Users\user\Desktop\raw_cbot.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (copy) (dropped file)
Source: C:\Users\user\Desktop\raw_cbot.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\raw_cbot.exe
Source: C:\Users\user\Desktop\raw_cbot.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\raw_cbot.exe
Source: C:\Users\user\Desktop\raw_cbot.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\raw_cbot.exe\:Zone.Identifier:$DATA
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\raw_cbot.exe TID: 8032 | Thread sleep count: 39 > 30
Source: C:\Windows\System32\svchost.exe TID: 8132 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8132 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe TID: 7864 | Thread sleep count: 33 > 30
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\Windows\System32 FullSizeInformation
Source: svchost.exe, 00000005.00000002.3046196747.000001CBB1A6F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: (@\??\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000005.00000002.3045922946.000001CBB1A2B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: (@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: svchost.exe, 00000005.00000002.3046196747.000001CBB1A86000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000001.00000002.2809478538.0000022580427000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWpe
Source: svchost.exe, 00000005.00000002.3046196747.000001CBB1A6F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:#p
Source: raw_cbot.exe, 00000000.00000002.3045510440.00000274CE8EC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllF
Source: svchost.exe, 00000001.00000002.2810133478.0000022585A63000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000005.00000002.3045671316.000001CBB1A00000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: svchost.exe, 00000005.00000002.3046055693.000001CBB1A53000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: (@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000e1}
Source: svchost.exe, 00000005.00000002.3046196747.000001CBB1A6F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: .@\\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000005.00000002.3046196747.000001CBB1A6F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000`
Source: svchost.exe, 00000005.00000002.3046418221.000001CBB1B02000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000005.00000002.3045922946.000001CBB1A2B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: $@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000005.00000002.3046196747.000001CBB1A6F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: (@\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000007.00000002.3045669105.000001EEE7213000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | Network Connect: 58.9.110.23 18063
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | Network Connect: 176.65.142.252 18063
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C: VolumeInformation
Source: C:\Users\user\Desktop\raw_cbot.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: svchost.exe, 00000006.00000002.3046675481.000002A1ACD02000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000006.00000002.3046675481.000002A1ACD02000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
MITRE ATT&CK Matrix (rebuilt from the flattened 14-column table; techniques are listed per tactic, and the numeric prefixes are kept as shown on the matched techniques in the original matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: 1 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd
Persistence: 1 DLL Side-Loading; 12 Registry Run Keys / Startup Folder; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; 12 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script
Defense Evasion: 11 Masquerading; 1 Disable or Modify Tools; 3 Virtualization/Sandbox Evasion; 11 Process Injection; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: 141 Security Software Discovery; 3 Virtualization/Sandbox Evasion; 23 System Information Discovery; System Network Configuration Discovery; Internet Connection Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: 1 Non-Standard Port; Junk Data; Steganography; Protocol Impersonation; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
Behavior Graph ID: 1643734; Sample: raw_cbot.exe; Start date: 20/03/2025; Architecture: WINDOWS; Score: 84
Signatures on the root node: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Connects to many ports of the same IP (likely port scanning); 2 other signatures
Processes started from the root node: raw_cbot.exe; svchost.exe; svchost.exe; 4 other processes
raw_cbot.exe: network 176.65.142.252, 18063, 49782, 49784 WEBTRAFFICDE Germany; 58.9.110.23, 18063 TRUE-AS-APTrueInternetCoLtdTH Thailand. Dropped: C:\Users\user\AppData\...\svchost.exe (copy), PE32+; C:\Users\user\AppData\...\raw_cbot.exe, PE32+; C:\Users\...\raw_cbot.exe:Zone.Identifier, ASCII. Signature: Drops PE files to the startup folder
svchost.exe (first node): signature: Changes security center settings (notifications, updates, antivirus, firewall); started MpCmdRun.exe, which started conhost.exe
svchost.exe (second node): signature: System process connects to network (likely due to code injection or exploit)
4 other processes: network 127.0.0.1 unknown unknown

Source | Detection | Scanner | Label
raw_cbot.exe | 56% | Virustotal |
raw_cbot.exe | 37% | ReversingLabs | Win64.Trojan.Barys
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\raw_cbot.exe | 37% | ReversingLabs | Win64.Trojan.Barys
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (copy) | 37% | ReversingLabs | Win64.Trojan.Barys
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv | 0% | Avira URL Cloud | safe


No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx | svchost.exe, 00000002.00000003.1364593805.000001D399458000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r= | svchost.exe, 00000002.00000003.1364561708.000001D39945D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Routes/ | svchost.exe, 00000002.00000003.1364411040.000001D399467000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365400391.000001D399468000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/Driving | svchost.exe, 00000002.00000003.1364593805.000001D399458000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx | svchost.exe, 00000002.00000003.1364729751.000001D399443000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Transit/Stops/ | svchost.exe, 00000002.00000003.1364196777.000001D399474000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365445241.000001D399476000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/ | svchost.exe, 00000002.00000003.1364411040.000001D399467000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365241662.000001D39942B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365400391.000001D399468000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/ | svchost.exe, 00000002.00000003.1364455104.000001D399462000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365241662.000001D39942B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365366445.000001D399463000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= | svchost.exe, 00000002.00000003.1364711284.000001D399448000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364729751.000001D399443000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364593805.000001D399458000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/Walking | svchost.exe, 00000002.00000003.1364593805.000001D399458000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r= | svchost.exe, 00000002.00000002.1365285993.000001D399444000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364729751.000001D399443000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://crl.ver) | svchost.exe, 00000001.00000002.2810042445.0000022585A00000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? | svchost.exe, 00000002.00000003.1364455104.000001D399462000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365366445.000001D399463000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://g.live.com/odclientsettings/ProdV2.C: | edb.log.1.dr, qmgr.db.1.dr | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= | svchost.exe, 00000002.00000003.1364711284.000001D399448000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364729751.000001D399443000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Locations | svchost.exe, 00000002.00000003.1364593805.000001D399458000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/ | svchost.exe, 00000002.00000002.1365328955.000001D399459000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364593805.000001D399458000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/mapcontrol/logging.ashx | svchost.exe, 00000002.00000003.1364593805.000001D399458000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/mapcontrol/logging.ashx | svchost.exe, 00000002.00000003.1364593805.000001D399458000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | svchost.exe, 00000002.00000003.1364455104.000001D399462000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365285993.000001D399444000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364289151.000001D39946E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365423549.000001D399470000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365366445.000001D399463000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364672704.000001D39945A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364729751.000001D399443000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364593805.000001D399458000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://g.live.com/odclientsettings/Prod.C: | edb.log.1.dr, qmgr.db.1.dr | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= | svchost.exe, 00000002.00000002.1365241662.000001D39942B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r= | svchost.exe, 00000002.00000002.1365241662.000001D39942B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://g.live.com/odclientsettings/ProdV2 | edb.log.1.dr, qmgr.db.1.dr | false | | high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/ | svchost.exe, 00000002.00000002.1365241662.000001D39942B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv | svchost.exe, 00000002.00000002.1365285993.000001D399444000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364729751.000001D399443000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dynamic.t | svchost.exe, 00000002.00000003.1364593805.000001D399458000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96 | svchost.exe, 00000001.00000003.1203013735.00000225859F2000.00000004.00000800.00020000.00000000.sdmp, edb.log.1.dr | false | |
                                                        high
                                                        https://dev.virtualearth.net/REST/v1/Routes/Transitsvchost.exe, 00000002.00000003.1364593805.000001D399458000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          high
                                                          https://t0.ssl.ak.tiles.virtualearth.net/tiles/gensvchost.exe, 00000002.00000003.1364593805.000001D399458000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            high
                                                            https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=svchost.exe, 00000002.00000002.1365328955.000001D399459000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364593805.000001D399458000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              high
                                                              https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=svchost.exe, 00000002.00000002.1365366445.000001D399463000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                high
                                                                http://www.bingmapsportal.comsvchost.exe, 00000002.00000002.1365209356.000001D399413000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  high
                                                                  https://dev.ditu.live.com/REST/v1/Locationssvchost.exe, 00000002.00000003.1364593805.000001D399458000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    high
                                                                    https://dev.virtualearth.net/REST/v1/Imagery/Copyright/svchost.exe, 00000002.00000003.1364455104.000001D399462000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365241662.000001D39942B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365366445.000001D399463000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364672704.000001D39945A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364593805.000001D399458000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      high
                                                                      https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6svchost.exe, 00000001.00000003.1203013735.00000225859F2000.00000004.00000800.00020000.00000000.sdmp, edb.log.1.dr, qmgr.db.1.drfalse
                                                                        high
                                                                        https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/svchost.exe, 00000002.00000003.1364411040.000001D399467000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365241662.000001D39942B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365400391.000001D399468000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          high
                                                                          https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=svchost.exe, 00000002.00000003.1364769713.000001D399433000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1365366445.000001D399463000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            high
IP | Domain | Country | ASN | ASN Name | Malicious
58.9.110.23 | unknown | Thailand | 17552 | TRUE-AS-APTrueInternetCoLtdTH | true
176.65.142.252 | unknown | Germany | 8649 | WEBTRAFFICDE | true
                                                                            IP
                                                                            127.0.0.1
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1643734
Start date and time: 2025-03-20 03:14:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 40s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: raw_cbot.exe
Detection: MAL
Classification: mal84.troj.adwa.evad.winEXE@10/9@0/3
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
• Exclude process from analysis (whitelisted): WMIADAP.exe, SIHClient.exe, SgrmBroker.exe
• Excluded IPs from analysis (whitelisted): 23.204.23.20, 4.245.163.56
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, c.pki.goog, fe3cr.delivery.mp.microsoft.com
• Not all processes were analysed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
Time | Type | Description
02:15:08 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
58.9.110.23 | 22.exe | malicious | Unknown
58.9.110.23 | cbot.exe | malicious | Unknown
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TRUE-AS-APTrueInternetCoLtdTH | sshd | malicious | Unknown | 171.97.167.202
TRUE-AS-APTrueInternetCoLtdTH | m68k.elf | malicious | Unknown | 58.11.24.86
TRUE-AS-APTrueInternetCoLtdTH | jklarm5.elf | malicious | Unknown | 58.11.219.208
TRUE-AS-APTrueInternetCoLtdTH | hoho.arm7.elf | malicious | Mirai | 124.122.130.94
TRUE-AS-APTrueInternetCoLtdTH | hgfs.arm.elf | malicious | Unknown | 171.96.58.89
TRUE-AS-APTrueInternetCoLtdTH | arm7.elf | malicious | Mirai | 124.120.215.111
TRUE-AS-APTrueInternetCoLtdTH | hgfs.x86.elf | malicious | Unknown | 58.8.237.33
TRUE-AS-APTrueInternetCoLtdTH | KKveTTgaAAsecNNaaaa.spc.elf | malicious | Unknown | 124.122.178.165
TRUE-AS-APTrueInternetCoLtdTH | KKveTTgaAAsecNNaaaa.sh4.elf | malicious | Unknown | 27.145.158.183
WEBTRAFFICDE | ungziped_file.exe | malicious | Remcos | 176.65.141.49
WEBTRAFFICDE | z310517827.bat | malicious | Batch Injector, Remcos | 176.65.142.140
WEBTRAFFICDE | TD648372.bat | malicious | Batch Injector, Remcos | 176.65.142.140
WEBTRAFFICDE | PO#250059712.bat | malicious | Batch Injector, Remcos | 176.65.142.140
WEBTRAFFICDE | Document25.xlsm | malicious | ScreenConnect Tool, AsyncRAT, StormKitty, VenomRAT | 176.65.142.74
WEBTRAFFICDE | _TSCA.pdf.exe | malicious | PureLog Stealer, Remcos | 176.65.141.49
WEBTRAFFICDE | https://mandrillapp.com/track/click/30319935/app.axure.cloud?p=eyJzIjoiV2EycUdtVWFUN1RfTGxWUkQzU3I1RDRsX2NFIiwidiI6MSwicCI6IntcInVcIjozMDMxOTkzNSxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL2FwcC5heHVyZS5jbG91ZFxcXC83RlpOR1BcXFwvXCIsXCJpZFwiOlwiNjRmNmJkOTAyMjY0NGQyZDliZjUzMzQyOTc0ZTQwNThcIixcInVybF9pZHNcIjpbXCIzNjBjNGIwODczODAyZGVjZTE1NTNhYmM1MGQwZjViMGMyNTdjMzM2XCJdfSJ9 | malicious | Unknown | 176.65.142.110
WEBTRAFFICDE | Commercial invoice and dhl awb tracking details.vbs | malicious | Remcos, GuLoader | 176.65.142.81
WEBTRAFFICDE | ReK7Ewx.exe | malicious | AsyncRAT | 176.65.142.60
No context
No context
                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):8192
                                                                                Entropy (8bit):0.363788168458258
                                                                                Encrypted:false
                                                                                SSDEEP:6:6xPoaaD0JOCEfMuaaD0JOCEfMKQmDNOxPoaaD0JOCEfMuaaD0JOCEfMKQmDN:1aaD0JcaaD0JwQQbaaD0JcaaD0JwQQ
                                                                                MD5:0E72F896C84F1457C62C0E20338FAC0D
                                                                                SHA1:9C071CC3D15E5BD8BF603391AE447202BD9F8537
                                                                                SHA-256:686DC879EA8690C42D3D5D10D0148AE7110FA4D8DCCBF957FB8E41EE3D4A42B3
                                                                                SHA-512:AAA5BE088708DABC2EC9A7A6632BDF5700BE719D3F72B732BD2DFD1A3CFDD5C8884BFA4951DB0C499AF423EC30B14A49A30FBB831D1B0A880FE10053043A4251
                                                                                Malicious:false
                                                                                Reputation:moderate, very likely benign file
                                                                                Preview:*.>...........&.....D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................................................&.............................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):1310720
                                                                                Entropy (8bit):1.3107706451904466
                                                                                Encrypted:false
                                                                                SSDEEP:3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvr0:KooCEYhgYEL0In
                                                                                MD5:650D49CB756AD4161BB033A98932950D
                                                                                SHA1:A0289DCE2DC391927DD244EC57BE71C227259E06
                                                                                SHA-256:697DED1EE1C34B074BDDB946C6BEEFA807B8A5689084E0077B20CE64A7B33226
                                                                                SHA-512:D155572F3B32409B2093C8A7C03403D9B54D423ABCB1CCA1EC49BAF5B4D9C0F099BA97F7B46EADE78230BF8D22209714D4B2B9AA7CAA5E78CB24B1C3AC45C8DA
                                                                                Malicious:false
                                                                                Reputation:low
                                                                                Preview:z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                File Type:Extensible storage engine DataBase, version 0x620, checksum 0x1fe9d10c, page size 16384, Windows version 10.0
                                                                                Category:dropped
                                                                                Size (bytes):1310720
                                                                                Entropy (8bit):0.42216995823620856
                                                                                Encrypted:false
                                                                                SSDEEP:1536:HSB2ESB2SSjlK/uedMrSU0OrsJzvqYkr3g16f2UPkLk+ku4/Iw4KKazAkUk1k2DO:Hazag03A2UrzJDO
                                                                                MD5:FE91E7B265A57EC556C5FB89CF0B16E8
                                                                                SHA1:9BF08CD9325296B6D36E68737340953B7B846C3F
                                                                                SHA-256:82D3B467591C74350C4675A179E9AA60560898C37CB0C47B0D75FF0DDB0982C8
                                                                                SHA-512:2561F7FD390B94F2241656097335F18DD9B8E66BF89D1ABF11E4CC954D0A96228E7774238BC69FB73F9B58E8F7C0893D472CDB629C5596C2B1A119D0C7F9C92A
                                                                                Malicious:false
                                                                                Preview:....... .......Y.......X\...;...{......................n.%..........}Q......}..h.#..........}Q.n.%.........D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ............................................................................................................................................................................................................2...{...................................z.......}Q.................}d`......}Q..........................#......n.%.....................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):16384
                                                                                Entropy (8bit):0.07828854525991015
                                                                                Encrypted:false
                                                                                SSDEEP:3:t/tOetYeUcxy1t/Onxejt/cK+xvQ/AllOE/tlnl+/rTc:1trzFm1OxeBcqApMP
                                                                                MD5:980AAB2065F5059A7AE2C3F2F7A18FD8
                                                                                SHA1:CF5754B79CD82CD9368D75B6BA2079FC17C0EB94
                                                                                SHA-256:39BE583F4A680C6015C653CB7E7BEF806573DEB0EF8315352B2616D2C0C51BFF
                                                                                SHA-512:A6927AD3A8727148C4B85E29016508CE1555AEBA620130A0BF9299964D54DBF6D3BB618D2072F5291C6F2749ABB96ACD1BCE8F8FB18D2349704475E116205D09
                                                                                Malicious:false
                                                                                Preview:..L......................................;...{.......}.......}Q..............}Q......}Q..V.......}Q.................}d`......}Q.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Users\user\Desktop\raw_cbot.exe
                                                                                File Type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):61952
                                                                                Entropy (8bit):6.069918401167628
                                                                                Encrypted:false
                                                                                SSDEEP:768:EX/VDdl1ooSHqckQSZecQu0hsehhRxU5UluWaXVpuvYD1bvOn40XZ00yanOuSx4:SpVooz2LZrTculaVEvWpOnr00yjg
                                                                                MD5:9EF7EDFA24458412DD4667023FD8466B
                                                                                SHA1:696A87AE39645223F5149F455C32D77135F67CBD
                                                                                SHA-256:1FC13FF144F070E7CEC92DD959EC889DF2928B8220E420EC3BA2A78BCBEB7E13
                                                                                SHA-512:45F75AD39E7D5A006D265257259A9036B26C9B9C4BACFEE0D37A86A84DFDFD5D52EBD15C9A0E46AC2E70D3DEA46CCEAC1B6EA7A5F42B879F0660DCDE13DBD4FE
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 37%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......g...............&.......................@.............................p......e.....`... .............................................. .......P.......................`..................................(....................#..P............................text...@...........................`..`.data...............................@....rdata..P...........................@..@.pdata..............................@..@.xdata..............................@..@.bss....`................................idata....... ......................@....CRT....h....0......................@....tls.........@......................@....rsrc........P......................@....reloc.......`......................@..B........................................................................................................................................................................

Process: C:\Users\user\Desktop\raw_cbot.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Preview: [ZoneTransfer]....ZoneId=0

Process: C:\Users\user\Desktop\raw_cbot.exe
File Type: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category: dropped
Size (bytes): 61952
Entropy (8bit): 6.069918401167628
Encrypted: false
SSDEEP: 768:EX/VDdl1ooSHqckQSZecQu0hsehhRxU5UluWaXVpuvYD1bvOn40XZ00yanOuSx4:SpVooz2LZrTculaVEvWpOnr00yjg
MD5: 9EF7EDFA24458412DD4667023FD8466B
SHA1: 696A87AE39645223F5149F455C32D77135F67CBD
SHA-256: 1FC13FF144F070E7CEC92DD959EC889DF2928B8220E420EC3BA2A78BCBEB7E13
SHA-512: 45F75AD39E7D5A006D265257259A9036B26C9B9C4BACFEE0D37A86A84DFDFD5D52EBD15C9A0E46AC2E70D3DEA46CCEAC1B6EA7A5F42B879F0660DCDE13DBD4FE
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 37%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......g...............&.......................@.............................p......e.....`... .............................................. .......P.......................`..................................(....................#..P............................text...@...........................`..`.data...............................@....rdata..P...........................@..@.pdata..............................@..@.xdata..............................@..@.bss....`................................idata....... ......................@....CRT....h....0......................@....tls.........@......................@....rsrc........P......................@....reloc.......`......................@..B........................................................................................................................................................................

Process: C:\Windows\System32\svchost.exe
File Type: JSON data
Category: dropped
Size (bytes): 55
Entropy (8bit): 4.306461250274409
Encrypted: false
SSDEEP: 3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5: DCA83F08D448911A14C22EBCACC5AD57
SHA1: 91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256: 2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512: 96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious: false
Preview: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Process: C:\Program Files\Windows Defender\MpCmdRun.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: modified
Size (bytes): 7388
Entropy (8bit): 3.24091864456928
Encrypted: false
SSDEEP: 96:cEi+AAsoJjykzEJ+AAsoJjykHE46+AAsoJjykIE:cN+SoJbO+SoJvR6+SoJAE
MD5: FCDD3B5FC4C17945ED67DF720F13C9E5
SHA1: 42EED295FE6400B582D0E27CE4F635064D3ADEB1
SHA-256: 3B2A1E855B43AA754DA7B865CFA82A86D2B2F932081DDEB85F219DE8C4BE8EE9
SHA-512: 3FA5A3EC5023DC8F44302D51C72161C41AD6CE42F67301C5D9F28E20677777C4B77CD7EE48C15E7035CEC787A2502873FA3A9398F02A2DEB0836029BA47ABFE9
Malicious: false
Preview: ..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. W.e.d. .. O.c.t. .. 0.4. .. 2.0.2.3. .1.2.:.0.3.:.4.2.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*. .W.S.C. .S.t.a.t.e. .I.n.f.o. .*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.....*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. .*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.....d.i.s.p.l.a.y.N.a.m.e. .=. .[.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.].....p.a.t.h.T.o.S.i.g.n.e.d.P.r.o.d.u.c.t.E.x.e. .=. .[.w.i.n.d.o.w.s.d.
File type: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit): 6.069918401167628
TrID:
• Win64 Executable (generic) (12005/4) 74.95%
• Generic Win/DOS Executable (2004/3) 12.51%
• DOS Executable Generic (2002/1) 12.50%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name: raw_cbot.exe
File size: 61'952 bytes
MD5: 9ef7edfa24458412dd4667023fd8466b
SHA1: 696a87ae39645223f5149f455c32d77135f67cbd
SHA256: 1fc13ff144f070e7cec92dd959ec889df2928b8220e420ec3ba2a78bcbeb7e13
SHA512: 45f75ad39e7d5a006d265257259a9036b26c9b9c4bacfee0d37a86a84dfdfd5d52ebd15c9a0e46ac2e70d3dea46cceac1b6ea7a5f42b879f0660dcde13dbd4fe
SSDEEP: 768:EX/VDdl1ooSHqckQSZecQu0hsehhRxU5UluWaXVpuvYD1bvOn40XZ00yanOuSx4:SpVooz2LZrTculaVEvWpOnr00yjg
TLSH: 5C531B1BB34354EDC62AD5B486BFAB33B672B8920630AF3F52A4E7701E10E605F5A514
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......g...............&.......................@.............................p......e.....`... ............................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x1400014d0
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x67D6EDDC [Sun Mar 16 15:27:24 2025 UTC]
TLS Callbacks: 0x40004e80, 0x1, 0x40004e50, 0x1
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: c6f8590df3a6e8e386690a3f3b0cf556
Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [0000CEE5h]
mov dword ptr [eax], 00000001h
call 00007F6EA0E472BFh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [0000CEC5h]
mov dword ptr [eax], 00000000h
call 00007F6EA0E4729Fh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
call 00007F6EA0E50BD4h
dec eax
test eax, eax
sete al
movzx eax, al
neg eax
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
dec eax
lea ecx, dword ptr [00000009h]
jmp 00007F6EA0E475E9h
nop dword ptr [eax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
dec eax
sub esp, 38h
dec esp
mov eax, dword ptr [0000CDA5h]
dec ebp
mov edx, dword ptr [eax]
dec esp
mov dword ptr [esp+28h], edx
inc ebp
xor edx, edx
mov word ptr [esp+26h], 0000h
cmp edx, 01h
jle 00007F6EA0E47622h
inc esp
movzx ebx, word ptr [ecx]
dec eax
add ecx, 02h
sub edx, 02h
inc ebp
add edx, ebx
jmp 00007F6EA0E475FDh
jne 00007F6EA0E47620h
mov dl, byte ptr [ecx]
mov byte ptr [esp+26h], dl
movzx ecx, word ptr [esp+26h]
inc ecx
add edx, ecx
inc ebp
mov ecx, edx
inc ecx
movzx eax, word ptr [eax]
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x12000 | 0xe80 | .idata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x15000 | 0x3b0 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xf000 | 0x714 | .pdata |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x16000 | 0x98 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0xdbe0 | 0x28 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x123c8 | 0x350 | .idata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0xa540 | 0xa600 | a35fc22fa5f702d6a262b7e9ced74b05 | False | 0.5507341867469879 | data | 6.242709308827174 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .data | 0xc000 | 0x100 | 0x200 | 3e73fd0a1b3c609970935400c78dc530 | False | 0.1640625 | data | 1.0307701636188438 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rdata | 0xd000 | 0x1a50 | 0x1c00 | bcf1448c63dd02634b8bb5f2cb923d1f | False | 0.30189732142857145 | data | 5.219944685913332 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .pdata | 0xf000 | 0x714 | 0x800 | 9b24038d224e6c7298cc440dee930df5 | False | 0.4560546875 | data | 4.269365295670671 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .xdata | 0x10000 | 0x7f8 | 0x800 | 1f19f9168970429cb4ec7dfbb1b7b796 | False | 0.32666015625 | data | 4.592232795586179 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .bss | 0x11000 | 0xc60 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .idata | 0x12000 | 0xe80 | 0x1000 | 6c56a56025577ba1e1d886c17ac833db | False | 0.314453125 | zlib compressed data | 4.1105520524632 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .CRT | 0x13000 | 0x68 | 0x200 | 0cdd8602562e773b404ac0502234f75b | False | 0.072265625 | data | 0.3406417195159507 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .tls | 0x14000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x15000 | 0x3b0 | 0x400 | c141e82b043ee638ba818a72ae55876f | False | 0.4208984375 | data | 3.0863403008417483 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .reloc | 0x16000 | 0x98 | 0x200 | c70f29840f30c2814897bb63d508c384 | False | 0.27734375 | data | 1.7375704363188285 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_VERSION | 0x15058 | 0x358 | data | English | United States | 0.4614485981308411 |
| DLL | Import |
|---|---|
| ADVAPI32.dll | CryptAcquireContextA, CryptGenRandom, CryptReleaseContext |
| KERNEL32.dll | CloseHandle, CopyFileA, CreateMutexA, CreateThread, DeleteCriticalSection, DeleteFileA, EnterCriticalSection, ExitProcess, FreeLibrary, GetCurrentProcessId, GetLastError, GetModuleFileNameA, GetModuleHandleW, GetProcAddress, GetStartupInfoA, InitializeCriticalSection, IsDBCSLeadByteEx, LeaveCriticalSection, LoadLibraryA, MoveFileA, MultiByteToWideChar, ReleaseMutex, SetThreadPriority, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WideCharToMultiByte |
| msvcrt.dll | __C_specific_handler, ___lc_codepage_func, ___mb_cur_max_func, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _cexit, _commode, _errno, _exit, _fmode, _initterm, _lock, _onexit, _time64, _unlock, abort, atoi, calloc, exit, fclose, fopen, fprintf, fputc, free, fwrite, localeconv, malloc, memcpy, perror, rand, signal, strcpy, strerror, strlen, strncmp, strrchr, vfprintf, wcslen, _write, _open, _close |
| SHELL32.dll | SHGetSpecialFolderPathA |
| WS2_32.dll | WSACleanup, WSAGetLastError, WSASocketA, WSAStartup, bind, closesocket, connect, htons, inet_addr, inet_ntoa, ioctlsocket, ntohl, ntohs, recv, select, send, sendto, setsockopt, socket |
| Description | Data |
|---|---|
| CompanyName | Microsoft Corporation |
| FileDescription | Host Process for Windows Services |
| FileVersion | 1.2.0.0 |
| InternalName | cbot |
| LegalCopyright | Microsoft Corporation. All rights reserved. |
| OriginalFilename | svchost.exe |
| ProductName | Microsoft Windows Operating System |
| ProductVersion | 1.2.0.0 |
| Translation | 0x0409 0x04b0 |

| Language of compilation system | Country where language is spoken |
|---|---|
| English | United States |


| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Mar 20, 2025 03:15:07.006339073 CET | 49712 | 18063 | 192.168.2.4 | 58.9.110.23 |
| Mar 20, 2025 03:15:07.006366014 CET | 49711 | 18063 | 192.168.2.4 | 176.65.142.252 |
| Mar 20, 2025 03:15:08.009207964 CET | 49711 | 18063 | 192.168.2.4 | 176.65.142.252 |
| Mar 20, 2025 03:15:08.009305000 CET | 49712 | 18063 | 192.168.2.4 | 58.9.110.23 |
| Mar 20, 2025 03:15:10.009207964 CET | 49712 | 18063 | 192.168.2.4 | 58.9.110.23 |
| Mar 20, 2025 03:15:10.024804115 CET | 49711 | 18063 | 192.168.2.4 | 176.65.142.252 |
| Mar 20, 2025 03:15:12.509406090 CET | 49718 | 18063 | 192.168.2.4 | 58.9.110.23 |
| Mar 20, 2025 03:15:12.509650946 CET | 49719 | 18063 | 192.168.2.4 | 176.65.142.252 |
| Mar 20, 2025 03:15:13.509182930 CET | 49718 | 18063 | 192.168.2.4 | 58.9.110.23 |
| Mar 20, 2025 03:15:13.509232998 CET | 49719 | 18063 | 192.168.2.4 | 176.65.142.252 |
| Mar 20, 2025 03:15:15.524724007 CET | 49718 | 18063 | 192.168.2.4 | 58.9.110.23 |
| Mar 20, 2025 03:15:15.524837017 CET | 49719 | 18063 | 192.168.2.4 | 176.65.142.252 |
| Mar 20, 2025 03:15:18.033587933 CET | 49720 | 18063 | 192.168.2.4 | 176.65.142.252 |
| Mar 20, 2025 03:15:18.033632994 CET | 49721 | 18063 | 192.168.2.4 | 58.9.110.23 |
| Mar 20, 2025 03:15:18.041104078 CET | 49722 | 18063 | 192.168.2.4 | 176.65.142.252 |
| Mar 20, 2025 03:15:18.041285038 CET | 49723 | 18063 | 192.168.2.4 | 58.9.110.23 |
| Mar 20, 2025 03:15:19.040345907 CET | 49720 | 18063 | 192.168.2.4 | 176.65.142.252 |
| Mar 20, 2025 03:15:19.041326046 CET | 49723 | 18063 | 192.168.2.4 | 58.9.110.23 |
| Mar 20, 2025 03:15:19.041362047 CET | 49721 | 18063 | 192.168.2.4 | 58.9.110.23 |
| Mar 20, 2025 03:15:19.041363001 CET | 49722 | 18063 | 192.168.2.4 | 176.65.142.252 |
| Mar 20, 2025 03:15:21.040338993 CET | 49720 | 18063 | 192.168.2.4 | 176.65.142.252 |
| Mar 20, 2025 03:15:21.040455103 CET | 49723 | 18063 | 192.168.2.4 | 58.9.110.23 |
| Mar 20, 2025 03:15:21.040467024 CET | 49722 | 18063 | 192.168.2.4 | 176.65.142.252 |
| Mar 20, 2025 03:15:21.040483952 CET | 49721 | 18063 | 192.168.2.4 | 58.9.110.23 |
| Mar 20, 2025 03:15:23.556317091 CET | 49733 | 18063 | 192.168.2.4 | 58.9.110.23 |
| Mar 20, 2025 03:15:23.556320906 CET | 49732 | 18063 | 192.168.2.4 | 176.65.142.252 |
| Mar 20, 2025 03:15:23.571906090 CET | 49734 | 18063 | 192.168.2.4 | 58.9.110.23 |
| Mar 20, 2025 03:15:23.572016001 CET | 49735 | 18063 | 192.168.2.4 | 176.65.142.252 |
| Mar 20, 2025 03:15:24.555999994 CET | 49732 | 18063 | 192.168.2.4 | 176.65.142.252 |
| Mar 20, 2025 03:15:24.557214975 CET | 49733 | 18063 | 192.168.2.4 | 58.9.110.23 |
| Mar 20, 2025 03:15:24.587225914 CET | 49734 | 18063 | 192.168.2.4 | 58.9.110.23 |
| Mar 20, 2025 03:15:24.587423086 CET | 49735 | 18063 | 192.168.2.4 | 176.65.142.252 |
| Mar 20, 2025 03:15:26.571635962 CET | 49732 | 18063 | 192.168.2.4 | 176.65.142.252 |
| Mar 20, 2025 03:15:26.571815968 CET | 49733 | 18063 | 192.168.2.4 | 58.9.110.23 |
                                                                                Mar 20, 2025 03:15:26.587321043 CET4973418063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:15:26.587450981 CET4973518063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:15:29.071959972 CET4973618063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:15:29.071980000 CET4973718063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:15:29.087593079 CET4973918063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:15:29.087599039 CET4973818063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:15:30.087347031 CET4973718063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:15:30.087378025 CET4973818063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:15:30.087390900 CET4973618063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:15:30.087513924 CET4973918063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:15:32.087481022 CET4973718063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:15:32.087531090 CET4973618063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:15:32.089335918 CET4973918063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:15:32.089389086 CET4973818063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:15:34.587649107 CET4974018063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:15:34.588110924 CET4974118063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:15:34.619072914 CET4974218063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:15:34.619195938 CET4974318063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:15:35.587414026 CET4974018063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:15:35.603005886 CET4974118063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:15:35.634283066 CET4974218063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:15:35.634325981 CET4974318063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:15:37.602891922 CET4974018063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:15:37.602909088 CET4974118063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:15:37.634165049 CET4974218063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:15:37.634188890 CET4974318063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:15:40.118922949 CET4974418063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:15:40.119108915 CET4974518063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:15:40.150305033 CET4974718063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:15:40.150320053 CET4974618063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:15:41.134258032 CET4974418063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:15:41.134367943 CET4974518063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:15:41.165380001 CET4974718063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:15:41.166045904 CET4974618063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:15:43.134155989 CET4974418063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:15:43.134263039 CET4974518063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:15:43.165381908 CET4974718063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:15:43.165385962 CET4974618063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:15:45.650296926 CET4974818063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:15:45.650393963 CET4974918063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:15:45.665740967 CET4975018063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:15:45.665863991 CET4975118063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:15:46.650000095 CET4974918063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:15:46.650003910 CET4974818063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:15:46.665421009 CET4975018063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:15:46.665502071 CET4975118063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:15:48.649837971 CET4974918063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:15:48.649842978 CET4974818063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:15:48.665411949 CET4975018063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:15:48.669245958 CET4975118063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:15:51.181622982 CET4975218063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:15:51.181624889 CET4975318063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:15:51.196971893 CET4975418063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:15:51.197169065 CET4975518063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:15:52.181113958 CET4975318063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:15:52.181221962 CET4975218063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:15:52.212399960 CET4975418063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:15:52.212405920 CET4975518063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:15:54.196784019 CET4975318063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:15:54.196788073 CET4975218063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:15:54.212397099 CET4975518063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:15:54.212395906 CET4975418063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:15:56.712743998 CET4975618063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:15:56.712852955 CET4975718063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:15:56.728214025 CET4975818063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:15:56.728287935 CET4975918063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:15:57.712338924 CET4975718063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:15:57.712428093 CET4975618063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:15:57.743707895 CET4975918063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:15:57.743711948 CET4975818063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:15:59.712327003 CET4975618063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:15:59.713279009 CET4975718063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:15:59.743583918 CET4975918063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:15:59.743623972 CET4975818063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:16:02.244002104 CET4976118063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:16:02.244025946 CET4976218063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:02.259493113 CET4976318063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:02.259572029 CET4976418063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:16:03.243695974 CET4976118063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:16:03.243819952 CET4976218063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:03.259330034 CET4976318063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:03.259430885 CET4976418063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:16:05.243658066 CET4976218063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:05.243680000 CET4976118063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:16:05.259397030 CET4976318063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:05.261413097 CET4976418063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:16:07.759526014 CET4976518063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:07.759754896 CET4976618063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:16:07.775321960 CET4976718063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:16:07.775440931 CET4976818063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:08.774842024 CET4976518063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:08.774857998 CET4976718063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:16:08.774959087 CET4976618063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:16:08.775269032 CET4976818063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:10.774977922 CET4976618063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:16:10.775038958 CET4976518063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:10.775304079 CET4976818063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:10.775341034 CET4976718063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:16:13.291291952 CET4976918063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:13.293302059 CET4977018063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:16:13.306680918 CET4977118063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:13.307087898 CET4977218063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:16:14.306102037 CET4976918063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:14.306129932 CET4977218063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:16:14.306133986 CET4977018063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:16:14.306145906 CET4977118063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:16.321822882 CET4976918063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:16.321826935 CET4977218063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:16:16.321856976 CET4977018063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:16:16.321949005 CET4977118063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:18.822308064 CET4977318063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:18.822323084 CET4977418063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:16:18.837822914 CET4977518063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:16:18.837975979 CET4977618063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:19.821892023 CET4977418063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:16:19.822149992 CET4977318063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:19.837414980 CET4977518063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:16:19.837466955 CET4977618063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:21.821863890 CET4977318063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:21.821882963 CET4977418063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:16:21.837363005 CET4977518063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:16:21.837378025 CET4977618063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:24.353434086 CET4977818063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:16:24.353442907 CET4977918063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:24.369005919 CET4978018063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:16:24.369127989 CET4978118063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:25.353116989 CET4977918063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:25.353152037 CET4977818063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:16:25.368765116 CET4978018063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:16:25.368859053 CET4978118063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:27.353159904 CET4977918063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:27.353236914 CET4977818063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:16:27.384468079 CET4978118063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:27.384478092 CET4978018063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:16:29.884665012 CET4978218063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:16:29.884783983 CET4978318063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:29.885076046 CET4978418063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:16:29.885111094 CET4978518063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:30.496225119 CET1806349782176.65.142.252192.168.2.4
                                                                                Mar 20, 2025 03:16:30.496376038 CET4978218063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:16:30.497060061 CET1806349784176.65.142.252192.168.2.4
                                                                                Mar 20, 2025 03:16:30.497133017 CET4978418063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:16:30.497859001 CET4978218063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:16:30.497951984 CET4978418063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:16:30.900027037 CET4978518063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:30.900033951 CET4978318063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:31.114994049 CET1806349782176.65.142.252192.168.2.4
                                                                                Mar 20, 2025 03:16:31.115197897 CET4978218063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:16:31.603064060 CET4978418063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:16:32.228137016 CET4978218063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:16:32.661345005 CET1806349784176.65.142.252192.168.2.4
                                                                                Mar 20, 2025 03:16:32.661845922 CET1806349784176.65.142.252192.168.2.4
                                                                                Mar 20, 2025 03:16:32.661884069 CET1806349784176.65.142.252192.168.2.4
                                                                                Mar 20, 2025 03:16:32.661921978 CET1806349784176.65.142.252192.168.2.4
                                                                                Mar 20, 2025 03:16:32.661953926 CET1806349784176.65.142.252192.168.2.4
                                                                                Mar 20, 2025 03:16:32.661963940 CET4978418063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:16:32.662019968 CET4978418063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:16:32.662587881 CET1806349784176.65.142.252192.168.2.4
                                                                                Mar 20, 2025 03:16:32.712454081 CET4978418063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:16:32.844933987 CET1806349782176.65.142.252192.168.2.4
                                                                                Mar 20, 2025 03:16:32.915644884 CET4978318063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:32.915646076 CET4978518063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:34.733700037 CET1806349784176.65.142.252192.168.2.4
                                                                                Mar 20, 2025 03:16:34.735560894 CET4978418063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:16:35.415884972 CET4978618063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:35.416687012 CET4978718063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:36.415559053 CET4978618063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:36.431180954 CET4978718063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:38.431200981 CET4978618063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:38.431226969 CET4978718063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:40.947312117 CET4978818063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:40.947464943 CET4978918063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:41.962408066 CET4978818063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:41.962788105 CET4978918063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:43.962449074 CET4978818063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:43.962450981 CET4978918063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:46.463018894 CET4979018063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:46.463206053 CET4979118063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:47.478082895 CET4979018063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:47.480376959 CET4979118063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:47.857244015 CET1806349782176.65.142.252192.168.2.4
                                                                                Mar 20, 2025 03:16:47.857348919 CET4978218063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:16:49.493756056 CET4979018063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:49.493779898 CET4979118063192.168.2.458.9.110.23
                                                                                Mar 20, 2025 03:16:50.605289936 CET1806349784176.65.142.252192.168.2.4
                                                                                Mar 20, 2025 03:16:50.605362892 CET4978418063192.168.2.4176.65.142.252
                                                                                Mar 20, 2025 03:16:51.979130030 CET4979218063192.168.2.458.9.110.23
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 20, 2025 03:16:51.982989073 CET | 49793 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:16:52.993669987 CET | 49792 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:16:52.995366096 CET | 49793 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:16:54.993665934 CET | 49792 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:16:54.993750095 CET | 49793 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:16:57.525113106 CET | 49794 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:16:57.525440931 CET | 49795 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:16:58.540611029 CET | 49794 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:16:58.540621042 CET | 49795 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:00.540576935 CET | 49794 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:00.540699005 CET | 49795 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:03.057595015 CET | 49796 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:03.057790995 CET | 49797 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:03.501610994 CET | 18063 | 49782 | 176.65.142.252 | 192.168.2.4
Mar 20, 2025 03:17:03.501822948 CET | 49782 | 18063 | 192.168.2.4 | 176.65.142.252
Mar 20, 2025 03:17:04.056226015 CET | 49797 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:04.056322098 CET | 49796 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:06.056209087 CET | 49796 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:06.056248903 CET | 49797 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:06.254950047 CET | 18063 | 49784 | 176.65.142.252 | 192.168.2.4
Mar 20, 2025 03:17:06.255017042 CET | 49784 | 18063 | 192.168.2.4 | 176.65.142.252
Mar 20, 2025 03:17:08.572304010 CET | 49798 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:08.572511911 CET | 49799 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:09.571917057 CET | 49798 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:09.573499918 CET | 49799 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:11.571959019 CET | 49798 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:11.572066069 CET | 49799 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:14.087958097 CET | 49801 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:14.087975025 CET | 49800 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:15.087486982 CET | 49801 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:15.087568045 CET | 49800 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:17.087740898 CET | 49801 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:17.087745905 CET | 49800 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:18.508191109 CET | 18063 | 49782 | 176.65.142.252 | 192.168.2.4
Mar 20, 2025 03:17:18.508269072 CET | 49782 | 18063 | 192.168.2.4 | 176.65.142.252
Mar 20, 2025 03:17:19.620471001 CET | 49802 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:19.621346951 CET | 49803 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:20.634430885 CET | 49802 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:20.634481907 CET | 49803 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:21.332353115 CET | 18063 | 49784 | 176.65.142.252 | 192.168.2.4
Mar 20, 2025 03:17:21.332406998 CET | 49784 | 18063 | 192.168.2.4 | 176.65.142.252
Mar 20, 2025 03:17:22.634499073 CET | 49802 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:22.637392998 CET | 49803 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:25.150557041 CET | 49804 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:25.150854111 CET | 49805 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:26.165652037 CET | 49804 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:26.165666103 CET | 49805 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:28.165815115 CET | 49804 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:28.165915966 CET | 49805 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:30.666399956 CET | 49806 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:30.666743040 CET | 49807 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:31.681345940 CET | 49806 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:31.681350946 CET | 49807 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:33.696970940 CET | 49806 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:33.697201967 CET | 49807 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:34.156506062 CET | 18063 | 49782 | 176.65.142.252 | 192.168.2.4
Mar 20, 2025 03:17:34.156614065 CET | 49782 | 18063 | 192.168.2.4 | 176.65.142.252
Mar 20, 2025 03:17:36.181770086 CET | 49808 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:36.181974888 CET | 49809 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:36.973136902 CET | 18063 | 49784 | 176.65.142.252 | 192.168.2.4
Mar 20, 2025 03:17:36.973444939 CET | 49784 | 18063 | 192.168.2.4 | 176.65.142.252
Mar 20, 2025 03:17:37.199387074 CET | 49808 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:37.199409962 CET | 49809 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:39.212635994 CET | 49808 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:39.213450909 CET | 49809 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:41.712946892 CET | 49810 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:41.713037014 CET | 49811 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:42.712558985 CET | 49810 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:42.712615013 CET | 49811 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:44.712572098 CET | 49810 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:44.713454962 CET | 49811 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:47.229163885 CET | 49812 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:47.232671976 CET | 49813 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:48.228267908 CET | 49812 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:48.243932009 CET | 49813 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:49.804411888 CET | 18063 | 49782 | 176.65.142.252 | 192.168.2.4
Mar 20, 2025 03:17:49.804505110 CET | 49782 | 18063 | 192.168.2.4 | 176.65.142.252
Mar 20, 2025 03:17:50.228296041 CET | 49812 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:50.259547949 CET | 49813 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:52.589874983 CET | 18063 | 49784 | 176.65.142.252 | 192.168.2.4
Mar 20, 2025 03:17:52.590007067 CET | 49784 | 18063 | 192.168.2.4 | 176.65.142.252
Mar 20, 2025 03:17:52.759829998 CET | 49814 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:52.760004997 CET | 49815 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:53.775096893 CET | 49815 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:53.775182962 CET | 49814 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:55.775170088 CET | 49815 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:55.775244951 CET | 49814 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:58.276102066 CET | 49816 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:58.276465893 CET | 49817 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:59.290730000 CET | 49817 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:17:59.290813923 CET | 49816 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:18:01.306354046 CET | 49816 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:18:01.306369066 CET | 49817 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:18:03.806684017 CET | 49818 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:18:03.807090044 CET | 49819 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:18:04.822118998 CET | 49818 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:18:04.822237968 CET | 49819 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:18:05.420552015 CET | 18063 | 49782 | 176.65.142.252 | 192.168.2.4
Mar 20, 2025 03:18:05.421595097 CET | 49782 | 18063 | 192.168.2.4 | 176.65.142.252
Mar 20, 2025 03:18:06.837996960 CET | 49818 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:18:06.838077068 CET | 49819 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:18:08.239403963 CET | 18063 | 49784 | 176.65.142.252 | 192.168.2.4
Mar 20, 2025 03:18:08.239569902 CET | 49784 | 18063 | 192.168.2.4 | 176.65.142.252
Mar 20, 2025 03:18:09.338196039 CET | 49820 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:18:09.338383913 CET | 49821 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:18:10.337658882 CET | 49820 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:18:10.339520931 CET | 49821 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:18:12.337649107 CET | 49820 | 18063 | 192.168.2.4 | 58.9.110.23
Mar 20, 2025 03:18:12.337677956 CET | 49821 | 18063 | 192.168.2.4 | 58.9.110.23
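
The packet table above carries two different stories that are easy to miss when reading it row by row: every local port aimed at 58.9.110.23:18063 sends exactly three packets (at +0 s, +1 s and +3 s) and never receives anything back, with a fresh pair of ports opened roughly every 5.5 s, while 176.65.142.252:18063 answers on two long-lived local ports (49782, 49784) about every 15 s. The script below is an added example, not Joe Sandbox code: it splits the fused rows as they appear in the extracted page, using the analysis VM address 192.168.2.4 (read off the table; an assumption if reused on another report) to anchor the otherwise ambiguous port/IP boundaries, and then computes per-peer indicators. The "SYN retransmission" reading of the 1 s / 2 s spacing is an inference from the cadence, since the table shows no TCP flags; the sample rows are a subset copied from the table.

```python
"""Split the fused 'TCP Packets' rows of a Joe Sandbox report and summarise the
traffic per remote endpoint.  Added example; not code from Joe Sandbox."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

LOCAL_IP = "192.168.2.4"   # the analysis VM, read off the table above
IP_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")
ROW_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d+) "
                    r"[A-Z]+(?P<rest>[\d.]+)$")

# Rows copied from the table above, fused as the extracted page shows them:
# timestamp, src port, dst port, src IP, dst IP run together.
SAMPLE_ROWS = """
Mar 20, 2025 03:16:57.525113106 CET4979418063192.168.2.458.9.110.23
Mar 20, 2025 03:16:58.540611029 CET4979418063192.168.2.458.9.110.23
Mar 20, 2025 03:17:00.540576935 CET4979418063192.168.2.458.9.110.23
Mar 20, 2025 03:17:03.057595015 CET4979618063192.168.2.458.9.110.23
Mar 20, 2025 03:17:03.501610994 CET1806349782176.65.142.252192.168.2.4
Mar 20, 2025 03:17:03.501822948 CET4978218063192.168.2.4176.65.142.252
Mar 20, 2025 03:17:18.508191109 CET1806349782176.65.142.252192.168.2.4
Mar 20, 2025 03:17:18.508269072 CET4978218063192.168.2.4176.65.142.252
"""

def _valid_ip(s):
    return bool(IP_RE.fullmatch(s)) and all(o == "0" or (o[0] != "0" and int(o) <= 255) for o in s.split("."))

def _port_splits(digits):
    """Every way to cut a fused digit run into two ports in 1..65535."""
    return [(int(digits[:i]), int(digits[i:])) for i in range(1, len(digits))
            if digits[0] != "0" and digits[i] != "0"
            and int(digits[:i]) <= 65535 and int(digits[i:]) <= 65535]

def parse_row(row, local_ip=LOCAL_IP):
    """Return (seconds, src_port, dst_port, src_ip, dst_ip) for one fused row;
    the known local address anchors the split, anything still ambiguous is an error."""
    m = ROW_RE.match(row.strip())
    if not m:
        raise ValueError(f"not a TCP packet row: {row!r}")
    head, frac = m["ts"].split(".")
    t = (datetime.strptime(head, "%b %d, %Y %H:%M:%S")
         - datetime(1970, 1, 1)).total_seconds() + float("0." + frac)
    rest, parses = m["rest"], []
    for cut in range(1, len(rest)):
        ports, ips = rest[:cut], rest[cut:]
        if not ports.isdigit():
            break
        pairs = []
        if ips.startswith(local_ip) and _valid_ip(ips[len(local_ip):]):
            pairs.append((local_ip, ips[len(local_ip):]))      # outbound row
        if ips.endswith(local_ip) and _valid_ip(ips[:-len(local_ip)]):
            pairs.append((ips[:-len(local_ip)], local_ip))     # inbound row
        parses += [(t, sp, dp, s, d) for s, d in pairs for sp, dp in _port_splits(ports)]
    if len(parses) != 1:
        raise ValueError(f"{len(parses)} readings for {row!r}")
    return parses[0]

def _burst_gaps(times, gap):
    """Gaps between the first events of groups that follow each other within `gap` s."""
    starts, last = [], None
    for t in sorted(times):
        if last is None or t - last > gap:
            starts.append(t)
        last = t
    return [b - a for a, b in zip(starts, starts[1:])]

def _median(gaps):
    return round(statistics.median(gaps), 3) if gaps else None

def summarize(rows, local_ip=LOCAL_IP, gap=0.5):
    """Per (remote_ip, remote_port): packet counts, local ports whose unanswered packets
    are spaced ~1 s then ~2 s, median gap between new attempts, median gap between replies."""
    per_peer = defaultdict(lambda: defaultdict(list))   # peer -> local port -> [(t, dir)]
    for row in rows:
        t, sp, dp, sip, dip = parse_row(row, local_ip)
        if sip == local_ip:
            per_peer[(dip, dp)][sp].append((t, "out"))
        else:
            per_peer[(sip, sp)][dp].append((t, "in"))
    report = {}
    for peer, ports in per_peer.items():
        retry_like, attempts, reply_gaps, n_out, n_in = 0, [], [], 0, 0
        for seq in ports.values():
            seq.sort()
            outs = [t for t, d in seq if d == "out"]
            ins = [t for t, d in seq if d == "in"]
            n_out, n_in = n_out + len(outs), n_in + len(ins)
            d = [b - a for a, b in zip(outs, outs[1:])]
            # +1 s, +2 s, never answered: Windows' default SYN retransmit cadence (inference; no flags in the table)
            if not ins and len(d) == 2 and abs(d[0] - 1) < 0.3 and abs(d[1] - 2) < 0.3:
                retry_like += 1
            if seq[0][1] == "out":       # port first seen sending: a new connection attempt
                attempts.append(seq[0][0])
            reply_gaps += [b - a for a, b in zip(ins, ins[1:])]
        report[peer] = {"out": n_out, "in": n_in, "retry_like_ports": retry_like,
                        "attempt_interval": _median(_burst_gaps(attempts, gap)),
                        "reply_interval": _median(reply_gaps)}
    return report
```

Running `summarize(SAMPLE_ROWS.strip().splitlines())` reports 58.9.110.23:18063 with four packets out, none in, one local port showing the retry cadence and a 5.532 s gap between attempts, and 176.65.142.252:18063 with two packets each way and a 15.007 s gap between replies. Fed the whole table, the same function gives the ~5.5 s attempt cadence and ~15.6 s reply cadence that the 109 rows above only show after counting by hand; `parse_row` refuses any row for which the fused columns admit more than one reading rather than guessing.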
Target ID: 0
Start time: 22:15:05
Start date: 19/03/2025
Path: C:\Users\user\Desktop\raw_cbot.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\raw_cbot.exe"
Imagebase: 0x7ff6bd080000
File size: 61'952 bytes
MD5 hash: 9EF7EDFA24458412DD4667023FD8466B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

Target ID: 1
Start time: 22:15:06
Start date: 19/03/2025
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase: 0x7ff6ca680000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 22:15:12
Start date: 19/03/2025
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase: 0x7ff6ca680000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 22:15:12
Start date: 19/03/2025
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Imagebase: 0x7ff6ca680000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 5
Start time: 22:15:12
Start date: 19/03/2025
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Imagebase: 0x7ff6ca680000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 6
Start time: 22:15:13
Start date: 19/03/2025
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Imagebase: 0x7ff6ca680000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 7
Start time: 22:15:16
Start date: 19/03/2025
Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
Imagebase: 0x7ff69ed60000
File size: 61'952 bytes
MD5 hash: 9EF7EDFA24458412DD4667023FD8466B
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

Target ID: 9
Start time: 22:16:13
Start date: 19/03/2025
Path: C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase: 0x7ff6fb6e0000
File size: 468'120 bytes
MD5 hash: B3676839B2EE96983F9ED735CD044159
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 10
Start time: 22:16:13
Start date: 19/03/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff62fc20000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true
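
The process list makes the persistence mechanism visible without any disassembly: Target 7 is a file named svchost.exe with the submitted sample's MD5 (9EF7EDFA24458412DD4667023FD8466B, 61'952 bytes) running unprivileged from the user's Start Menu Startup folder, while the real svchost.exe (B7F884C1B74A263F746EE12A5F7C9F6A) runs from C:\Windows\System32. The triage routine below is an added example, not Joe Sandbox code: it parses the report's fused "Key:value" blocks and applies three checks that turn that observation into a repeatable rule. The set of "system binary names" is learned from the report itself (every image that actually ran from System32 or SysWOW64), so no external allow-list is assumed; the sample blocks are four of the processes above with the fields the checks do not use left out.

```python
"""Triage a sandbox report's process list: flag an image that carries the name of
a binary seen under the Windows system directories but runs from elsewhere, images
started from a Startup folder, and on-disk copies of the submitted sample.
Added example; not code from Joe Sandbox."""
import ntpath
import re

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
STARTUP_MARK = r"\start menu\programs\startup"

# Four of the process blocks above, copied in the fused 'Key:value' form of the
# extracted page; fields the checks do not need are left out.
SAMPLE_PROCESSES = r"""
Target ID:0
Path:C:\Users\user\Desktop\raw_cbot.exe
MD5 hash:9EF7EDFA24458412DD4667023FD8466B

Target ID:1
Path:C:\Windows\System32\svchost.exe
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A

Target ID:7
Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
MD5 hash:9EF7EDFA24458412DD4667023FD8466B

Target ID:9
Path:C:\Program Files\Windows Defender\MpCmdRun.exe
MD5 hash:B3676839B2EE96983F9ED735CD044159
"""

def parse_processes(text):
    """Split 'Key:value' blocks separated by blank lines into one dict per process."""
    procs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")   # first colon only: paths contain 'C:'
            entry[key.strip()] = value.strip()
        procs.append(entry)
    return procs

def _in_system_dir(path):
    return ntpath.dirname(path).lower() in SYSTEM_DIRS

def triage(procs, submitted_path):
    """Return {target_id: [finding, ...]} for every process in `procs`."""
    sample_md5 = next(p["MD5 hash"].upper() for p in procs
                      if p["Path"].lower() == submitted_path.lower())
    # Image names that really ran from a system directory in this same report.
    system_names = {ntpath.basename(p["Path"]).lower()
                    for p in procs if _in_system_dir(p["Path"])}
    findings = {}
    for p in procs:
        path, hits = p["Path"], []
        if ntpath.basename(path).lower() in system_names and not _in_system_dir(path):
            hits.append("system binary name outside the system directories")
        if STARTUP_MARK in path.lower():
            hits.append("launched from a Startup folder")
        if p["MD5 hash"].upper() == sample_md5 and path.lower() != submitted_path.lower():
            hits.append("copy of the submitted sample (same MD5, different path)")
        findings[int(p["Target ID"])] = hits
    return findings
```

`triage(parse_processes(SAMPLE_PROCESSES), r"C:\Users\user\Desktop\raw_cbot.exe")` returns an empty list for Targets 0, 1 and 9 and all three findings for Target 7. Learning the system names from the same report keeps the rule honest on hosts where an unusual service binary is legitimately present, at the cost of missing a lookalike whose genuine counterpart never ran during the analysis; for production use, the set would be seeded from a golden image instead.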

                                                                                No disassembly