Windows Analysis Report
TLH3anP3lh.exe

Overview

General Information

Sample name: TLH3anP3lh.exe (renamed because the original name is a hash value)
Original sample name: 5a6e0971a54847d4cecc16bf7fa44bca.exe
Analysis ID: 1537294
MD5: 5a6e0971a54847d4cecc16bf7fa44bca
SHA1: b0b5d4f2cfe7a64addb17796ba41353c57a57f91
SHA256: b44b1273d8b923127c0f5279cb143abf156cda0b03d083f8424c54ec4bbb7223
Tags: exe, njrat, RAT, user-abuse_ch

Detection

Njrat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Njrat
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Connects to many ports of the same IP (likely port scanning)
Contains functionality to log keystrokes (.Net Source)
Disables zone checking for all users
Machine Learning detection for dropped file
Machine Learning detection for sample
Self deletion via cmd or bat file
Sets debug register (to hijack the execution of another thread)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • TLH3anP3lh.exe (PID: 6692 cmdline: "C:\Users\user\Desktop\TLH3anP3lh.exe" MD5: 5A6E0971A54847D4CECC16BF7FA44BCA)
    • yzbekt.exe (PID: 6972 cmdline: "C:\Users\user\AppData\Roaming\yzbekt.exe" MD5: 5A6E0971A54847D4CECC16BF7FA44BCA)
    • cmd.exe (PID: 7056 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\user\Desktop\TLH3anP3lh.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • choice.exe (PID: 7148 cmdline: choice /C Y /N /D Y /T 5 MD5: 1A9804F0C374283B094E9E55DC5EE128)
  • yzbekt.exe (PID: 5040 cmdline: "C:\Users\user\AppData\Roaming\yzbekt.exe" .. MD5: 5A6E0971A54847D4CECC16BF7FA44BCA)
  • yzbekt.exe (PID: 7092 cmdline: "C:\Users\user\AppData\Roaming\yzbekt.exe" .. MD5: 5A6E0971A54847D4CECC16BF7FA44BCA)
  • yzbekt.exe (PID: 2828 cmdline: "C:\Users\user\AppData\Roaming\yzbekt.exe" .. MD5: 5A6E0971A54847D4CECC16BF7FA44BCA)
  • cleanup
Name: NjRAT
Description: RedPacket Security describes NJRat as "a remote access trojan (RAT) that has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives." It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.
Attribution:
  • AQUATIC PANDA
  • Earth Lusca
  • Operation C-Major
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat
{"Host": "0.tcp.eu.ngrok.io", "Port": "14026", "Campaign ID": "uzbek", "Version": "Platinum", "Network Seprator": "|Ghost|"}
Source | Rule | Description | Author (matched strings are listed beneath each row)
00000000.00000002.1739788707.0000000000B90000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
00000000.00000002.1739788707.0000000000B90000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
00000000.00000002.1739788707.0000000000B90000.00000004.08000000.00040000.00000000.sdmp | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
  • 0xb7ff:$a1: get_Registry
  • 0xeb1e:$a2: SEE_MASK_NOZONECHECKS
  • 0xe8ec:$a3: Download ERROR
  • 0xec76:$a4: cmd.exe /c ping 0 -n 2 & del "
00000000.00000002.1739788707.0000000000B90000.00000004.08000000.00040000.00000000.sdmp | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0xec76:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0xdf04:$s1: winmgmts:\\.\root\SecurityCenter2
  • 0xe90e:$s3: Executed As
  • 0xe8ec:$s6: Download ERROR
  • 0xe56a:$s7: shutdown -r -t 00
  • 0xdec6:$s8: Select * From AntiVirusProduct
00000000.00000002.1739788707.0000000000B90000.00000004.08000000.00040000.00000000.sdmp | Unknown_Malware_Sample_Jul17_2 | Detects unknown malware sample with pastebin RAW URL | Florian Roth
  • 0xf3a2:$s1: 4System.Web.Services.Protocols.SoapHttpClientProtocol
  • 0xdb86:$s2: https://pastebin.com/raw/
  • 0xf8da:$s3: My.Computer
  • 0xf37c:$s4: MyTemplate
Source | Rule | Description | Author (matched strings are listed beneath each row)
0.2.TLH3anP3lh.exe.b90000.1.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
0.2.TLH3anP3lh.exe.b90000.1.unpack | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
  • 0x99ff:$a1: get_Registry
  • 0xcd1e:$a2: SEE_MASK_NOZONECHECKS
  • 0xcaec:$a3: Download ERROR
  • 0xce76:$a4: cmd.exe /c ping 0 -n 2 & del "
0.2.TLH3anP3lh.exe.b90000.1.unpack | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0xce76:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0xc104:$s1: winmgmts:\\.\root\SecurityCenter2
  • 0xcb0e:$s3: Executed As
  • 0xcaec:$s6: Download ERROR
  • 0xc76a:$s7: shutdown -r -t 00
  • 0xc0c6:$s8: Select * From AntiVirusProduct
0.2.TLH3anP3lh.exe.b90000.1.unpack | Unknown_Malware_Sample_Jul17_2 | Detects unknown malware sample with pastebin RAW URL | Florian Roth
  • 0xd5a2:$s1: 4System.Web.Services.Protocols.SoapHttpClientProtocol
  • 0xbd86:$s2: https://pastebin.com/raw/
  • 0xdada:$s3: My.Computer
  • 0xd57c:$s4: MyTemplate
0.2.TLH3anP3lh.exe.b90000.1.unpack | njrat1 | Identify njRat | Brian Wallace @botnet_hunter
  • 0xcd1e:$a2: SEE_MASK_NOZONECHECKS
  • 0xcefe:$b1: [TAP]
  • 0xce76:$c3: cmd.exe /c ping

System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\Users\user\AppData\Roaming\yzbekt.exe" .., EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\yzbekt.exe, ProcessId: 6972, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yzbekt.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-18T19:07:15.744364+0200 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:18.679168+0200 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49733 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:21.781707+0200 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:24.845118+0200 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:27.921400+0200 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49736 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:31.050883+0200 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49737 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:34.011423+0200 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49739 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:37.400162+0200 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:40.454339+0200 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:43.505638+0200 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:46.550476+0200 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49743 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:49.607335+0200 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49744 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:52.651052+0200 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49745 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:55.701024+0200 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49746 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:58.770135+0200 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49748 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:08:01.814114+0200 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49764 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:08:05.186838+0200 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49782 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:08:07.837873+0200 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49798 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:08:10.701151+0200 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49815 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:08:13.398899+0200 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49831 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:08:15.968821+0200 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49846 | 3.74.27.83 | 14026 | TCP
2024-10-18T19:08:18.495940+0200 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49860 | 3.74.27.83 | 14026 | TCP
2024-10-18T19:08:20.935953+0200 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49872 | 3.74.27.83 | 14026 | TCP
2024-10-18T19:08:23.449524+0200 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49884 | 3.74.27.83 | 14026 | TCP
2024-10-18T19:08:26.936141+0200 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49890 | 3.74.27.83 | 14026 | TCP
2024-10-18T19:08:30.129957+0200 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49903 | 3.74.27.83 | 14026 | TCP
2024-10-18T19:08:37.277397+0200 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49920 | 3.74.27.83 | 14026 | TCP
2024-10-18T19:08:42.628762+0200 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49944 | 3.74.27.83 | 14026 | TCP
2024-10-18T19:08:49.256579+0200 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49974 | 3.74.27.83 | 14026 | TCP
2024-10-18T19:08:55.922848+0200 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50006 | 3.74.27.83 | 14026 | TCP
2024-10-18T19:09:08.267830+0200 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50031 | 3.74.27.83 | 14026 | TCP
2024-10-18T19:09:15.429435+0200 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50032 | 3.74.27.83 | 14026 | TCP
2024-10-18T19:09:21.357326+0200 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50033 | 18.153.198.123 | 14026 | TCP
2024-10-18T19:09:27.367668+0200 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50034 | 18.153.198.123 | 14026 | TCP
2024-10-18T19:09:32.994369+0200 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50035 | 18.153.198.123 | 14026 | TCP
2024-10-18T19:09:41.702877+0200 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50036 | 18.153.198.123 | 14026 | TCP
2024-10-18T19:09:47.329293+0200 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50037 | 18.153.198.123 | 14026 | TCP
2024-10-18T19:10:09.807940+0200 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50038 | 18.153.198.123 | 14026 | TCP
2024-10-18T19:10:17.733037+0200 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50039 | 18.153.198.123 | 14026 | TCP
2024-10-18T19:10:25.842887+0200 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50040 | 3.78.28.71 | 14026 | TCP
2024-10-18T19:10:32.950415+0200 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50041 | 3.78.28.71 | 14026 | TCP
2024-10-18T19:10:41.284057+0200 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50042 | 3.78.28.71 | 14026 | TCP
2024-10-18T19:10:57.043735+0200 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50043 | 3.78.28.71 | 14026 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-18T19:07:15.744364+0200 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:18.679168+0200 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49733 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:21.781707+0200 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:24.845118+0200 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:27.921400+0200 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49736 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:31.050883+0200 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49737 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:34.011423+0200 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49739 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:37.400162+0200 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:40.454339+0200 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:43.505638+0200 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:46.550476+0200 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49743 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:49.607335+0200 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49744 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:52.651052+0200 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49745 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:55.701024+0200 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49746 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:58.770135+0200 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49748 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:08:01.814114+0200 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49764 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:08:05.186838+0200 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49782 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:08:07.837873+0200 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49798 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:08:10.701151+0200 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49815 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:08:13.398899+0200 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49831 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:08:15.968821+0200 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49846 | 3.74.27.83 | 14026 | TCP
2024-10-18T19:08:18.495940+0200 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49860 | 3.74.27.83 | 14026 | TCP
2024-10-18T19:08:20.935953+0200 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49872 | 3.74.27.83 | 14026 | TCP
2024-10-18T19:08:23.449524+0200 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49884 | 3.74.27.83 | 14026 | TCP
2024-10-18T19:08:26.936141+0200 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49890 | 3.74.27.83 | 14026 | TCP
2024-10-18T19:08:30.129957+0200 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49903 | 3.74.27.83 | 14026 | TCP
2024-10-18T19:08:37.277397+0200 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49920 | 3.74.27.83 | 14026 | TCP
2024-10-18T19:08:42.628762+0200 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49944 | 3.74.27.83 | 14026 | TCP
2024-10-18T19:08:49.256579+0200 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49974 | 3.74.27.83 | 14026 | TCP
2024-10-18T19:08:55.922848+0200 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50006 | 3.74.27.83 | 14026 | TCP
2024-10-18T19:09:08.267830+0200 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50031 | 3.74.27.83 | 14026 | TCP
2024-10-18T19:09:15.429435+0200 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50032 | 3.74.27.83 | 14026 | TCP
2024-10-18T19:09:21.357326+0200 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50033 | 18.153.198.123 | 14026 | TCP
2024-10-18T19:09:27.367668+0200 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50034 | 18.153.198.123 | 14026 | TCP
2024-10-18T19:09:32.994369+0200 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50035 | 18.153.198.123 | 14026 | TCP
2024-10-18T19:09:41.702877+0200 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50036 | 18.153.198.123 | 14026 | TCP
2024-10-18T19:09:47.329293+0200 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50037 | 18.153.198.123 | 14026 | TCP
2024-10-18T19:10:09.807940+0200 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50038 | 18.153.198.123 | 14026 | TCP
2024-10-18T19:10:17.733037+0200 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50039 | 18.153.198.123 | 14026 | TCP
2024-10-18T19:10:25.842887+0200 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50040 | 3.78.28.71 | 14026 | TCP
2024-10-18T19:10:32.950415+0200 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50041 | 3.78.28.71 | 14026 | TCP
2024-10-18T19:10:41.284057+0200 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50042 | 3.78.28.71 | 14026 | TCP
2024-10-18T19:10:57.043735+0200 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50043 | 3.78.28.71 | 14026 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-18T19:07:37.969172+0200 | 2825564 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:53.192086+0200 | 2825564 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49745 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:08:08.439469+0200 | 2825564 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49798 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:08:14.088436+0200 | 2825564 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49831 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:08:18.633871+0200 | 2825564 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49860 | 3.74.27.83 | 14026 | TCP
2024-10-18T19:08:18.750385+0200 | 2825564 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49860 | 3.74.27.83 | 14026 | TCP
2024-10-18T19:08:19.159261+0200 | 2825564 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49860 | 3.74.27.83 | 14026 | TCP
2024-10-18T19:08:19.164622+0200 | 2825564 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49860 | 3.74.27.83 | 14026 | TCP
2024-10-18T19:08:19.301702+0200 | 2825564 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49860 | 3.74.27.83 | 14026 | TCP
2024-10-18T19:08:19.306975+0200 | 2825564 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49860 | 3.74.27.83 | 14026 | TCP
2024-10-18T19:08:19.352448+0200 | 2825564 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49860 | 3.74.27.83 | 14026 | TCP
2024-10-18T19:08:19.357361+0200 | 2825564 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49860 | 3.74.27.83 | 14026 | TCP
2024-10-18T19:08:19.398500+0200 | 2825564 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49860 | 3.74.27.83 | 14026 | TCP
2024-10-18T19:08:19.404545+0200 | 2825564 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49860 | 3.74.27.83 | 14026 | TCP
2024-10-18T19:08:19.440364+0200 | 2825564 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49860 | 3.74.27.83 | 14026 | TCP
2024-10-18T19:08:19.445259+0200 | 2825564 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49860 | 3.74.27.83 | 14026 | TCP
2024-10-18T19:08:21.060831+0200 | 2825564 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49872 | 3.74.27.83 | 14026 | TCP
2024-10-18T19:08:23.607647+0200 | 2825564 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49884 | 3.74.27.83 | 14026 | TCP
2024-10-18T19:08:23.617149+0200 | 2825564 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49884 | 3.74.27.83 | 14026 | TCP
2024-10-18T19:10:09.817843+0200 | 2825564 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50038 | 18.153.198.123 | 14026 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-18T19:07:15.749369+0200 | 2825563 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:18.684543+0200 | 2825563 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49733 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:21.786741+0200 | 2825563 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:24.850250+0200 | 2825563 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:27.926515+0200 | 2825563 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49736 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:31.055901+0200 | 2825563 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49737 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:34.016850+0200 | 2825563 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49739 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:37.405237+0200 | 2825563 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:40.459218+0200 | 2825563 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:43.510768+0200 | 2825563 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:46.555706+0200 | 2825563 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49743 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:49.612369+0200 | 2825563 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49744 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:52.656003+0200 | 2825563 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49745 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:55.705935+0200 | 2825563 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49746 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:58.775105+0200 | 2825563 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49748 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:08:01.819025+0200 | 2825563 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49764 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:08:05.191628+0200 | 2825563 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49782 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:08:07.843288+0200 | 2825563 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49798 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:08:10.706356+0200 | 2825563 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49815 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:08:13.403861+0200 | 2825563 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49831 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:08:49.261642+0200 | 2825563 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49974 | 3.74.27.83 | 14026 | TCP
2024-10-18T19:08:55.927892+0200 | 2825563 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50006 | 3.74.27.83 | 14026 | TCP
2024-10-18T19:09:08.273002+0200 | 2825563 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50031 | 3.74.27.83 | 14026 | TCP
2024-10-18T19:09:15.434594+0200 | 2825563 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50032 | 3.74.27.83 | 14026 | TCP
2024-10-18T19:09:21.362846+0200 | 2825563 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50033 | 18.153.198.123 | 14026 | TCP
2024-10-18T19:09:27.375605+0200 | 2825563 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50034 | 18.153.198.123 | 14026 | TCP
2024-10-18T19:09:32.999574+0200 | 2825563 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50035 | 18.153.198.123 | 14026 | TCP
2024-10-18T19:09:47.334487+0200 | 2825563 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50037 | 18.153.198.123 | 14026 | TCP
2024-10-18T19:10:09.812930+0200 | 2825563 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50038 | 18.153.198.123 | 14026 | TCP
2024-10-18T19:10:17.740089+0200 | 2825563 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50039 | 18.153.198.123 | 14026 | TCP
2024-10-18T19:10:32.955336+0200 | 2825563 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50041 | 3.78.28.71 | 14026 | TCP
2024-10-18T19:10:57.048777+0200 | 2825563 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50043 | 3.78.28.71 | 14026 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-18T19:07:15.749369+0200 | 2838486 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:18.684543+0200 | 2838486 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49733 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:21.786741+0200 | 2838486 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:24.850250+0200 | 2838486 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:27.926515+0200 | 2838486 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49736 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:31.055901+0200 | 2838486 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49737 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:34.016850+0200 | 2838486 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49739 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:37.405237+0200 | 2838486 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:40.459218+0200 | 2838486 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:43.510768+0200 | 2838486 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:46.555706+0200 | 2838486 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49743 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:49.612369+0200 | 2838486 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49744 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:52.656003+0200 | 2838486 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49745 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:55.705935+0200 | 2838486 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49746 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:07:58.775105+0200 | 2838486 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49748 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:08:01.819025+0200 | 2838486 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49764 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:08:05.191628+0200 | 2838486 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49782 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:08:07.843288+0200 | 2838486 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49798 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:08:10.706356+0200 | 2838486 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49815 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:08:13.403861+0200 | 2838486 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49831 | 52.57.120.10 | 14026 | TCP
2024-10-18T19:08:20.941125+0200 | 2838486 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49872 | 3.74.27.83 | 14026 | TCP
2024-10-18T19:08:42.633922+0200 | 2838486 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49944 | 3.74.27.83 | 14026 | TCP
2024-10-18T19:08:49.261642+0200 | 2838486 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49974 | 3.74.27.83 | 14026 | TCP
2024-10-18T19:08:55.927892+0200 | 2838486 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50006 | 3.74.27.83 | 14026 | TCP
2024-10-18T19:09:08.273002+0200 | 2838486 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50031 | 3.74.27.83 | 14026 | TCP
2024-10-18T19:09:15.434594+0200 | 2838486 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50032 | 3.74.27.83 | 14026 | TCP
2024-10-18T19:09:21.362846+0200 | 2838486 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50033 | 18.153.198.123 | 14026 | TCP
2024-10-18T19:09:27.375605+0200 | 2838486 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50034 | 18.153.198.123 | 14026 | TCP
2024-10-18T19:09:32.999574+0200 | 2838486 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50035 | 18.153.198.123 | 14026 | TCP
2024-10-18T19:09:47.334487+0200 | 2838486 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50037 | 18.153.198.123 | 14026 | TCP
2024-10-18T19:10:09.812930+0200 | 2838486 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50038 | 18.153.198.123 | 14026 | TCP
2024-10-18T19:10:17.740089+0200 | 2838486 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50039 | 18.153.198.123 | 14026 | TCP
2024-10-18T19:10:32.955336+0200 | 2838486 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50041 | 3.78.28.71 | 14026 | TCP
2024-10-18T19:10:41.289043+0200 | 2838486 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50042 | 3.78.28.71 | 14026 | TCP
2024-10-18T19:10:57.048777+0200 | 2838486 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50043 | 3.78.28.71 | 14026 | TCP


AV Detection

Source: TLH3anP3lh.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\yzbekt.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: 0.2.TLH3anP3lh.exe.b90000.1.raw.unpack | Malware Configuration Extractor: Njrat {"Host": "0.tcp.eu.ngrok.io", "Port": "14026", "Campaign ID": "uzbek", "Version": "Platinum", "Network Seprator": "|Ghost|"}
Source: C:\Users\user\AppData\Roaming\yzbekt.exe | ReversingLabs: Detection: 76%
Source: TLH3anP3lh.exe | ReversingLabs: Detection: 76%
Source: Yara match | File source: 0.2.TLH3anP3lh.exe.b90000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.TLH3anP3lh.exe.b90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1739788707.0000000000B90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1740537753.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1954529546.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4129498882.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: TLH3anP3lh.exe PID: 6692, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: yzbekt.exe PID: 6972, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: yzbekt.exe PID: 5040, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\yzbekt.exe | Joe Sandbox ML: detected
Source: TLH3anP3lh.exe | Joe Sandbox ML: detected
Source: TLH3anP3lh.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\TLH3anP3lh.exe | File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_88e266cb2fac7c0d\MSVCR80.dll
Source: TLH3anP3lh.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

        Networking

        Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49734 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49737 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49741 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49737 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49748 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49748 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49736 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49742 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49742 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2825563 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf) : 192.168.2.4:49737 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.4:49737 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49730 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2825563 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf) : 192.168.2.4:49742 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49730 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.4:49742 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49741 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49736 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49745 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49744 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49744 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49733 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49734 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49733 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2825563 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf) : 192.168.2.4:49733 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.4:49733 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2825563 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf) : 192.168.2.4:49734 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.4:49734 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49739 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49798 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49739 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49798 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49740 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2825563 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf) : 192.168.2.4:49739 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2825563 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf) : 192.168.2.4:49798 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.4:49739 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2825563 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf) : 192.168.2.4:49736 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.4:49736 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2825563 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf) : 192.168.2.4:49744 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.4:49744 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2825563 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf) : 192.168.2.4:49741 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49735 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49735 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49746 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49746 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49740 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2825563 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf) : 192.168.2.4:49735 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.4:49735 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.4:49798 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49745 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2825563 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf) : 192.168.2.4:49740 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2825563 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf) : 192.168.2.4:49746 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.4:49746 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.4:49741 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2825563 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf) : 192.168.2.4:49730 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2825563 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf) : 192.168.2.4:49745 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.4:49798 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.4:49730 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49782 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49782 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.4:49740 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2825563 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf) : 192.168.2.4:49748 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49815 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.4:49748 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49815 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.4:49740 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2825563 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf) : 192.168.2.4:49782 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.4:49745 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2825563 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf) : 192.168.2.4:49815 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49743 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49743 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49764 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49764 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.4:49815 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.4:49745 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2825563 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf) : 192.168.2.4:49743 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.4:49743 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2825563 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf) : 192.168.2.4:49764 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.4:49782 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49846 -> 3.74.27.83:14026
        Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49846 -> 3.74.27.83:14026
        Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49860 -> 3.74.27.83:14026
        Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49860 -> 3.74.27.83:14026
        Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49884 -> 3.74.27.83:14026
        Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49884 -> 3.74.27.83:14026
        Source: Network traffic | Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.4:49764 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49872 -> 3.74.27.83:14026
        Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49872 -> 3.74.27.83:14026
        Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49890 -> 3.74.27.83:14026
        Source: Network traffic | Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.4:49884 -> 3.74.27.83:14026
        Source: Network traffic | Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.4:49872 -> 3.74.27.83:14026
        Source: Network traffic | Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.4:49872 -> 3.74.27.83:14026
        Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49890 -> 3.74.27.83:14026
        Source: Network traffic | Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.4:49860 -> 3.74.27.83:14026
        Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49903 -> 3.74.27.83:14026
        Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49920 -> 3.74.27.83:14026
        Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49831 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49831 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2825563 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf) : 192.168.2.4:49831 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49944 -> 3.74.27.83:14026
        Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49944 -> 3.74.27.83:14026
        Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50031 -> 3.74.27.83:14026
        Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50031 -> 3.74.27.83:14026
        Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49903 -> 3.74.27.83:14026
        Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50035 -> 18.153.198.123:14026
        Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50036 -> 18.153.198.123:14026
        Source: Network traffic | Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.4:49831 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49920 -> 3.74.27.83:14026
        Source: Network traffic | Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.4:49831 -> 52.57.120.10:14026
        Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50032 -> 3.74.27.83:14026
        Source: Network traffic | Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.4:49944 -> 3.74.27.83:14026
        Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50032 -> 3.74.27.83:14026
        Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50035 -> 18.153.198.123:14026
        Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50036 -> 18.153.198.123:14026
        Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50038 -> 18.153.198.123:14026
        Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50037 -> 18.153.198.123:14026
        Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50037 -> 18.153.198.123:14026
        Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50041 -> 3.78.28.71:14026
        Source: Network traffic | Suricata IDS: 2825563 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf) : 192.168.2.4:50037 -> 18.153.198.123:14026
        Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50041 -> 3.78.28.71:14026
        Source: Network traffic | Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.4:50037 -> 18.153.198.123:14026
        Source: Network traffic | Suricata IDS: 2825563 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf) : 192.168.2.4:50041 -> 3.78.28.71:14026
        Source: Network traffic | Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.4:50041 -> 3.78.28.71:14026
        Source: Network traffic | Suricata IDS: 2825563 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf) : 192.168.2.4:50035 -> 18.153.198.123:14026
        Source: Network traffic | Suricata IDS: 2825563 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf) : 192.168.2.4:50031 -> 3.74.27.83:14026
        Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50038 -> 18.153.198.123:14026
        Source: Network traffic | Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.4:50031 -> 3.74.27.83:14026
        Source: Network traffic | Suricata IDS: 2825563 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf) : 192.168.2.4:50038 -> 18.153.198.123:14026
        Source: Network traffic | Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.4:50038 -> 18.153.198.123:14026
        Source: Network traffic | Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.4:50035 -> 18.153.198.123:14026
        Source: Network traffic | Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.4:50038 -> 18.153.198.123:14026
        Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50043 -> 3.78.28.71:14026
        Source: Network traffic | Suricata IDS: 2825563 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf) : 192.168.2.4:50032 -> 3.74.27.83:14026
        Source: Network traffic | Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.4:50032 -> 3.74.27.83:14026
        Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50043 -> 3.78.28.71:14026
        Source: Network traffic | Suricata IDS: 2825563 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf) : 192.168.2.4:50043 -> 3.78.28.71:14026
        Source: Network traffic | Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.4:50043 -> 3.78.28.71:14026
        Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50042 -> 3.78.28.71:14026
        Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50042 -> 3.78.28.71:14026
        Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50033 -> 18.153.198.123:14026
        Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50033 -> 18.153.198.123:14026
        Source: Network traffic | Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.4:50042 -> 3.78.28.71:14026
        Source: Network traffic | Suricata IDS: 2825563 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf) : 192.168.2.4:50033 -> 18.153.198.123:14026
        Source: Network traffic | Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.4:50033 -> 18.153.198.123:14026
        Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50040 -> 3.78.28.71:14026
        Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50034 -> 18.153.198.123:14026
        Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50040 -> 3.78.28.71:14026
        Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50039 -> 18.153.198.123:14026
        Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50039 -> 18.153.198.123:14026
        Source: Network traffic | Suricata IDS: 2825563 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf) : 192.168.2.4:50039 -> 18.153.198.123:14026
        Source: Network traffic | Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.4:50039 -> 18.153.198.123:14026
        Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50034 -> 18.153.198.123:14026
        Source: Network traffic | Suricata IDS: 2825563 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf) : 192.168.2.4:50034 -> 18.153.198.123:14026
        Source: Network traffic | Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.4:50034 -> 18.153.198.123:14026
        Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49974 -> 3.74.27.83:14026
        Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49974 -> 3.74.27.83:14026
        Source: Network traffic | Suricata IDS: 2825563 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf) : 192.168.2.4:49974 -> 3.74.27.83:14026
        Source: Network traffic | Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.4:49974 -> 3.74.27.83:14026
        Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50006 -> 3.74.27.83:14026
        Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50006 -> 3.74.27.83:14026
        Source: Network traffic | Suricata IDS: 2825563 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf) : 192.168.2.4:50006 -> 3.74.27.83:14026
        Source: Network traffic | Suricata IDS: 2838486 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf) : 192.168.2.4:50006 -> 3.74.27.83:14026
        Source: global traffic | TCP traffic: 3.74.27.83 ports 0,1,2,4,6,14026
        Source: global traffic | TCP traffic: 3.78.28.71 ports 0,1,2,4,6,14026
        Source: global traffic | TCP traffic: 18.153.198.123 ports 0,1,2,4,6,14026
        Source: global traffic | TCP traffic: 52.57.120.10 ports 0,1,2,4,6,14026
        Source: Yara match | File source: 0.2.TLH3anP3lh.exe.b90000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000000.00000002.1739788707.0000000000B90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
        Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 52.57.120.10:14026
        Source: global traffic | TCP traffic: 192.168.2.4:49846 -> 3.74.27.83:14026
        Source: global traffic | TCP traffic: 192.168.2.4:50033 -> 18.153.198.123:14026
        Source: global traffic | TCP traffic: 192.168.2.4:50040 -> 3.78.28.71:14026
        Source: Joe Sandbox View | ASN Name: AMAZON-02US AMAZON-02US
        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: global traffic | DNS traffic detected: DNS query: 0.tcp.eu.ngrok.io
        Source: TLH3anP3lh.exe, 00000000.00000002.1740537753.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, yzbekt.exe, 00000001.00000002.4129498882.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, yzbekt.exe, 00000008.00000002.1954529546.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, yzbekt.exe, 00000009.00000002.2037160604.0000000002B2F000.00000004.00000800.00020000.00000000.sdmp, yzbekt.exe, 0000000A.00000002.2117807016.0000000002A0F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/EngADTbC
        Source: TLH3anP3lh.exe, 00000000.00000002.1739788707.0000000000B90000.00000004.08000000.00040000.00000000.sdmp, TLH3anP3lh.exe, 00000000.00000002.1740537753.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, yzbekt.exe, 00000001.00000002.4129498882.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, yzbekt.exe, 00000008.00000002.1954529546.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/EngADTbC=MicrosoftEdgeUpdateTaskMachine

        Key, Mouse, Clipboard, Microphone and Screen Capturing

        Source: 0.2.TLH3anP3lh.exe.b90000.1.raw.unpack, Form1.cs | .Net Code: SetHook
        Source: 0.2.TLH3anP3lh.exe.b90000.1.raw.unpack, kl.cs | .Net Code: VKCodeToUnicode

        E-Banking Fraud

        Source: Yara match | File source: 0.2.TLH3anP3lh.exe.b90000.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.TLH3anP3lh.exe.b90000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000000.00000002.1739788707.0000000000B90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.1740537753.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000002.1954529546.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000002.4129498882.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: TLH3anP3lh.exe PID: 6692, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: yzbekt.exe PID: 6972, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: yzbekt.exe PID: 5040, type: MEMORYSTR

        System Summary

        barindex
        Source: 0.2.TLH3anP3lh.exe.b90000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
        Source: 0.2.TLH3anP3lh.exe.b90000.1.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
        Source: 0.2.TLH3anP3lh.exe.b90000.1.unpack, type: UNPACKEDPE | Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
        Source: 0.2.TLH3anP3lh.exe.b90000.1.unpack, type: UNPACKEDPE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
        Source: 0.2.TLH3anP3lh.exe.b90000.1.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
        Source: 0.2.TLH3anP3lh.exe.b90000.1.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
        Source: 0.2.TLH3anP3lh.exe.b90000.1.unpack, type: UNPACKEDPE | Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
        Source: 0.2.TLH3anP3lh.exe.b90000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
        Source: 0.2.TLH3anP3lh.exe.b90000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
        Source: 0.2.TLH3anP3lh.exe.b90000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
        Source: 0.2.TLH3anP3lh.exe.b90000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
        Source: 0.2.TLH3anP3lh.exe.b90000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
        Source: 0.2.TLH3anP3lh.exe.b90000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
        Source: 0.2.TLH3anP3lh.exe.b90000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
        Source: 00000000.00000002.1739788707.0000000000B90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
        Source: 00000000.00000002.1739788707.0000000000B90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
        Source: 00000000.00000002.1739788707.0000000000B90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
        Source: 00000000.00000002.1739788707.0000000000B90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
        Source: 00000000.00000002.1739788707.0000000000B90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
        Source: 00000000.00000002.1739788707.0000000000B90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
        Source: 00000000.00000002.1739788707.0000000000B90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
        Source: 00000000.00000002.1740537753.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
        Source: 00000000.00000002.1740537753.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
        Source: 00000000.00000002.1740537753.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
        Source: 00000008.00000002.1954529546.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
        Source: 00000008.00000002.1954529546.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
        Source: 00000008.00000002.1954529546.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
        Source: 00000001.00000002.4129498882.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
        Source: 00000001.00000002.4129498882.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
        Source: 00000001.00000002.4129498882.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe | Process Stats: CPU usage > 49%
        Source: C:\Users\user\Desktop\TLH3anP3lh.exe | Code function: 0_2_00007FFD9B8D000A
        Source: C:\Users\user\Desktop\TLH3anP3lh.exe | Code function: 0_2_00007FFD9B8D0501
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe | Code function: 8_2_00007FFD9B8E000A
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe | Code function: 8_2_00007FFD9B8E0501
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe | Code function: 9_2_00007FFD9B8F003C
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe | Code function: 9_2_00007FFD9B8F0501
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe | Code function: 10_2_00007FFD9B8D000A
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe | Code function: 10_2_00007FFD9B8D0501
        Source: TLH3anP3lh.exe, 00000000.00000002.1739420450.00000000008DC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exej% vs TLH3anP3lh.exe
        Source: TLH3anP3lh.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
        Source: 0.2.TLH3anP3lh.exe.b90000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
        Source: 0.2.TLH3anP3lh.exe.b90000.1.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.TLH3anP3lh.exe.b90000.1.unpack, type: UNPACKEDPE | Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.TLH3anP3lh.exe.b90000.1.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
        Source: 0.2.TLH3anP3lh.exe.b90000.1.unpack, type: UNPACKEDPE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
        Source: 0.2.TLH3anP3lh.exe.b90000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
        Source: 0.2.TLH3anP3lh.exe.b90000.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
        Source: 0.2.TLH3anP3lh.exe.b90000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
        Source: 0.2.TLH3anP3lh.exe.b90000.1.raw.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.TLH3anP3lh.exe.b90000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.TLH3anP3lh.exe.b90000.1.raw.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
        Source: 0.2.TLH3anP3lh.exe.b90000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
        Source: 0.2.TLH3anP3lh.exe.b90000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
        Source: 0.2.TLH3anP3lh.exe.b90000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
        Source: 00000000.00000002.1739788707.0000000000B90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
        Source: 00000000.00000002.1739788707.0000000000B90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000000.00000002.1739788707.0000000000B90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000000.00000002.1739788707.0000000000B90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
        Source: 00000000.00000002.1739788707.0000000000B90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
        Source: 00000000.00000002.1739788707.0000000000B90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
        Source: 00000000.00000002.1739788707.0000000000B90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
        Source: 00000000.00000002.1740537753.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
        Source: 00000000.00000002.1740537753.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
        Source: 00000000.00000002.1740537753.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
        Source: 00000008.00000002.1954529546.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
        Source: 00000008.00000002.1954529546.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
        Source: 00000008.00000002.1954529546.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
        Source: 00000001.00000002.4129498882.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
        Source: 00000001.00000002.4129498882.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
        Source: 00000001.00000002.4129498882.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
        Source: TLH3anP3lh.exe | Static PE information: Section: .reloc ZLIB complexity 0.998046875
        Source: yzbekt.exe.0.dr | Static PE information: Section: .reloc ZLIB complexity 0.998046875
        Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@11/3@4/4
        Source: C:\Users\user\Desktop\TLH3anP3lh.exe | File created: C:\Users\user\AppData\Roaming\yzbekt.exe
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe | Mutant created: NULL
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe | Mutant created: \Sessions\1\BaseNamedObjects\yzbekt.exe
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7128:120:WilError_03
        Source: TLH3anP3lh.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: TLH3anP3lh.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
        Source: C:\Users\user\Desktop\TLH3anP3lh.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\TLH3anP3lh.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: TLH3anP3lh.exe | ReversingLabs: Detection: 76%
        Source: C:\Users\user\Desktop\TLH3anP3lh.exe | File read: C:\Users\user\Desktop\TLH3anP3lh.exe
        Source: unknown | Process created: C:\Users\user\Desktop\TLH3anP3lh.exe "C:\Users\user\Desktop\TLH3anP3lh.exe"
        Source: C:\Users\user\Desktop\TLH3anP3lh.exe | Process created: C:\Users\user\AppData\Roaming\yzbekt.exe "C:\Users\user\AppData\Roaming\yzbekt.exe"
        Source: C:\Users\user\Desktop\TLH3anP3lh.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\user\Desktop\TLH3anP3lh.exe"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 5
        Source: unknown | Process created: C:\Users\user\AppData\Roaming\yzbekt.exe "C:\Users\user\AppData\Roaming\yzbekt.exe" ..
        Source: unknown | Process created: C:\Users\user\AppData\Roaming\yzbekt.exe "C:\Users\user\AppData\Roaming\yzbekt.exe" ..
        Source: unknown | Process created: C:\Users\user\AppData\Roaming\yzbekt.exe "C:\Users\user\AppData\Roaming\yzbekt.exe" ..
        Source: C:\Users\user\Desktop\TLH3anP3lh.exe | Section loaded: mscoree.dll
        Source: C:\Users\user\Desktop\TLH3anP3lh.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\Desktop\TLH3anP3lh.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\TLH3anP3lh.exe | Section loaded: version.dll
        Source: C:\Users\user\Desktop\TLH3anP3lh.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\Desktop\TLH3anP3lh.exe | Section loaded: wldp.dll
        Source: C:\Users\user\Desktop\TLH3anP3lh.exe | Section loaded: profapi.dll
        Source: C:\Users\user\Desktop\TLH3anP3lh.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\Desktop\TLH3anP3lh.exe | Section loaded: propsys.dll
        Source: C:\Users\user\Desktop\TLH3anP3lh.exe | Section loaded: edputil.dll
        Source: C:\Users\user\Desktop\TLH3anP3lh.exe | Section loaded: urlmon.dll
        Source: C:\Users\user\Desktop\TLH3anP3lh.exe | Section loaded: iertutil.dll
        Source: C:\Users\user\Desktop\TLH3anP3lh.exe | Section loaded: srvcli.dll
        Source: C:\Users\user\Desktop\TLH3anP3lh.exe | Section loaded: netutils.dll
        Source: C:\Users\user\Desktop\TLH3anP3lh.exe | Section loaded: windows.staterepositoryps.dll
        Source: C:\Users\user\Desktop\TLH3anP3lh.exe | Section loaded: sspicli.dll
        Source: C:\Users\user\Desktop\TLH3anP3lh.exe | Section loaded: wintypes.dll
        Source: C:\Users\user\Desktop\TLH3anP3lh.exe | Section loaded: appresolver.dll
        Source: C:\Users\user\Desktop\TLH3anP3lh.exe | Section loaded: bcp47langs.dll
        Source: C:\Users\user\Desktop\TLH3anP3lh.exe | Section loaded: slc.dll
        Source: C:\Users\user\Desktop\TLH3anP3lh.exe | Section loaded: userenv.dll
        Source: C:\Users\user\Desktop\TLH3anP3lh.exe | Section loaded: sppc.dll
        Source: C:\Users\user\Desktop\TLH3anP3lh.exe | Section loaded: onecorecommonproxystub.dll
        Source: C:\Users\user\Desktop\TLH3anP3lh.exe | Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe | Section loaded: mscoree.dll
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe | Section loaded: version.dll
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe | Section loaded: wldp.dll
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe | Section loaded: profapi.dll
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe | Section loaded: cryptsp.dll
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe | Section loaded: rsaenh.dll
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe | Section loaded: cryptbase.dll
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe | Section loaded: mswsock.dll
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe | Section loaded: dnsapi.dll
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe | Section loaded: iphlpapi.dll
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe | Section loaded: rasadhlp.dll
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe | Section loaded: fwpuclnt.dll
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe | Section loaded: sspicli.dll
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe | Section loaded: wbemcomn.dll
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe | Section loaded: amsi.dll
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe | Section loaded: userenv.dll
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe | Section loaded: shfolder.dll
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe | Section loaded: avicap32.dll
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe | Section loaded: msvfw32.dll
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe | Section loaded: winmm.dll
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe | Section loaded: sxs.dll
        Source: C:\Windows\System32\choice.exe | Section loaded: version.dll
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
        Source: TLH3anP3lh.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: C:\Users\user\Desktop\TLH3anP3lh.exe | File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_88e266cb2fac7c0d\MSVCR80.dll
        Source: TLH3anP3lh.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

        Data Obfuscation

        Source: TLH3anP3lh.exe, _.cs | .Net Code: Main System.Reflection.Assembly.Load(byte[])
        Source: yzbekt.exe.0.dr, _.cs | .Net Code: Main System.Reflection.Assembly.Load(byte[])
        Source: 0.2.TLH3anP3lh.exe.b90000.1.raw.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
        Source: C:\Users\user\Desktop\TLH3anP3lh.exe | Code function: 0_2_00007FFD9B8D29F0 push edi; retf 0_2_00007FFD9B8D2B3B
        Source: C:\Users\user\Desktop\TLH3anP3lh.exe | Code function: 0_2_00007FFD9B8D2965 push edi; retf 0_2_00007FFD9B8D2B3B
        Source: C:\Users\user\Desktop\TLH3anP3lh.exe | Code function: 0_2_00007FFD9B8D26DD push edi; retf 0_2_00007FFD9B8D2B3B
        Source: C:\Users\user\Desktop\TLH3anP3lh.exe | Code function: 0_2_00007FFD9B8D2A86 push edi; retf 0_2_00007FFD9B8D2B3B
        Source: C:\Users\user\Desktop\TLH3anP3lh.exe | Code function: 0_2_00007FFD9B8D2B01 push edi; retf 0_2_00007FFD9B8D2B3B
        Source: C:\Users\user\Desktop\TLH3anP3lh.exe | Code function: 0_2_00007FFD9B8D297F push edi; retf 0_2_00007FFD9B8D2B3B
        Source: C:\Users\user\Desktop\TLH3anP3lh.exe | Code function: 0_2_00007FFD9B8D2B29 push edi; retf 0_2_00007FFD9B8D2B3B
        Source: C:\Users\user\Desktop\TLH3anP3lh.exe | Code function: 0_2_00007FFD9B8D28D2 push edi; retf 0_2_00007FFD9B8D2B3B
        Source: C:\Users\user\Desktop\TLH3anP3lh.exe | Code function: 0_2_00007FFD9B8D2AD4 push edi; retf 0_2_00007FFD9B8D2B3B
        Source: C:\Users\user\Desktop\TLH3anP3lh.exe | File created: C:\Users\user\AppData\Roaming\yzbekt.exe
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run yzbekt.exe
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run yzbekt.exe

        Hooking and other Techniques for Hiding and Protection

        Source: C:\Users\user\Desktop\TLH3anP3lh.exe | Process created: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\user\Desktop\TLH3anP3lh.exe"
        Source: C:\Users\user\Desktop\TLH3anP3lh.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

        Malware Analysis System Evasion

        Source: TLH3anP3lh.exe, 00000000.00000002.1739788707.0000000000B90000.00000004.08000000.00040000.00000000.sdmp, TLH3anP3lh.exe, 00000000.00000002.1740537753.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, yzbekt.exe, 00000001.00000002.4129498882.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, yzbekt.exe, 00000008.00000002.1954529546.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, yzbekt.exe, 00000009.00000002.2037160604.0000000002B2F000.00000004.00000800.00020000.00000000.sdmp, yzbekt.exe, 0000000A.00000002.2117807016.0000000002A0F000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: WIRESHARK.EXE
        Source: C:\Users\user\Desktop\TLH3anP3lh.exe :: Memory allocated: B60000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\TLH3anP3lh.exe :: Memory allocated: 2AF0000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\TLH3anP3lh.exe :: Memory allocated: 1AAF0000 memory commit | memory reserve | memory write watch
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe :: Memory allocated: 1520000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe :: Memory allocated: 33B0000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe :: Memory allocated: 1B3B0000 memory commit | memory reserve | memory write watch
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe :: Memory allocated: 1240000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe :: Memory allocated: 2CB0000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe :: Memory allocated: 1ACB0000 memory commit | memory reserve | memory write watch
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe :: Memory allocated: E80000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe :: Memory allocated: 2B10000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe :: Memory allocated: 1AB10000 memory commit | memory reserve | memory write watch
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe :: Memory allocated: 730000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe :: Memory allocated: 29F0000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe :: Memory allocated: 1A9F0000 memory commit | memory reserve | memory write watch
        Source: C:\Users\user\Desktop\TLH3anP3lh.exe :: Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe :: Thread delayed: delay time: 922337203685477 (4 identical entries)
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe :: Window / User API: threadDelayed 616
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe :: Window / User API: threadDelayed 3192
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe :: Window / User API: threadDelayed 1109
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe :: Window / User API: threadDelayed 1327
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe :: Window / User API: threadDelayed 489
        Source: C:\Users\user\Desktop\TLH3anP3lh.exe TID: 6760 :: Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe TID: 7004 :: Thread sleep count: 616 > 30
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe TID: 7004 :: Thread sleep time: -616000s >= -30000s
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe TID: 1744 :: Thread sleep count: 3192 > 30
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe TID: 1740 :: Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe TID: 1740 :: Thread sleep count: 35 > 30
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe TID: 1732 :: Thread sleep count: 1109 > 30
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe TID: 1732 :: Thread sleep time: -554500s >= -30000s
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe TID: 7004 :: Thread sleep count: 1327 > 30
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe TID: 7004 :: Thread sleep time: -1327000s >= -30000s
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe TID: 1732 :: Thread sleep count: 489 > 30
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe TID: 1732 :: Thread sleep time: -244500s >= -30000s
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe TID: 4564 :: Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe TID: 6740 :: Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe TID: 4476 :: Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\conhost.exe :: Last function: Thread delayed
        Source: TLH3anP3lh.exe, 00000000.00000002.1739420450.00000000008DC000.00000004.00000020.00020000.00000000.sdmp :: Binary or memory string: \\?\SCSIdRom&Ven_NECVMWar&Prod_VMware_
        Source: yzbekt.exe, 00000008.00000002.1954529546.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: VBoxServiceM{00AAC56B-CD44-11d0-8CC2-00C04FC295EE}
        Source: yzbekt.exe, 00000001.00000002.4128490909.00000000012DE000.00000004.00000020.00020000.00000000.sdmp :: Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe :: Process information queried: ProcessInformation
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe :: Process token adjusted: Debug
        Source: C:\Users\user\Desktop\TLH3anP3lh.exe :: Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion

        Source: 0.2.TLH3anP3lh.exe.b90000.1.raw.unpack, kl.cs :: Reference to suspicious API methods: MapVirtualKey(a, 0u)
        Source: 0.2.TLH3anP3lh.exe.b90000.1.raw.unpack, kl.cs :: Reference to suspicious API methods: GetAsyncKeyState(num2)
        Source: 0.2.TLH3anP3lh.exe.b90000.1.raw.unpack, OK.cs :: Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe :: Thread register set: 6972 CF000000020
        Source: C:\Users\user\Desktop\TLH3anP3lh.exe :: Process created: C:\Users\user\AppData\Roaming\yzbekt.exe "C:\Users\user\AppData\Roaming\yzbekt.exe"
        Source: C:\Users\user\Desktop\TLH3anP3lh.exe :: Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\user\Desktop\TLH3anP3lh.exe"
        Source: C:\Windows\System32\cmd.exe :: Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 5
        Source: TLH3anP3lh.exe, 00000000.00000002.1739788707.0000000000B90000.00000004.08000000.00040000.00000000.sdmp, TLH3anP3lh.exe, 00000000.00000002.1740537753.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, yzbekt.exe, 00000001.00000002.4129498882.00000000033B1000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Shell_TrayWnd
        Source: TLH3anP3lh.exe, 00000000.00000002.1739788707.0000000000B90000.00000004.08000000.00040000.00000000.sdmp, TLH3anP3lh.exe, 00000000.00000002.1740537753.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, yzbekt.exe, 00000001.00000002.4129498882.00000000033B1000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Progman!ChamaFrmTerrorrr
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe :: Queries volume information: C:\ VolumeInformation (44 identical entries)
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe :: Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Lowering of HIPS / PFW / Operating System Security Settings

        Source: C:\Users\user\AppData\Roaming\yzbekt.exe :: Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS
        Source: TLH3anP3lh.exe, 00000000.00000002.1739788707.0000000000B90000.00000004.08000000.00040000.00000000.sdmp, TLH3anP3lh.exe, 00000000.00000002.1740537753.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, yzbekt.exe, 00000001.00000002.4129498882.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, yzbekt.exe, 00000008.00000002.1954529546.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, yzbekt.exe, 00000009.00000002.2037160604.0000000002B2F000.00000004.00000800.00020000.00000000.sdmp, yzbekt.exe, 0000000A.00000002.2117807016.0000000002A0F000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Wireshark.exe
        Source: yzbekt.exe, 00000001.00000002.4141932615.000000001BEF0000.00000004.00000020.00020000.00000000.sdmp :: Binary or memory string: les%\Windows Defender\MsMpeng.exe
        Source: yzbekt.exe, 00000001.00000002.4211633544.0000000022958000.00000004.00000020.00020000.00000000.sdmp, yzbekt.exe, 00000001.00000002.4128490909.000000000132D000.00000004.00000020.00020000.00000000.sdmp, yzbekt.exe, 00000001.00000002.4141932615.000000001BF30000.00000004.00000020.00020000.00000000.sdmp, yzbekt.exe, 00000001.00000002.4141932615.000000001BEF0000.00000004.00000020.00020000.00000000.sdmp :: Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
        Source: yzbekt.exe, 00000001.00000002.4182424126.0000000021380000.00000004.00000020.00020000.00000000.sdmp, yzbekt.exe, 00000001.00000002.4293676793.0000000024BC0000.00000004.00000020.00020000.00000000.sdmp :: Binary or memory string: amFiles%\Windows Defender\MsMpeng.exe
        Source: C:\Users\user\AppData\Roaming\yzbekt.exe :: WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct (44 identical entries)
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
        Source: C:\Users\user\AppData\Roaming\yzbekt.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

        Stealing of Sensitive Information

        Source: Yara match; File source: 0.2.TLH3anP3lh.exe.b90000.1.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 0.2.TLH3anP3lh.exe.b90000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 00000000.00000002.1739788707.0000000000B90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000000.00000002.1740537753.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000008.00000002.1954529546.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000001.00000002.4129498882.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: Process Memory Space: TLH3anP3lh.exe PID: 6692, type: MEMORYSTR
        Source: Yara match; File source: Process Memory Space: yzbekt.exe PID: 6972, type: MEMORYSTR
        Source: Yara match; File source: Process Memory Space: yzbekt.exe PID: 5040, type: MEMORYSTR

        Remote Access Functionality

        Source: Yara match; File source: 0.2.TLH3anP3lh.exe.b90000.1.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 0.2.TLH3anP3lh.exe.b90000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 00000000.00000002.1739788707.0000000000B90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000000.00000002.1740537753.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000008.00000002.1954529546.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000001.00000002.4129498882.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: Process Memory Space: TLH3anP3lh.exe PID: 6692, type: MEMORYSTR
        Source: Yara match; File source: Process Memory Space: yzbekt.exe PID: 6972, type: MEMORYSTR
        Source: Yara match; File source: Process Memory Space: yzbekt.exe PID: 5040, type: MEMORYSTR
        MITRE ATT&CK Matrix

        The report's 14-column matrix (Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact) was flattened by extraction and is rebuilt here one tactic per line. A leading number is the cell's signature-count badge as extracted; cells without one are the matrix's unmatched placeholder techniques.

        Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
        Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
        Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
        Execution: 1 Windows Management Instrumentation; 1 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
        Persistence: 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
        Privilege Escalation: 112 Process Injection; 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
        Defense Evasion: 1 Masquerading; 11 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 112 Process Injection; 1 Obfuscated Files or Information; 11 Software Packing; 1 DLL Side-Loading; 1 File Deletion
        Credential Access: 1 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
        Discovery: 221 Security Software Discovery; 2 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 12 System Information Discovery; Remote System Discovery; System Owner/User Discovery
        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
        Collection: 1 Input Capture; 1 Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
        Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 1 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
        Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet
        Behavior Graph ID: 1537294; Sample: TLH3anP3lh.exe; Startdate: 18/10/2024; Architecture: WINDOWS; Score: 100

        The graph image is not present in this extraction; its nodes and edges are rebuilt below as a process tree. Bracketed numbers are the graph's per-process counters (created registry values / created files, see the legend above).

        Top-level DNS/IP: 0.tcp.eu.ngrok.io
        Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures

        TLH3anP3lh.exe [1 7] (started)
          dropped: C:\Users\user\AppData\Roaming\yzbekt.exe, MS-DOS
          dropped: C:\Users\user\AppData\...\TLH3anP3lh.exe.log, ASCII
          signatures: Self deletion via cmd or bat file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          -> yzbekt.exe [4 4] (started)
               network: 18.153.198.123, 14026, 50033, 50034 AMAZON-02US United States; 3.74.27.83, 14026, 49846, 49860 AMAZON-02US United States; 2 other IPs or domains
               signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 2 other signatures
          -> cmd.exe [1] (started)
               -> conhost.exe (started)
               -> choice.exe [1] (started)
        yzbekt.exe [3] (started at top level)
        yzbekt.exe [2] (started at top level)
        yzbekt.exe [2] (started at top level)

        Initial sample (Source - Detection - Scanner - Label):
        TLH3anP3lh.exe - 76% - ReversingLabs - ByteCode-MSIL.Trojan.KillMbr
        TLH3anP3lh.exe - 100% - Avira - TR/Dropper.Gen
        TLH3anP3lh.exe - 100% - Joe Sandbox ML

        Dropped files (Source - Detection - Scanner - Label):
        C:\Users\user\AppData\Roaming\yzbekt.exe - 100% - Avira - TR/Dropper.Gen
        C:\Users\user\AppData\Roaming\yzbekt.exe - 100% - Joe Sandbox ML
        C:\Users\user\AppData\Roaming\yzbekt.exe - 76% - ReversingLabs - ByteCode-MSIL.Trojan.KillMbr

        Unpacked PE files: No Antivirus matches
        Domains: No Antivirus matches
        URLs: No Antivirus matches
        Domains (Name - IP - Active - Malicious - Antivirus Detection - Reputation):
        0.tcp.eu.ngrok.io - 52.57.120.10 - active: true - malicious: true - antivirus detection: none - reputation: unknown

        URLs (Name - Source - Malicious - Antivirus Detection - Reputation):
        https://pastebin.com/raw/EngADTbC=MicrosoftEdgeUpdateTaskMachine (string as extracted from memory)
          sources: TLH3anP3lh.exe, 00000000.00000002.1739788707.0000000000B90000.00000004.08000000.00040000.00000000.sdmp; TLH3anP3lh.exe, 00000000.00000002.1740537753.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp; yzbekt.exe, 00000001.00000002.4129498882.00000000033B1000.00000004.00000800.00020000.00000000.sdmp; yzbekt.exe, 00000008.00000002.1954529546.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp
          malicious: false - antivirus detection: none - reputation: unknown
        https://pastebin.com/raw/EngADTbC
          sources: TLH3anP3lh.exe, 00000000.00000002.1740537753.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp; yzbekt.exe, 00000001.00000002.4129498882.00000000033B1000.00000004.00000800.00020000.00000000.sdmp; yzbekt.exe, 00000008.00000002.1954529546.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp; yzbekt.exe, 00000009.00000002.2037160604.0000000002B2F000.00000004.00000800.00020000.00000000.sdmp; yzbekt.exe, 0000000A.00000002.2117807016.0000000002A0F000.00000004.00000800.00020000.00000000.sdmp
          malicious: false - antivirus detection: none - reputation: unknown
        IPs (IP - Domain - Country - ASN - ASN Name - Malicious):
        3.78.28.71 - unknown - United States - 16509 - AMAZON-02US - true
        3.74.27.83 - unknown - United States - 16509 - AMAZON-02US - true
        18.153.198.123 - unknown - United States - 16509 - AMAZON-02US - true
        52.57.120.10 - 0.tcp.eu.ngrok.io - United States - 16509 - AMAZON-02US - true
              Joe Sandbox version:41.0.0 Charoite
              Analysis ID:1537294
              Start date and time:2024-10-18 19:06:07 +02:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 8m 11s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of new started processes analysed:12
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:TLH3anP3lh.exe
              renamed because original name is a hash value
              Original Sample Name:5a6e0971a54847d4cecc16bf7fa44bca.exe
              Detection:MAL
              Classification:mal100.phis.troj.spyw.evad.winEXE@11/3@4/4
              EGA Information:Failed
              HCA Information:
              • Successful, ratio: 100%
              • Number of executed functions: 26
              • Number of non-executed functions: 0
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Override analysis time to 240000 for current running targets taking high CPU consumption
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
              • Execution Graph export aborted for target TLH3anP3lh.exe, PID 6692 because it is empty
              • Execution Graph export aborted for target yzbekt.exe, PID 2828 because it is empty
              • Execution Graph export aborted for target yzbekt.exe, PID 5040 because it is empty
              • Execution Graph export aborted for target yzbekt.exe, PID 7092 because it is empty
        • Not all processes were analysed; the report is missing behavior information
              • Report size exceeded maximum capacity and may have missing behavior information.
              • Report size getting too big, too many NtEnumerateKey calls found.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtProtectVirtualMemory calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • Report size getting too big, too many NtSetInformationFile calls found.
              • VT rate limit hit for: TLH3anP3lh.exe
        Time - Type - Description
        13:07:15 - API Interceptor - 377834x Sleep call for process: yzbekt.exe modified
        18:07:14 - Autostart - Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run yzbekt.exe "C:\Users\user\AppData\Roaming\yzbekt.exe" ..
        18:07:22 - Autostart - Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run yzbekt.exe "C:\Users\user\AppData\Roaming\yzbekt.exe" ..
        18:07:30 - Autostart - Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run yzbekt.exe "C:\Users\user\AppData\Roaming\yzbekt.exe" ..
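The Run-key entries in the timeline above and the ngrok/AWS endpoints in the IP table are the two indicators from this report that are cheapest to hunt for in endpoint telemetry. The following Python is an added example written for this page, not code from the Joe Sandbox report or from the sample: it turns those indicators into two checks and runs them over Sysmon-style RegistryEvent (ID 13) and NetworkConnect (ID 3) records. The event dictionaries are constructed for illustration, the `RUN_KEY_RE`, `APPDATA_EXE_RE` and `NGROK_TCP_RE` patterns and the `COMMON_PORTS` allow-list are the editor's assumptions, and the IP set is copied from the report's IP table.

```python
"""Hunt for two indicators recorded in this report:
   1. a Run value (HKCU/HKLM) that launches an .exe from %AppData%\\Roaming,
      as the dropped yzbekt.exe does;
   2. a TCP connection to an ngrok TCP tunnel endpoint (<n>.tcp.<region>.ngrok.io)
      or to one of the report's C2 IPs on a non-standard port.
Event records are Sysmon-style dicts constructed for this example; they are
not the sandbox's raw telemetry."""
import re

# Run keys as Joe Sandbox prints them (HKCU, HKCU64, HKLM64) and as Sysmon
# logs them (HKU\<SID>\..., HKLM\...), with or without Wow6432Node.
RUN_KEY_RE = re.compile(
    r"^(?:HKLM|HKCU|HKU\\[^\\]+)(?:64)?\\Software\\(?:Wow6432Node\\)?"
    r"Microsoft\\Windows\\CurrentVersion\\Run\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)
# Value data launching an .exe from the roaming profile, e.g.
# "C:\Users\user\AppData\Roaming\yzbekt.exe" ..   (trailing args ignored)
APPDATA_EXE_RE = re.compile(
    r'^"?[a-z]:\\users\\[^\\]+\\appdata\\roaming\\[^\\"]+\.exe"?(?:\s|$)',
    re.IGNORECASE,
)
# ngrok TCP tunnel hostnames; the region label is optional (assumed pattern).
NGROK_TCP_RE = re.compile(r"^\d+\.tcp(?:\.[a-z0-9-]+)?\.ngrok\.io$", re.IGNORECASE)

# IPs the report lists for this sample's traffic (all AS16509, AMAZON-02).
REPORT_C2_IPS = {"3.78.28.71", "3.74.27.83", "18.153.198.123", "52.57.120.10"}
# Ports on which a hit against a shared cloud IP is too noisy to raise alone.
COMMON_PORTS = {53, 80, 443}


def check_registry_event(ev):
    """Finding for a Run-key SetValue whose data points into AppData\\Roaming, else None."""
    key = RUN_KEY_RE.match(ev.get("TargetObject", ""))
    if not key:
        return None
    if not APPDATA_EXE_RE.match(ev.get("Details", "")):
        return None
    return f"run-key persistence: {key.group('value')} -> {ev['Details']}"


def check_network_event(ev):
    """Finding for an ngrok TCP tunnel or a report C2 IP on an odd port, else None."""
    host = ev.get("DestinationHostname", "")
    ip = ev.get("DestinationIp", "")
    port = int(ev.get("DestinationPort", 0))
    if NGROK_TCP_RE.match(host):
        return f"ngrok tcp tunnel: {host}:{port}"
    if ip in REPORT_C2_IPS and port not in COMMON_PORTS:
        return f"known C2 ip on non-standard port: {ip}:{port}"
    return None


def hunt(events):
    """Apply both checks; return (event index, finding) pairs for events that match."""
    findings = []
    for i, ev in enumerate(events):
        if ev.get("EventID") == 13:
            f = check_registry_event(ev)
        elif ev.get("EventID") == 3:
            f = check_network_event(ev)
        else:
            f = None
        if f:
            findings.append((i, f))
    return findings


# Constructed sample events (values modelled on the report, not copied logs).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\user\AppData\Roaming\yzbekt.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\yzbekt.exe",
     "Details": r'"C:\Users\user\AppData\Roaming\yzbekt.exe" ..'},
    {"EventID": 13, "Image": r"C:\Users\user\AppData\Roaming\yzbekt.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\yzbekt.exe",
     "Details": r'"C:\Users\user\AppData\Roaming\yzbekt.exe" ..'},
    {"EventID": 13, "Image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"EventID": 3, "Image": r"C:\Users\user\AppData\Roaming\yzbekt.exe",
     "DestinationHostname": "0.tcp.eu.ngrok.io", "DestinationIp": "52.57.120.10", "DestinationPort": "14026"},
    {"EventID": 3, "Image": r"C:\Users\user\AppData\Roaming\yzbekt.exe",
     "DestinationHostname": "", "DestinationIp": "18.153.198.123", "DestinationPort": "14026"},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "ocsp.digicert.com", "DestinationIp": "192.0.2.10", "DestinationPort": "80"},
]

if __name__ == "__main__":
    for idx, finding in hunt(SAMPLE_EVENTS):
        print(f"event[{idx}] {finding}")
```

Run as a script it prints the four matching events (both yzbekt.exe Run values, the ngrok hostname, and the bare C2 IP on port 14026) and stays silent on the OneDrive Run value and the OCSP request. The Run-key pattern accepts the HKCU64/HKLM64 spelling Joe Sandbox prints as well as the HKU\<SID> form Sysmon logs, and the AppData check ignores whatever follows the executable path so the rule still fires when the value data carries other arguments. The IP match on its own is weak evidence: these are AWS addresses, one of which the report resolves to an ngrok tunnel endpoint, so it is only raised when the destination port is outside the short allow-list.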
        IP context (Match - Associated Sample Name / URL - Detection - Threat Name):
        3.78.28.71 - r0FS3r7Ore.exe - malicious - Njrat
        3.78.28.71 - lXLWfHWHMd.exe - malicious - Njrat
        3.78.28.71 - 4zeGOaTirn.exe - malicious - Njrat
        3.74.27.83 - r0FS3r7Ore.exe - malicious - Njrat
        3.74.27.83 - OLHskBFtS1.exe - malicious - Njrat
        3.74.27.83 - lXLWfHWHMd.exe - malicious - Njrat
        18.153.198.123 - OLHskBFtS1.exe - malicious - Njrat
        18.153.198.123 - tjK8Z8Q3JH.exe - malicious - Njrat
        18.153.198.123 - 4zeGOaTirn.exe - malicious - Njrat
        52.57.120.10 - lXLWfHWHMd.exe - malicious - Njrat
        52.57.120.10 - tjK8Z8Q3JH.exe - malicious - Njrat
        Domain context (Match - Associated Sample Name / URL - Detection - Threat Name - Context IP):
        0.tcp.eu.ngrok.io - r0FS3r7Ore.exe - malicious - Njrat - 3.74.27.83
        0.tcp.eu.ngrok.io - OLHskBFtS1.exe - malicious - Njrat - 3.74.27.83
        0.tcp.eu.ngrok.io - lXLWfHWHMd.exe - malicious - Njrat - 18.192.31.30
        0.tcp.eu.ngrok.io - tjK8Z8Q3JH.exe - malicious - Njrat - 18.153.198.123
        0.tcp.eu.ngrok.io - 4zeGOaTirn.exe - malicious - Njrat - 3.78.28.71
        0.tcp.eu.ngrok.io - C9zGTJBy3T.exe - malicious - Njrat - 3.125.209.94
        0.tcp.eu.ngrok.io - 7UpMyeV5pj.exe - malicious - Njrat - 3.124.142.205
        0.tcp.eu.ngrok.io - 7tjt3u68PZ.exe - malicious - Njrat - 3.125.209.94
        0.tcp.eu.ngrok.io - kOBRIUczY0.exe - malicious - Njrat - 3.125.102.39
        0.tcp.eu.ngrok.io - QbkuoGa4nm.exe - malicious - Njrat - 3.125.223.134
        ASN context (Match - Associated Sample Name / URL - Detection - Threat Name - Context IP):
        AMAZON-02US - file.exe - malicious - LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar - 52.222.236.23
        AMAZON-02US - Revised Agreement-59176786.pdf - malicious - Captcha Phish - 13.224.189.65
        AMAZON-02US - https://t.ly/li69F - malicious - Unknown - 76.76.21.22
        AMAZON-02US - https://www.bing.com/ck/a?!&&p=c60f44e2e0299106bbda17ed4610b6a047eac19fa538687ebec1fc78213d7903JmltdHM9MTcyOTEyMzIwMA&ptn=3&ver=2&hsh=4&fclid=234c270a-e3bc-6c48-2bf3-3210e2866d6d&psq=Siemens+v17&u=a1aHR0cHM6Ly9wbGM0bWUuY29tL2Rvd25sb2FkLXRpYS1wb3J0YWwtdjE3LWZ1bGwtdmVyc2lvbi1nb29nbGVkcml2ZS8&ntb=1 - malicious - Unknown - 52.217.121.241
        AMAZON-02US - 2RXgLC0ir2.elf - malicious - Mirai, Moobot - 18.255.231.180
        AMAZON-02US - carly.joseph@everbridge.com.html - malicious - HTMLPhisher - 99.81.224.135
        AMAZON-02US - https://www.cognitoforms.com/f/Bj0I4KTKbkCO-wVp9VSRWQ/1 - malicious - HTMLPhisher, Mamba2FA - 18.245.31.5
        AMAZON-02US - https://www.canva.com/design/DAGT2vOBNY8/p-tSk-DRXUJ7qPwl8mMJiw/view?utm_content=DAGT2vOBNY8&utm_campaign=designshare&utm_medium=link&utm_source=editor - malicious - Unknown - 54.246.144.89
        AMAZON-02US - https://docsend.com/view/63jvhxyyj7pwxerg - malicious - HTMLPhisher, Mamba2FA - 18.245.31.33
        AMAZON-02US - NdEIhUToOm.exe - malicious - Exela Stealer, Python Stealer - 45.112.123.227
                                    No context
                                    No context
                                    Process:C:\Users\user\Desktop\TLH3anP3lh.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):525
                                    Entropy (8bit):5.276808582119191
                                    Encrypted:false
                                    SSDEEP:12:Q3LaJVV+0kZs1B01ku9EZv4hk70/92v/l9tv:MLUGuRMOlT
                                    MD5:00F8672018D624935F7310D1C3DA595E
                                    SHA1:AC7890A643DF31BC3BB09053B8DE4D9368B672B2
                                    SHA-256:A7092B2AC70BB6E01050F3AE3DE5C1FF9D75A2775A0B07A37387493A2DF84664
                                    SHA-512:E5A2E0F177BFCA6C41054BAF3BFD9AA3287C7385C0DDDC1F942D642B8C232AD2AF1956009B08A822ABF42319BCFCFD163D3EB6CF13466727FCABFE32D2226FBC
                                    Malicious:true
                                    Reputation:moderate, very likely benign file
                                    Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System\60bcd4094a2a6aa9ef85662f2bad1392\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Drawing\4bbfa2b2d090d47bd2f1e96192ff5526\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Windows.Forms\cb818943a42d691b19f93868cb8bd2f5\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualBas#\f0aacd5090fc549bb15eb72893ee321d\Microsoft.VisualBasic.ni.dll",0..
                                    Process:C:\Users\user\AppData\Roaming\yzbekt.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):525
                                    Entropy (8bit):5.276808582119191
                                    Encrypted:false
                                    SSDEEP:12:Q3LaJVV+0kZs1B01ku9EZv4hk70/92v/l9tv:MLUGuRMOlT
                                    MD5:00F8672018D624935F7310D1C3DA595E
                                    SHA1:AC7890A643DF31BC3BB09053B8DE4D9368B672B2
                                    SHA-256:A7092B2AC70BB6E01050F3AE3DE5C1FF9D75A2775A0B07A37387493A2DF84664
                                    SHA-512:E5A2E0F177BFCA6C41054BAF3BFD9AA3287C7385C0DDDC1F942D642B8C232AD2AF1956009B08A822ABF42319BCFCFD163D3EB6CF13466727FCABFE32D2226FBC
                                    Malicious:false
                                    Reputation:moderate, very likely benign file
                                    Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System\60bcd4094a2a6aa9ef85662f2bad1392\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Drawing\4bbfa2b2d090d47bd2f1e96192ff5526\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Windows.Forms\cb818943a42d691b19f93868cb8bd2f5\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualBas#\f0aacd5090fc549bb15eb72893ee321d\Microsoft.VisualBasic.ni.dll",0..
                                    Process:C:\Users\user\Desktop\TLH3anP3lh.exe
                                    File Type:MS-DOS executable PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, MZ for MS-DOS
                                    Category:dropped
                                    Size (bytes):40916
                                    Entropy (8bit):7.366448665714686
                                    Encrypted:false
                                    SSDEEP:768:VvAl92nMe/UYPlfk4l3QYp6LxybXDIAfjP/m/NyE3NSTM8udmmBDnu:i4DzPlfk4JQm6L47BfbIyzM8udmmFu
                                    MD5:5A6E0971A54847D4CECC16BF7FA44BCA
                                    SHA1:B0B5D4F2CFE7A64ADDB17796BA41353C57A57F91
                                    SHA-256:B44B1273D8B923127C0F5279CB143ABF156CDA0B03D083F8424C54EC4BBB7223
                                    SHA-512:90362F72A78C257EBA31A9BC5089D02DB626A985F78D5EC8F97DADD743EF4C2B9FC434F318FAEA27D0E41E03CDDEEC94536F5BCD29A1FF77F14FE2D44A8B823E
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 76%
                                    Reputation:low
                                    Preview:MZ@.....................................!..L.!It's .NET EXE$@...PE..L....&.M............................^.... ...@....@.. ....................................@.....................................O....@..@....................`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B...........................................................................v2.19@.......H.......d&...............................................................0............%..,....i-....+...........%..,....i-.....+...................XGR......8.........%.X.XG..........-.....c.........XG.b.X.......8....... ...._ .............:]........XJ..........-....c....X... ...._... .............-@....c....._..........-....X... ...._ ....X....a...+....._.X...+}....c....._....E............%...;...+V...?_.X..+K..X... ...._.AX....a..+3.. .?.._ A...X....X.+....XX... ...._ AD..X.
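The dropped-file entries above show two things worth checking by hash rather than by eye: the 40,916-byte PE written by TLH3anP3lh.exe has exactly the submitted sample's MD5/SHA-1/SHA-256 (a copy of itself), and the same 525-byte text file (SHA-256 A7092B2A...) is written both by the sample and by C:\Users\user\AppData\Roaming\yzbekt.exe, yet receives "Malicious: true" once and "Malicious: false" once. The following Python is an added example for that triage step, not part of the Joe Sandbox report. The records are constructed from the fields shown above (writing process, file type, size, SHA-256, verdict); the dropped PE's path is not on this part of the page, so the example correlates on content hash only.

```python
import hashlib
from collections import defaultdict

# SHA-256 of the submitted sample, copied from this report.
SAMPLE_SHA256 = "b44b1273d8b923127c0f5279cb143abf156cda0b03d083f8424c54ec4bbb7223"

# Constructed records carrying only the fields the report's "Dropped Files"
# entries show (writing process, file type, size, SHA-256, sandbox verdict).
DROPPED_FILES = [
    {"process": r"C:\Users\user\Desktop\TLH3anP3lh.exe",
     "file_type": "ASCII text, with CRLF line terminators", "size": 525,
     "sha256": "A7092B2AC70BB6E01050F3AE3DE5C1FF9D75A2775A0B07A37387493A2DF84664",
     "malicious": True},
    {"process": r"C:\Users\user\AppData\Roaming\yzbekt.exe",
     "file_type": "ASCII text, with CRLF line terminators", "size": 525,
     "sha256": "A7092B2AC70BB6E01050F3AE3DE5C1FF9D75A2775A0B07A37387493A2DF84664",
     "malicious": False},
    {"process": r"C:\Users\user\Desktop\TLH3anP3lh.exe",
     "file_type": "MS-DOS executable PE32 executable (GUI) Intel 80386 Mono/.Net assembly",
     "size": 40916,
     "sha256": "B44B1273D8B923127C0F5279CB143ABF156CDA0B03D083F8424C54EC4BBB7223",
     "malicious": True},
]


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a byte string as lower-case hex; use it to check a local copy
    of a dropped file against the values in the report."""
    return hashlib.sha256(data).hexdigest()


def triage_dropped_files(records, sample_sha256):
    """Correlate dropped files by content hash.

    Returns (kind, sha256, sorted writer processes) tuples:
      self_copy             dropped content is byte-identical to the submitted sample
      shared_artifact       the same content was written by more than one process
      inconsistent_verdict  identical content received different verdicts
    """
    by_hash = defaultdict(list)
    for rec in records:
        by_hash[rec["sha256"].lower()].append(rec)

    findings = []
    for digest, recs in by_hash.items():
        writers = sorted({r["process"] for r in recs})
        if digest == sample_sha256.lower():
            findings.append(("self_copy", digest, writers))
        if len(writers) > 1:
            findings.append(("shared_artifact", digest, writers))
        if len({r["malicious"] for r in recs}) > 1:
            findings.append(("inconsistent_verdict", digest, writers))
    return findings


def dropped_pe_records(records):
    """Dropped files whose type string marks them as PE images."""
    return [r for r in records if "PE32" in r["file_type"]]


if __name__ == "__main__":
    for kind, digest, writers in triage_dropped_files(DROPPED_FILES, SAMPLE_SHA256):
        print(f"{kind:22} {digest[:16]}...  written by {', '.join(writers)}")
```

Hash comparison is case-insensitive on purpose: Joe Sandbox prints dropped-file digests in upper case and the sample's digests in lower case, and a naive string match would miss the self-copy.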
                                    File type:MS-DOS executable PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, MZ for MS-DOS
                                    Entropy (8bit):7.366448665714686
                                    TrID:
                                    • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                    • Win32 Executable (generic) a (10002005/4) 49.97%
                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                    • DOS Executable Generic (2002/1) 0.01%
                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                    File name:TLH3anP3lh.exe
                                    File size:40'916 bytes
                                    MD5:5a6e0971a54847d4cecc16bf7fa44bca
                                    SHA1:b0b5d4f2cfe7a64addb17796ba41353c57a57f91
                                    SHA256:b44b1273d8b923127c0f5279cb143abf156cda0b03d083f8424c54ec4bbb7223
                                    SHA512:90362f72a78c257eba31a9bc5089d02db626a985f78d5ec8f97dadd743ef4c2b9fc434f318faea27d0e41e03cddeec94536f5bcd29a1ff77f14fe2d44a8b823e
                                    SSDEEP:768:VvAl92nMe/UYPlfk4l3QYp6LxybXDIAfjP/m/NyE3NSTM8udmmBDnu:i4DzPlfk4JQm6L47BfbIyzM8udmmFu
                                    TLSH:E603F11BC74B82B7D025987B4B3392C8E73FE414A5AE5F7D00C85E3D9F53A8006A6A56
                                    File Content Preview:MZ@.....................................!..L.!It's .NET EXE$@...PE..L....&.M............................^.... ...@....@.. ....................................@.....................................O....@..@....................`.............................
                                    Icon Hash:90cececece8e8eb0
                                    Entrypoint:0x402e5e
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x4D0126CB [Thu Dec 9 18:58:19 2010 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:4
                                    OS Version Minor:0
                                    File Version Major:4
                                    File Version Minor:0
                                    Subsystem Version Major:4
                                    Subsystem Version Minor:0
                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al   (repeated for the remaining 97 disassembled instructions; the underlying bytes are 00 00)

The entry point (0x402e5e) is the standard 6-byte native stub of a 32-bit .NET executable: FF 25 jumps through the single IAT slot at RVA 0x2000 (IMAGE_DIRECTORY_ENTRY_IAT, size 0x8), which the Windows loader fills with the address of the only import, mscoree.dll!_CorExeMain, so the CLR takes control before any code of the assembly itself runs. The stub ends exactly where the virtual size of .text ends (0x2000 + 0xe64 = 0x2e64), so everything disassembled after it is zero-filled section padding, not code.
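The stub pattern above can be verified mechanically. The Python below is an added example and not part of the Joe Sandbox report: it takes the image base, entry point, section table and data directories from this report's static tables as constructed input, reconstructs the six entry-point bytes from the disassembly (FF 25 followed by the little-endian address 0x00402000; they are not read from the sample file), and checks that the entry code is a single indirect jmp into the IAT of a file that carries a CLR header. The same check flags the opposite case: a file with a CLR header whose entry point is native code other than this stub, which is what a native packer or loader wrapped around a managed payload looks like.

```python
import struct

# Values copied from this report's static tables (constructed input, not parsed
# from the sample file):
IMAGEBASE = 0x400000
ENTRYPOINT_RVA = 0x2e5e
SECTIONS = {            # name: (virtual address, virtual size)
    ".text": (0x2000, 0xe64),
    ".rsrc": (0x4000, 0x240),
    ".reloc": (0x6000, 0xc),
}
DATA_DIRS = {           # name: (rva, size); zero-sized entries omitted
    "IMPORT": (0x2e0c, 0x4f),
    "IAT": (0x2000, 0x8),
    "COM_DESCRIPTOR": (0x2008, 0x48),
}
# The six bytes behind "jmp dword ptr [00402000h]": opcode FF 25 followed by the
# little-endian absolute address. Reconstructed from the disassembly, not dumped.
ENTRY_BYTES = bytes.fromhex("ff25" "00204000")
STUB_LEN = 6


def section_of(rva, sections):
    """Name of the section whose virtual range covers rva, or None."""
    for name, (va, vsize) in sections.items():
        if va <= rva < va + vsize:
            return name
    return None


def in_directory(rva, data_dirs, name):
    """True if rva falls inside the named data directory."""
    start, size = data_dirs.get(name, (0, 0))
    return size > 0 and start <= rva < start + size


def decode_indirect_jmp(code):
    """Decode 'FF 25 disp32' (x86-32 jmp dword ptr [abs32]) and return the
    absolute address it reads from, or None for any other byte sequence."""
    if len(code) < STUB_LEN or code[:2] != b"\xff\x25":
        return None
    return struct.unpack_from("<I", code, 2)[0]


def classify_entry_stub(code, ep_rva, imagebase, sections, data_dirs):
    """Is the entry point the classic 32-bit managed stub: one indirect jmp
    through the IAT, in a file that has a CLR (COM descriptor) header?"""
    target_va = decode_indirect_jmp(code)
    info = {
        "section": section_of(ep_rva, sections),
        "jmp_target_rva": None if target_va is None else target_va - imagebase,
        "target_in_iat": False,
        "stub_ends_section": False,
        "has_clr_header": data_dirs.get("COM_DESCRIPTOR", (0, 0))[1] > 0,
    }
    if info["section"] is not None:
        va, vsize = sections[info["section"]]
        # When the stub is the last thing in its section, every byte disassembled
        # after it is zero padding, which x86 decodes as "add byte ptr [eax], al".
        info["stub_ends_section"] = ep_rva + STUB_LEN == va + vsize
    if info["jmp_target_rva"] is not None:
        info["target_in_iat"] = in_directory(info["jmp_target_rva"], data_dirs, "IAT")
    # A CLR header combined with entry code that is not this stub means native
    # code runs before the runtime does: typical of a packer or loader around a
    # managed payload, and worth a closer look.
    info["is_managed_stub"] = info["has_clr_header"] and info["target_in_iat"]
    return info


if __name__ == "__main__":
    for key, value in classify_entry_stub(ENTRY_BYTES, ENTRYPOINT_RVA,
                                          IMAGEBASE, SECTIONS, DATA_DIRS).items():
        print(f"{key:18} {value}")
```

On this sample every check passes: the target RVA 0x2000 is the IAT entry the loader points at mscoree.dll!_CorExeMain (the only import listed below), and the stub closes the .text virtual range, which is why the remaining disassembly is zero padding.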
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2e0c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4000 | 0x240 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xe64 | 0x1000 | 67a16ac29b5cad6137f7cde274f36178 | False | 0.545166015625 | data | 5.268030641747023 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x4000 | 0x240 | 0x400 | 79f2d97552a2143b0d4aad15e30e7192 | False | 0.30078125 | data | 3.5362123075490928 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x6000 | 0xc | 0x200 | 54075bb846c0b848677202143f47b50e | False | 0.998046875 | data | 6.526587223751109 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x4058 | 0x1e7 | XML 1.0 document, ASCII text, with CRLF line terminators | | | 0.5338809034907598

DLL | Import
mscoree.dll | _CorExeMain
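The Suricata table that follows fires the same four njRAT/Bladabindi signatures on a fresh connection roughly every three seconds, which is the check-in loop of the RAT rather than 17 separate infections. The Python below is an added example, not part of the Joe Sandbox report, that pulls the cadence out of such rows. Its input is ten rows copied verbatim from the table in the run-together form the page shows; timestamp, SID (ET/ETPRO rules use 7-digit SIDs), signature, severity and protocol separate mechanically, but the source/destination IP and port digits have no delimiter in the extracted text, so the parser keeps them as a single string instead of guessing a split. The regex is written for this page's rows (every signature name here ends with a parenthesised tag); a real deployment would read EVE JSON instead.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed input: ten rows copied from the Suricata table of this report, in
# the run-together form the table extraction produced.
ALERT_ROWS = [
    "2024-10-18T19:07:15.744364+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.44973052.57.120.1014026TCP",
    "2024-10-18T19:07:18.679168+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.44973352.57.120.1014026TCP",
    "2024-10-18T19:07:21.781707+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.44973452.57.120.1014026TCP",
    "2024-10-18T19:07:24.845118+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.44973552.57.120.1014026TCP",
    "2024-10-18T19:07:27.921400+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.44973652.57.120.1014026TCP",
    "2024-10-18T19:07:31.050883+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.44973752.57.120.1014026TCP",
    "2024-10-18T19:07:34.011423+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.44973952.57.120.1014026TCP",
    "2024-10-18T19:07:37.400162+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.44974052.57.120.1014026TCP",
    "2024-10-18T19:07:37.969172+02002825564ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)1192.168.2.44974052.57.120.1014026TCP",
    "2024-10-18T19:07:53.192086+02002825564ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)1192.168.2.44974552.57.120.1014026TCP",
]

ROW_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{6}[+-]\d{4})"
    r"(?P<sid>\d{7})"           # ET / ETPRO rule SIDs are 7 digits
    r"(?P<sig>.+?\))"           # signature names on this page all end with "(..)"
    r"(?P<sev>\d)"
    r"(?P<endpoints>[\d.]+)"    # src IP, src port, dst IP, dst port run together
    r"(?P<proto>TCP|UDP)$"
)


def parse_alert_rows(rows):
    """Parse run-together alert rows; rows that do not match are skipped."""
    alerts = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        alerts.append({
            "time": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%f%z"),
            "sid": int(m["sid"]),
            "signature": m["sig"],
            "severity": int(m["sev"]),
            "endpoints": m["endpoints"],   # left unsplit: no delimiter in the source
            "proto": m["proto"],
        })
    return alerts


def cadence_by_sid(alerts):
    """Per SID: alert count, median inter-alert gap and worst deviation from it."""
    times = defaultdict(list)
    for a in alerts:
        times[a["sid"]].append(a["time"])
    stats = {}
    for sid, ts in times.items():
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        median = statistics.median(gaps) if gaps else None
        jitter = max(abs(g - median) for g in gaps) if gaps else None
        stats[sid] = {"count": len(ts), "median_gap_s": median, "max_jitter_s": jitter}
    return stats


def looks_like_beacon(sid_stats, min_count=5, max_jitter_ratio=0.25):
    """Repeated hits on one signature at a steady interval: the shape of a C2
    check-in loop. Thresholds are illustrative, tune them per environment."""
    if sid_stats["count"] < min_count or sid_stats["median_gap_s"] is None:
        return False
    return sid_stats["max_jitter_s"] <= max_jitter_ratio * sid_stats["median_gap_s"]


if __name__ == "__main__":
    for sid, s in cadence_by_sid(parse_alert_rows(ALERT_ROWS)).items():
        print(sid, s, "beacon" if looks_like_beacon(s) else "")
```

On these rows SID 2033132 comes out at a median gap of about 3.1 s with little jitter and is flagged as a beacon, while the two "(act)" hits of SID 2825564 are too few to classify; the "(act)" rows are the ones to look at first, since they mark the server actually issuing a command rather than the implant's routine check-in.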
                                    TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                    2024-10-18T19:07:15.744364+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.44973052.57.120.1014026TCP
                                    2024-10-18T19:07:15.744364+02002021176ET MALWARE Bladabindi/njRAT CnC Command (ll)1192.168.2.44973052.57.120.1014026TCP
                                    2024-10-18T19:07:15.749369+02002825563ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf)1192.168.2.44973052.57.120.1014026TCP
                                    2024-10-18T19:07:15.749369+02002838486ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf)1192.168.2.44973052.57.120.1014026TCP
                                    2024-10-18T19:07:18.679168+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.44973352.57.120.1014026TCP
                                    2024-10-18T19:07:18.679168+02002021176ET MALWARE Bladabindi/njRAT CnC Command (ll)1192.168.2.44973352.57.120.1014026TCP
                                    2024-10-18T19:07:18.684543+02002825563ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf)1192.168.2.44973352.57.120.1014026TCP
                                    2024-10-18T19:07:18.684543+02002838486ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf)1192.168.2.44973352.57.120.1014026TCP
                                    2024-10-18T19:07:21.781707+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.44973452.57.120.1014026TCP
                                    2024-10-18T19:07:21.781707+02002021176ET MALWARE Bladabindi/njRAT CnC Command (ll)1192.168.2.44973452.57.120.1014026TCP
                                    2024-10-18T19:07:21.786741+02002825563ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf)1192.168.2.44973452.57.120.1014026TCP
                                    2024-10-18T19:07:21.786741+02002838486ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf)1192.168.2.44973452.57.120.1014026TCP
                                    2024-10-18T19:07:24.845118+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.44973552.57.120.1014026TCP
                                    2024-10-18T19:07:24.845118+02002021176ET MALWARE Bladabindi/njRAT CnC Command (ll)1192.168.2.44973552.57.120.1014026TCP
                                    2024-10-18T19:07:24.850250+02002825563ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf)1192.168.2.44973552.57.120.1014026TCP
                                    2024-10-18T19:07:24.850250+02002838486ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf)1192.168.2.44973552.57.120.1014026TCP
                                    2024-10-18T19:07:27.921400+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.44973652.57.120.1014026TCP
                                    2024-10-18T19:07:27.921400+02002021176ET MALWARE Bladabindi/njRAT CnC Command (ll)1192.168.2.44973652.57.120.1014026TCP
                                    2024-10-18T19:07:27.926515+02002825563ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf)1192.168.2.44973652.57.120.1014026TCP
                                    2024-10-18T19:07:27.926515+02002838486ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf)1192.168.2.44973652.57.120.1014026TCP
                                    2024-10-18T19:07:31.050883+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.44973752.57.120.1014026TCP
                                    2024-10-18T19:07:31.050883+02002021176ET MALWARE Bladabindi/njRAT CnC Command (ll)1192.168.2.44973752.57.120.1014026TCP
                                    2024-10-18T19:07:31.055901+02002825563ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf)1192.168.2.44973752.57.120.1014026TCP
                                    2024-10-18T19:07:31.055901+02002838486ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf)1192.168.2.44973752.57.120.1014026TCP
                                    2024-10-18T19:07:34.011423+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.44973952.57.120.1014026TCP
                                    2024-10-18T19:07:34.011423+02002021176ET MALWARE Bladabindi/njRAT CnC Command (ll)1192.168.2.44973952.57.120.1014026TCP
                                    2024-10-18T19:07:34.016850+02002825563ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf)1192.168.2.44973952.57.120.1014026TCP
                                    2024-10-18T19:07:34.016850+02002838486ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf)1192.168.2.44973952.57.120.1014026TCP
                                    2024-10-18T19:07:37.400162+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.44974052.57.120.1014026TCP
                                    2024-10-18T19:07:37.400162+02002021176ET MALWARE Bladabindi/njRAT CnC Command (ll)1192.168.2.44974052.57.120.1014026TCP
                                    2024-10-18T19:07:37.405237+02002825563ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf)1192.168.2.44974052.57.120.1014026TCP
                                    2024-10-18T19:07:37.405237+02002838486ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf)1192.168.2.44974052.57.120.1014026TCP
                                    2024-10-18T19:07:37.969172+02002825564ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)1192.168.2.44974052.57.120.1014026TCP
                                    2024-10-18T19:07:40.454339+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.44974152.57.120.1014026TCP
                                    2024-10-18T19:07:40.454339+02002021176ET MALWARE Bladabindi/njRAT CnC Command (ll)1192.168.2.44974152.57.120.1014026TCP
                                    2024-10-18T19:07:40.459218+02002825563ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf)1192.168.2.44974152.57.120.1014026TCP
                                    2024-10-18T19:07:40.459218+02002838486ETPRO MALWARE njRAT/Bladabindi Variant CnC Activity (inf)1192.168.2.44974152.57.120.1014026TCP
                                    2024-10-18T19:07:43.505638+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.44974252.57.120.1014026TCP
                                    2024-10-18T19:07:43.505638+02002021176ET MALWARE Bladabindi/njRAT CnC Command (ll)1192.168.2.44974252.57.120.1014026TCP
                                    2024-10-18T19:07:43.510768+02002825563ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (inf)1192.168.2.44974252.57.120.1014026TCP
TCP Packets (columns: Timestamp, Source Port, Dest Port, Source IP, Dest IP)
                                    Oct 18, 2024 19:07:52.616411924 CEST140264974552.57.120.10192.168.2.4
                                    Oct 18, 2024 19:07:52.616507053 CEST4974514026192.168.2.452.57.120.10
                                    Oct 18, 2024 19:07:52.651051998 CEST4974514026192.168.2.452.57.120.10
                                    Oct 18, 2024 19:07:52.655916929 CEST140264974552.57.120.10192.168.2.4
                                    Oct 18, 2024 19:07:52.656002998 CEST4974514026192.168.2.452.57.120.10
                                    Oct 18, 2024 19:07:52.661020994 CEST140264974552.57.120.10192.168.2.4
                                    Oct 18, 2024 19:07:53.192085981 CEST4974514026192.168.2.452.57.120.10
                                    Oct 18, 2024 19:07:53.197567940 CEST140264974552.57.120.10192.168.2.4
                                    Oct 18, 2024 19:07:53.647603989 CEST140264974552.57.120.10192.168.2.4
                                    Oct 18, 2024 19:07:53.647773981 CEST4974514026192.168.2.452.57.120.10
                                    Oct 18, 2024 19:07:55.656613111 CEST4974514026192.168.2.452.57.120.10
                                    Oct 18, 2024 19:07:55.657812119 CEST4974614026192.168.2.452.57.120.10
                                    Oct 18, 2024 19:07:55.661758900 CEST140264974552.57.120.10192.168.2.4
                                    Oct 18, 2024 19:07:55.662898064 CEST140264974652.57.120.10192.168.2.4
                                    Oct 18, 2024 19:07:55.662987947 CEST4974614026192.168.2.452.57.120.10
                                    Oct 18, 2024 19:07:55.701024055 CEST4974614026192.168.2.452.57.120.10
                                    Oct 18, 2024 19:07:55.705881119 CEST140264974652.57.120.10192.168.2.4
                                    Oct 18, 2024 19:07:55.705935001 CEST4974614026192.168.2.452.57.120.10
                                    Oct 18, 2024 19:07:55.711092949 CEST140264974652.57.120.10192.168.2.4
                                    Oct 18, 2024 19:07:56.687979937 CEST140264974652.57.120.10192.168.2.4
                                    Oct 18, 2024 19:07:56.688138962 CEST4974614026192.168.2.452.57.120.10
                                    Oct 18, 2024 19:07:58.703466892 CEST4974614026192.168.2.452.57.120.10
                                    Oct 18, 2024 19:07:58.705270052 CEST4974814026192.168.2.452.57.120.10
                                    Oct 18, 2024 19:07:58.708389044 CEST140264974652.57.120.10192.168.2.4
                                    Oct 18, 2024 19:07:58.710282087 CEST140264974852.57.120.10192.168.2.4
                                    Oct 18, 2024 19:07:58.710376024 CEST4974814026192.168.2.452.57.120.10
                                    Oct 18, 2024 19:07:58.770134926 CEST4974814026192.168.2.452.57.120.10
                                    Oct 18, 2024 19:07:58.775017023 CEST140264974852.57.120.10192.168.2.4
                                    Oct 18, 2024 19:07:58.775105000 CEST4974814026192.168.2.452.57.120.10
                                    Oct 18, 2024 19:07:58.779936075 CEST140264974852.57.120.10192.168.2.4
                                    Oct 18, 2024 19:07:59.739116907 CEST140264974852.57.120.10192.168.2.4
                                    Oct 18, 2024 19:07:59.741414070 CEST4974814026192.168.2.452.57.120.10
                                    Oct 18, 2024 19:08:01.750610113 CEST4974814026192.168.2.452.57.120.10
                                    Oct 18, 2024 19:08:01.752302885 CEST4976414026192.168.2.452.57.120.10
                                    Oct 18, 2024 19:08:01.755702972 CEST140264974852.57.120.10192.168.2.4
                                    Oct 18, 2024 19:08:01.757158041 CEST140264976452.57.120.10192.168.2.4
                                    Oct 18, 2024 19:08:01.757222891 CEST4976414026192.168.2.452.57.120.10
                                    Oct 18, 2024 19:08:01.814114094 CEST4976414026192.168.2.452.57.120.10
                                    Oct 18, 2024 19:08:01.818948984 CEST140264976452.57.120.10192.168.2.4
                                    Oct 18, 2024 19:08:01.819025040 CEST4976414026192.168.2.452.57.120.10
                                    Oct 18, 2024 19:08:01.823802948 CEST140264976452.57.120.10192.168.2.4
                                    Oct 18, 2024 19:08:02.830606937 CEST140264976452.57.120.10192.168.2.4
                                    Oct 18, 2024 19:08:02.830725908 CEST4976414026192.168.2.452.57.120.10
                                    Oct 18, 2024 19:08:04.853099108 CEST4976414026192.168.2.452.57.120.10
                                    Oct 18, 2024 19:08:04.858073950 CEST140264976452.57.120.10192.168.2.4
                                    Oct 18, 2024 19:08:04.865379095 CEST4978214026192.168.2.452.57.120.10
                                    Oct 18, 2024 19:08:04.870220900 CEST140264978252.57.120.10192.168.2.4
                                    Oct 18, 2024 19:08:04.870304108 CEST4978214026192.168.2.452.57.120.10
                                    Oct 18, 2024 19:08:05.186837912 CEST4978214026192.168.2.452.57.120.10
                                    Oct 18, 2024 19:08:05.191585064 CEST140264978252.57.120.10192.168.2.4
                                    Oct 18, 2024 19:08:05.191627979 CEST4978214026192.168.2.452.57.120.10
                                    Oct 18, 2024 19:08:05.196465969 CEST140264978252.57.120.10192.168.2.4
                                    Oct 18, 2024 19:08:05.915913105 CEST140264978252.57.120.10192.168.2.4
                                    Oct 18, 2024 19:08:05.915975094 CEST4978214026192.168.2.452.57.120.10
                                    Oct 18, 2024 19:08:07.798516035 CEST4978214026192.168.2.452.57.120.10
                                    Oct 18, 2024 19:08:07.799904108 CEST4979814026192.168.2.452.57.120.10
                                    Oct 18, 2024 19:08:07.803565025 CEST140264978252.57.120.10192.168.2.4
                                    Oct 18, 2024 19:08:07.804775000 CEST140264979852.57.120.10192.168.2.4
                                    Oct 18, 2024 19:08:07.804855108 CEST4979814026192.168.2.452.57.120.10
                                    Oct 18, 2024 19:08:07.837872982 CEST4979814026192.168.2.452.57.120.10
                                    Oct 18, 2024 19:08:07.843178988 CEST140264979852.57.120.10192.168.2.4
                                    Oct 18, 2024 19:08:07.843287945 CEST4979814026192.168.2.452.57.120.10
                                    Oct 18, 2024 19:08:07.848124027 CEST140264979852.57.120.10192.168.2.4
                                    Oct 18, 2024 19:08:08.439469099 CEST4979814026192.168.2.452.57.120.10
                                    Oct 18, 2024 19:08:08.444323063 CEST140264979852.57.120.10192.168.2.4
                                    Oct 18, 2024 19:08:08.899010897 CEST140264979852.57.120.10192.168.2.4
                                    Oct 18, 2024 19:08:08.899264097 CEST4979814026192.168.2.452.57.120.10
                                    Oct 18, 2024 19:08:10.656578064 CEST4979814026192.168.2.452.57.120.10
                                    Oct 18, 2024 19:08:10.657661915 CEST4981514026192.168.2.452.57.120.10
                                    Oct 18, 2024 19:08:10.661609888 CEST140264979852.57.120.10192.168.2.4
                                    Oct 18, 2024 19:08:10.662652016 CEST140264981552.57.120.10192.168.2.4
                                    Oct 18, 2024 19:08:10.662770033 CEST4981514026192.168.2.452.57.120.10
                                    Oct 18, 2024 19:08:10.701150894 CEST4981514026192.168.2.452.57.120.10
                                    Oct 18, 2024 19:08:10.706235886 CEST140264981552.57.120.10192.168.2.4
                                    Oct 18, 2024 19:08:10.706356049 CEST4981514026192.168.2.452.57.120.10
                                    Oct 18, 2024 19:08:10.711390018 CEST140264981552.57.120.10192.168.2.4
                                    Oct 18, 2024 19:08:11.705440044 CEST140264981552.57.120.10192.168.2.4
                                    Oct 18, 2024 19:08:11.707568884 CEST4981514026192.168.2.452.57.120.10
                                    Oct 18, 2024 19:08:13.355679035 CEST4981514026192.168.2.452.57.120.10
                                    Oct 18, 2024 19:08:13.356735945 CEST4983114026192.168.2.452.57.120.10
                                    Oct 18, 2024 19:08:13.360652924 CEST140264981552.57.120.10192.168.2.4
                                    Oct 18, 2024 19:08:13.361702919 CEST140264983152.57.120.10192.168.2.4
                                    Oct 18, 2024 19:08:13.361772060 CEST4983114026192.168.2.452.57.120.10
                                    Oct 18, 2024 19:08:13.398899078 CEST4983114026192.168.2.452.57.120.10
                                    Oct 18, 2024 19:08:13.403795004 CEST140264983152.57.120.10192.168.2.4
                                    Oct 18, 2024 19:08:13.403861046 CEST4983114026192.168.2.452.57.120.10
                                    Oct 18, 2024 19:08:13.408690929 CEST140264983152.57.120.10192.168.2.4
                                    Oct 18, 2024 19:08:14.088435888 CEST4983114026192.168.2.452.57.120.10
                                    Oct 18, 2024 19:08:14.093333006 CEST140264983152.57.120.10192.168.2.4
                                    Oct 18, 2024 19:08:14.390849113 CEST140264983152.57.120.10192.168.2.4
                                    Oct 18, 2024 19:08:14.390909910 CEST4983114026192.168.2.452.57.120.10
                                    Oct 18, 2024 19:08:15.922261953 CEST4983114026192.168.2.452.57.120.10
                                    Oct 18, 2024 19:08:15.927329063 CEST140264983152.57.120.10192.168.2.4
                                    Oct 18, 2024 19:08:15.936317921 CEST4984614026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:15.941520929 CEST14026498463.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:15.941596985 CEST4984614026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:15.968821049 CEST4984614026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:15.973910093 CEST14026498463.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:15.973982096 CEST4984614026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:15.978919983 CEST14026498463.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:16.989491940 CEST14026498463.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:16.991554976 CEST4984614026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:18.422359943 CEST4984614026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:18.423224926 CEST4986014026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:18.427238941 CEST14026498463.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:18.428194046 CEST14026498603.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:18.428272009 CEST4986014026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:18.495939970 CEST4986014026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:18.501069069 CEST14026498603.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:18.501163006 CEST4986014026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:18.506063938 CEST14026498603.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:18.633871078 CEST4986014026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:18.639480114 CEST14026498603.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:18.750385046 CEST4986014026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:18.755603075 CEST14026498603.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:19.159260988 CEST4986014026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:19.164565086 CEST14026498603.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:19.164622068 CEST4986014026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:19.169528961 CEST14026498603.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:19.301702023 CEST4986014026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:19.306907892 CEST14026498603.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:19.306974888 CEST4986014026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:19.312735081 CEST14026498603.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:19.352447987 CEST4986014026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:19.357306957 CEST14026498603.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:19.357361078 CEST4986014026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:19.362345934 CEST14026498603.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:19.398499966 CEST4986014026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:19.404453993 CEST14026498603.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:19.404545069 CEST4986014026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:19.409908056 CEST14026498603.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:19.440363884 CEST4986014026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:19.445199013 CEST14026498603.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:19.445259094 CEST4986014026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:19.450176001 CEST14026498603.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:19.478544950 CEST14026498603.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:19.478595018 CEST4986014026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:20.813507080 CEST4986014026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:20.815366983 CEST4987214026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:20.818479061 CEST14026498603.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:20.820360899 CEST14026498723.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:20.820548058 CEST4987214026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:20.935952902 CEST4987214026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:20.941066980 CEST14026498723.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:20.941124916 CEST4987214026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:20.945911884 CEST14026498723.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:21.060831070 CEST4987214026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:21.065819979 CEST14026498723.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:21.877163887 CEST14026498723.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:21.877228975 CEST4987214026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:23.170260906 CEST4987214026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:23.171700001 CEST4988414026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:23.175462008 CEST14026498723.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:23.176899910 CEST14026498843.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:23.176990032 CEST4988414026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:23.449523926 CEST4988414026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:23.454504013 CEST14026498843.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:23.455455065 CEST4988414026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:23.460285902 CEST14026498843.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:23.607646942 CEST4988414026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:23.612510920 CEST14026498843.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:23.617149115 CEST4988414026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:23.621968985 CEST14026498843.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:24.199165106 CEST14026498843.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:24.200098038 CEST4988414026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:25.400696993 CEST4988414026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:25.407042980 CEST4989014026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:25.765785933 CEST4988414026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:26.089914083 CEST14026498843.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:26.089939117 CEST14026498903.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:26.089962006 CEST14026498843.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:26.090034962 CEST4989014026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:26.090064049 CEST4988414026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:26.936141014 CEST4989014026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:26.941320896 CEST14026498903.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:26.941414118 CEST4989014026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:26.946902990 CEST14026498903.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:27.393974066 CEST14026498903.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:27.394042015 CEST4989014026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:28.512926102 CEST4989014026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:28.513803959 CEST4990314026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:28.517824888 CEST14026498903.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:28.518681049 CEST14026499033.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:28.518759966 CEST4990314026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:30.129956961 CEST4990314026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:30.135468006 CEST14026499033.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:30.135524988 CEST4990314026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:30.141051054 CEST14026499033.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:30.569190979 CEST14026499033.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:30.569292068 CEST4990314026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:32.578499079 CEST4990314026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:32.579485893 CEST4992014026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:32.583507061 CEST14026499033.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:32.584428072 CEST14026499203.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:32.584531069 CEST4992014026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:37.277396917 CEST4992014026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:37.282501936 CEST14026499203.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:37.282562971 CEST4992014026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:37.287422895 CEST14026499203.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:37.715010881 CEST14026499203.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:37.715085030 CEST4992014026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:39.719178915 CEST4992014026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:39.724188089 CEST14026499203.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:39.728373051 CEST4994414026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:39.733659983 CEST14026499443.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:39.733747959 CEST4994414026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:42.628762007 CEST4994414026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:42.633853912 CEST14026499443.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:42.633922100 CEST4994414026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:42.638788939 CEST14026499443.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:43.093528986 CEST14026499443.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:43.093585968 CEST4994414026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:45.288119078 CEST4994414026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:45.288779974 CEST4997414026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:45.293081999 CEST14026499443.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:45.293726921 CEST14026499743.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:45.293817043 CEST4997414026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:49.256578922 CEST4997414026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:49.261568069 CEST14026499743.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:49.261641979 CEST4997414026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:49.266546965 CEST14026499743.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:49.725610018 CEST14026499743.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:49.725882053 CEST4997414026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:51.961035013 CEST4997414026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:51.966134071 CEST14026499743.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:51.991168976 CEST5000614026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:51.996395111 CEST14026500063.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:51.996510029 CEST5000614026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:55.922847986 CEST5000614026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:55.927817106 CEST14026500063.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:55.927891970 CEST5000614026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:55.932796001 CEST14026500063.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:56.357131004 CEST14026500063.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:56.357333899 CEST5000614026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:58.364798069 CEST5000614026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:58.370022058 CEST14026500063.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:59.797281027 CEST5003114026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:08:59.802531004 CEST14026500313.74.27.83192.168.2.4
                                    Oct 18, 2024 19:08:59.802639961 CEST5003114026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:09:08.267829895 CEST5003114026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:09:08.272897959 CEST14026500313.74.27.83192.168.2.4
                                    Oct 18, 2024 19:09:08.273001909 CEST5003114026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:09:08.277817965 CEST14026500313.74.27.83192.168.2.4
                                    Oct 18, 2024 19:09:08.739123106 CEST14026500313.74.27.83192.168.2.4
                                    Oct 18, 2024 19:09:08.739200115 CEST5003114026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:09:11.234735966 CEST5003114026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:09:11.239820004 CEST14026500313.74.27.83192.168.2.4
                                    Oct 18, 2024 19:09:11.432837009 CEST5003214026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:09:11.437908888 CEST14026500323.74.27.83192.168.2.4
                                    Oct 18, 2024 19:09:11.437998056 CEST5003214026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:09:15.429435015 CEST5003214026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:09:15.434500933 CEST14026500323.74.27.83192.168.2.4
                                    Oct 18, 2024 19:09:15.434593916 CEST5003214026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:09:15.439493895 CEST14026500323.74.27.83192.168.2.4
                                    Oct 18, 2024 19:09:15.894285917 CEST14026500323.74.27.83192.168.2.4
                                    Oct 18, 2024 19:09:15.897253990 CEST5003214026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:09:17.937875986 CEST5003214026192.168.2.43.74.27.83
                                    Oct 18, 2024 19:09:17.942959070 CEST14026500323.74.27.83192.168.2.4
                                    Oct 18, 2024 19:09:17.967665911 CEST5003314026192.168.2.418.153.198.123
                                    Oct 18, 2024 19:09:17.972775936 CEST140265003318.153.198.123192.168.2.4
                                    Oct 18, 2024 19:09:17.972872019 CEST5003314026192.168.2.418.153.198.123
                                    Oct 18, 2024 19:09:21.357326031 CEST5003314026192.168.2.418.153.198.123
                                    Oct 18, 2024 19:09:21.362679958 CEST140265003318.153.198.123192.168.2.4
                                    Oct 18, 2024 19:09:21.362845898 CEST5003314026192.168.2.418.153.198.123
                                    Oct 18, 2024 19:09:21.367691994 CEST140265003318.153.198.123192.168.2.4
                                    Oct 18, 2024 19:09:21.796854973 CEST140265003318.153.198.123192.168.2.4
                                    Oct 18, 2024 19:09:21.796931982 CEST5003314026192.168.2.418.153.198.123
Oct 18, 2024 19:09:23.870142937 CEST | 50033 | 14026 | 192.168.2.4 | 18.153.198.123
Oct 18, 2024 19:09:23.875178099 CEST | 14026 | 50033 | 18.153.198.123 | 192.168.2.4
Oct 18, 2024 19:09:23.881675005 CEST | 50034 | 14026 | 192.168.2.4 | 18.153.198.123
Oct 18, 2024 19:09:23.887839079 CEST | 14026 | 50034 | 18.153.198.123 | 192.168.2.4
Oct 18, 2024 19:09:23.887983084 CEST | 50034 | 14026 | 192.168.2.4 | 18.153.198.123
Oct 18, 2024 19:09:27.367667913 CEST | 50034 | 14026 | 192.168.2.4 | 18.153.198.123
Oct 18, 2024 19:09:27.372844934 CEST | 14026 | 50034 | 18.153.198.123 | 192.168.2.4
Oct 18, 2024 19:09:27.375605106 CEST | 50034 | 14026 | 192.168.2.4 | 18.153.198.123
Oct 18, 2024 19:09:27.380599022 CEST | 14026 | 50034 | 18.153.198.123 | 192.168.2.4
Oct 18, 2024 19:09:27.805718899 CEST | 14026 | 50034 | 18.153.198.123 | 192.168.2.4
Oct 18, 2024 19:09:27.808264017 CEST | 50034 | 14026 | 192.168.2.4 | 18.153.198.123
Oct 18, 2024 19:09:29.819554090 CEST | 50034 | 14026 | 192.168.2.4 | 18.153.198.123
Oct 18, 2024 19:09:29.824758053 CEST | 14026 | 50034 | 18.153.198.123 | 192.168.2.4
Oct 18, 2024 19:09:29.842776060 CEST | 50035 | 14026 | 192.168.2.4 | 18.153.198.123
Oct 18, 2024 19:09:29.848117113 CEST | 14026 | 50035 | 18.153.198.123 | 192.168.2.4
Oct 18, 2024 19:09:29.848232985 CEST | 50035 | 14026 | 192.168.2.4 | 18.153.198.123
Oct 18, 2024 19:09:32.994369030 CEST | 50035 | 14026 | 192.168.2.4 | 18.153.198.123
Oct 18, 2024 19:09:32.999499083 CEST | 14026 | 50035 | 18.153.198.123 | 192.168.2.4
Oct 18, 2024 19:09:32.999573946 CEST | 50035 | 14026 | 192.168.2.4 | 18.153.198.123
Oct 18, 2024 19:09:33.004525900 CEST | 14026 | 50035 | 18.153.198.123 | 192.168.2.4
Oct 18, 2024 19:09:33.437756062 CEST | 14026 | 50035 | 18.153.198.123 | 192.168.2.4
Oct 18, 2024 19:09:33.437824965 CEST | 50035 | 14026 | 192.168.2.4 | 18.153.198.123
Oct 18, 2024 19:09:35.796904087 CEST | 50035 | 14026 | 192.168.2.4 | 18.153.198.123
Oct 18, 2024 19:09:35.801858902 CEST | 14026 | 50035 | 18.153.198.123 | 192.168.2.4
Oct 18, 2024 19:09:35.804539919 CEST | 50036 | 14026 | 192.168.2.4 | 18.153.198.123
Oct 18, 2024 19:09:35.809509993 CEST | 14026 | 50036 | 18.153.198.123 | 192.168.2.4
Oct 18, 2024 19:09:35.809632063 CEST | 50036 | 14026 | 192.168.2.4 | 18.153.198.123
Oct 18, 2024 19:09:41.702877045 CEST | 50036 | 14026 | 192.168.2.4 | 18.153.198.123
Oct 18, 2024 19:09:41.707928896 CEST | 14026 | 50036 | 18.153.198.123 | 192.168.2.4
Oct 18, 2024 19:09:41.708018064 CEST | 50036 | 14026 | 192.168.2.4 | 18.153.198.123
Oct 18, 2024 19:09:41.712862968 CEST | 14026 | 50036 | 18.153.198.123 | 192.168.2.4
Oct 18, 2024 19:09:42.143074036 CEST | 14026 | 50036 | 18.153.198.123 | 192.168.2.4
Oct 18, 2024 19:09:42.143147945 CEST | 50036 | 14026 | 192.168.2.4 | 18.153.198.123
Oct 18, 2024 19:09:44.256753922 CEST | 50036 | 14026 | 192.168.2.4 | 18.153.198.123
Oct 18, 2024 19:09:44.265522003 CEST | 14026 | 50036 | 18.153.198.123 | 192.168.2.4
Oct 18, 2024 19:09:44.268138885 CEST | 50037 | 14026 | 192.168.2.4 | 18.153.198.123
Oct 18, 2024 19:09:44.273401976 CEST | 14026 | 50037 | 18.153.198.123 | 192.168.2.4
Oct 18, 2024 19:09:44.273549080 CEST | 50037 | 14026 | 192.168.2.4 | 18.153.198.123
Oct 18, 2024 19:09:47.329293013 CEST | 50037 | 14026 | 192.168.2.4 | 18.153.198.123
Oct 18, 2024 19:09:47.334382057 CEST | 14026 | 50037 | 18.153.198.123 | 192.168.2.4
Oct 18, 2024 19:09:47.334486961 CEST | 50037 | 14026 | 192.168.2.4 | 18.153.198.123
Oct 18, 2024 19:09:47.339624882 CEST | 14026 | 50037 | 18.153.198.123 | 192.168.2.4
Oct 18, 2024 19:09:47.766386032 CEST | 14026 | 50037 | 18.153.198.123 | 192.168.2.4
Oct 18, 2024 19:09:47.766499043 CEST | 50037 | 14026 | 192.168.2.4 | 18.153.198.123
Oct 18, 2024 19:09:49.966965914 CEST | 50037 | 14026 | 192.168.2.4 | 18.153.198.123
Oct 18, 2024 19:09:49.972362041 CEST | 14026 | 50037 | 18.153.198.123 | 192.168.2.4
Oct 18, 2024 19:09:50.120429039 CEST | 50038 | 14026 | 192.168.2.4 | 18.153.198.123
Oct 18, 2024 19:09:50.125468016 CEST | 14026 | 50038 | 18.153.198.123 | 192.168.2.4
Oct 18, 2024 19:09:50.125555992 CEST | 50038 | 14026 | 192.168.2.4 | 18.153.198.123
Oct 18, 2024 19:10:09.807940006 CEST | 50038 | 14026 | 192.168.2.4 | 18.153.198.123
Oct 18, 2024 19:10:09.812838078 CEST | 14026 | 50038 | 18.153.198.123 | 192.168.2.4
Oct 18, 2024 19:10:09.812930107 CEST | 50038 | 14026 | 192.168.2.4 | 18.153.198.123
Oct 18, 2024 19:10:09.817779064 CEST | 14026 | 50038 | 18.153.198.123 | 192.168.2.4
Oct 18, 2024 19:10:09.817842960 CEST | 50038 | 14026 | 192.168.2.4 | 18.153.198.123
Oct 18, 2024 19:10:09.822685957 CEST | 14026 | 50038 | 18.153.198.123 | 192.168.2.4
Oct 18, 2024 19:10:10.242516041 CEST | 14026 | 50038 | 18.153.198.123 | 192.168.2.4
Oct 18, 2024 19:10:10.242594004 CEST | 50038 | 14026 | 192.168.2.4 | 18.153.198.123
Oct 18, 2024 19:10:12.297100067 CEST | 50038 | 14026 | 192.168.2.4 | 18.153.198.123
Oct 18, 2024 19:10:12.312154055 CEST | 14026 | 50038 | 18.153.198.123 | 192.168.2.4
Oct 18, 2024 19:10:12.315434933 CEST | 50039 | 14026 | 192.168.2.4 | 18.153.198.123
Oct 18, 2024 19:10:12.320439100 CEST | 14026 | 50039 | 18.153.198.123 | 192.168.2.4
Oct 18, 2024 19:10:12.320534945 CEST | 50039 | 14026 | 192.168.2.4 | 18.153.198.123
Oct 18, 2024 19:10:17.733036995 CEST | 50039 | 14026 | 192.168.2.4 | 18.153.198.123
Oct 18, 2024 19:10:17.740010977 CEST | 14026 | 50039 | 18.153.198.123 | 192.168.2.4
Oct 18, 2024 19:10:17.740088940 CEST | 50039 | 14026 | 192.168.2.4 | 18.153.198.123
Oct 18, 2024 19:10:17.744976997 CEST | 14026 | 50039 | 18.153.198.123 | 192.168.2.4
Oct 18, 2024 19:10:18.204699993 CEST | 14026 | 50039 | 18.153.198.123 | 192.168.2.4
Oct 18, 2024 19:10:18.204955101 CEST | 50039 | 14026 | 192.168.2.4 | 18.153.198.123
Oct 18, 2024 19:10:20.578859091 CEST | 50039 | 14026 | 192.168.2.4 | 18.153.198.123
Oct 18, 2024 19:10:20.984829903 CEST | 50039 | 14026 | 192.168.2.4 | 18.153.198.123
Oct 18, 2024 19:10:21.162946939 CEST | 14026 | 50039 | 18.153.198.123 | 192.168.2.4
Oct 18, 2024 19:10:21.162964106 CEST | 14026 | 50039 | 18.153.198.123 | 192.168.2.4
Oct 18, 2024 19:10:21.163034916 CEST | 50039 | 14026 | 192.168.2.4 | 18.153.198.123
Oct 18, 2024 19:10:21.258199930 CEST | 50040 | 14026 | 192.168.2.4 | 3.78.28.71
Oct 18, 2024 19:10:21.263354063 CEST | 14026 | 50040 | 3.78.28.71 | 192.168.2.4
Oct 18, 2024 19:10:21.263485909 CEST | 50040 | 14026 | 192.168.2.4 | 3.78.28.71
Oct 18, 2024 19:10:25.842886925 CEST | 50040 | 14026 | 192.168.2.4 | 3.78.28.71
Oct 18, 2024 19:10:25.847843885 CEST | 14026 | 50040 | 3.78.28.71 | 192.168.2.4
Oct 18, 2024 19:10:25.847912073 CEST | 50040 | 14026 | 192.168.2.4 | 3.78.28.71
Oct 18, 2024 19:10:25.852787971 CEST | 14026 | 50040 | 3.78.28.71 | 192.168.2.4
Oct 18, 2024 19:10:26.304572105 CEST | 14026 | 50040 | 3.78.28.71 | 192.168.2.4
Oct 18, 2024 19:10:26.304855108 CEST | 50040 | 14026 | 192.168.2.4 | 3.78.28.71
Oct 18, 2024 19:10:28.316533089 CEST | 50040 | 14026 | 192.168.2.4 | 3.78.28.71
Oct 18, 2024 19:10:28.321393013 CEST | 14026 | 50040 | 3.78.28.71 | 192.168.2.4
Oct 18, 2024 19:10:28.345798016 CEST | 50041 | 14026 | 192.168.2.4 | 3.78.28.71
Oct 18, 2024 19:10:28.350662947 CEST | 14026 | 50041 | 3.78.28.71 | 192.168.2.4
Oct 18, 2024 19:10:28.350754023 CEST | 50041 | 14026 | 192.168.2.4 | 3.78.28.71
Oct 18, 2024 19:10:32.950414896 CEST | 50041 | 14026 | 192.168.2.4 | 3.78.28.71
Oct 18, 2024 19:10:32.955260038 CEST | 14026 | 50041 | 3.78.28.71 | 192.168.2.4
Oct 18, 2024 19:10:32.955336094 CEST | 50041 | 14026 | 192.168.2.4 | 3.78.28.71
Oct 18, 2024 19:10:32.960248947 CEST | 14026 | 50041 | 3.78.28.71 | 192.168.2.4
Oct 18, 2024 19:10:33.409006119 CEST | 14026 | 50041 | 3.78.28.71 | 192.168.2.4
Oct 18, 2024 19:10:33.409070969 CEST | 50041 | 14026 | 192.168.2.4 | 3.78.28.71
Oct 18, 2024 19:10:35.425784111 CEST | 50041 | 14026 | 192.168.2.4 | 3.78.28.71
Oct 18, 2024 19:10:35.431271076 CEST | 14026 | 50041 | 3.78.28.71 | 192.168.2.4
Oct 18, 2024 19:10:35.444148064 CEST | 50042 | 14026 | 192.168.2.4 | 3.78.28.71
Oct 18, 2024 19:10:35.449220896 CEST | 14026 | 50042 | 3.78.28.71 | 192.168.2.4
Oct 18, 2024 19:10:35.449295998 CEST | 50042 | 14026 | 192.168.2.4 | 3.78.28.71
Oct 18, 2024 19:10:41.284056902 CEST | 50042 | 14026 | 192.168.2.4 | 3.78.28.71
Oct 18, 2024 19:10:41.288969994 CEST | 14026 | 50042 | 3.78.28.71 | 192.168.2.4
Oct 18, 2024 19:10:41.289042950 CEST | 50042 | 14026 | 192.168.2.4 | 3.78.28.71
Oct 18, 2024 19:10:41.294074059 CEST | 14026 | 50042 | 3.78.28.71 | 192.168.2.4
Oct 18, 2024 19:10:41.727189064 CEST | 14026 | 50042 | 3.78.28.71 | 192.168.2.4
Oct 18, 2024 19:10:41.727361917 CEST | 50042 | 14026 | 192.168.2.4 | 3.78.28.71
Oct 18, 2024 19:10:43.794467926 CEST | 50042 | 14026 | 192.168.2.4 | 3.78.28.71
Oct 18, 2024 19:10:43.799650908 CEST | 14026 | 50042 | 3.78.28.71 | 192.168.2.4
Oct 18, 2024 19:10:43.829348087 CEST | 50043 | 14026 | 192.168.2.4 | 3.78.28.71
Oct 18, 2024 19:10:44.089603901 CEST | 14026 | 50043 | 3.78.28.71 | 192.168.2.4
Oct 18, 2024 19:10:44.089689970 CEST | 50043 | 14026 | 192.168.2.4 | 3.78.28.71
Oct 18, 2024 19:10:57.043735027 CEST | 50043 | 14026 | 192.168.2.4 | 3.78.28.71
Oct 18, 2024 19:10:57.048713923 CEST | 14026 | 50043 | 3.78.28.71 | 192.168.2.4
Oct 18, 2024 19:10:57.048777103 CEST | 50043 | 14026 | 192.168.2.4 | 3.78.28.71
Oct 18, 2024 19:10:57.053632021 CEST | 14026 | 50043 | 3.78.28.71 | 192.168.2.4
Oct 18, 2024 19:10:57.878757954 CEST | 14026 | 50043 | 3.78.28.71 | 192.168.2.4
Oct 18, 2024 19:10:57.878861904 CEST | 50043 | 14026 | 192.168.2.4 | 3.78.28.71
Oct 18, 2024 19:10:59.892391920 CEST | 50043 | 14026 | 192.168.2.4 | 3.78.28.71
Oct 18, 2024 19:10:59.898041010 CEST | 14026 | 50043 | 3.78.28.71 | 192.168.2.4
Oct 18, 2024 19:10:59.901253939 CEST | 50044 | 14026 | 192.168.2.4 | 3.78.28.71
Oct 18, 2024 19:10:59.906415939 CEST | 14026 | 50044 | 3.78.28.71 | 192.168.2.4
Oct 18, 2024 19:10:59.906497955 CEST | 50044 | 14026 | 192.168.2.4 | 3.78.28.71
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 18, 2024 19:07:15.511804104 CEST | 57423 | 53 | 192.168.2.4 | 1.1.1.1
Oct 18, 2024 19:07:15.521809101 CEST | 53 | 57423 | 1.1.1.1 | 192.168.2.4
Oct 18, 2024 19:08:15.923083067 CEST | 61761 | 53 | 192.168.2.4 | 1.1.1.1
Oct 18, 2024 19:08:15.932390928 CEST | 53 | 61761 | 1.1.1.1 | 192.168.2.4
Oct 18, 2024 19:09:17.938806057 CEST | 54973 | 53 | 192.168.2.4 | 1.1.1.1
Oct 18, 2024 19:09:17.956926107 CEST | 53 | 54973 | 1.1.1.1 | 192.168.2.4
Oct 18, 2024 19:10:20.579768896 CEST | 61651 | 53 | 192.168.2.4 | 1.1.1.1
Oct 18, 2024 19:10:21.167474031 CEST | 53 | 61651 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 18, 2024 19:07:15.511804104 CEST | 192.168.2.4 | 1.1.1.1 | 0x156f | Standard query (0) | 0.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false
Oct 18, 2024 19:08:15.923083067 CEST | 192.168.2.4 | 1.1.1.1 | 0x1128 | Standard query (0) | 0.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false
Oct 18, 2024 19:09:17.938806057 CEST | 192.168.2.4 | 1.1.1.1 | 0xc92a | Standard query (0) | 0.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false
Oct 18, 2024 19:10:20.579768896 CEST | 192.168.2.4 | 1.1.1.1 | 0x822b | Standard query (0) | 0.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 18, 2024 19:07:15.521809101 CEST | 1.1.1.1 | 192.168.2.4 | 0x156f | No error (0) | 0.tcp.eu.ngrok.io | | 52.57.120.10 | A (IP address) | IN (0x0001) | false
Oct 18, 2024 19:08:15.932390928 CEST | 1.1.1.1 | 192.168.2.4 | 0x1128 | No error (0) | 0.tcp.eu.ngrok.io | | 3.74.27.83 | A (IP address) | IN (0x0001) | false
Oct 18, 2024 19:09:17.956926107 CEST | 1.1.1.1 | 192.168.2.4 | 0xc92a | No error (0) | 0.tcp.eu.ngrok.io | | 18.153.198.123 | A (IP address) | IN (0x0001) | false
Oct 18, 2024 19:10:21.167474031 CEST | 1.1.1.1 | 192.168.2.4 | 0x822b | No error (0) | 0.tcp.eu.ngrok.io | | 3.78.28.71 | A (IP address) | IN (0x0001) | false

Target ID: 0
Start time: 13:06:58
Start date: 18/10/2024
Path: C:\Users\user\Desktop\TLH3anP3lh.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\TLH3anP3lh.exe"
Imagebase: 0x420000
File size: 40'916 bytes
MD5 hash: 5A6E0971A54847D4CECC16BF7FA44BCA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.1739788707.0000000000B90000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.1739788707.0000000000B90000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000002.1739788707.0000000000B90000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
• Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: 00000000.00000002.1739788707.0000000000B90000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
• Rule: Unknown_Malware_Sample_Jul17_2, Description: Detects unknown malware sample with pastebin RAW URL, Source: 00000000.00000002.1739788707.0000000000B90000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
• Rule: njrat1, Description: Identify njRat, Source: 00000000.00000002.1739788707.0000000000B90000.00000004.08000000.00040000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
• Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000002.1739788707.0000000000B90000.00000004.08000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows executables potentially bypassing UAC using eventvwr.exe, Source: 00000000.00000002.1739788707.0000000000B90000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
• Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: 00000000.00000002.1739788707.0000000000B90000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.1740537753.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000002.1740537753.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: njrat1, Description: Identify njRat, Source: 00000000.00000002.1740537753.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
• Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000002.1740537753.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low
Has exited: true

Target ID: 1
Start time: 13:07:05
Start date: 18/10/2024
Path: C:\Users\user\AppData\Roaming\yzbekt.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Roaming\yzbekt.exe"
Imagebase: 0xdd0000
File size: 40'916 bytes
MD5 hash: 5A6E0971A54847D4CECC16BF7FA44BCA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000001.00000002.4129498882.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000001.00000002.4129498882.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: njrat1, Description: Identify njRat, Source: 00000001.00000002.4129498882.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
• Rule: Njrat, Description: detect njRAT in memory, Source: 00000001.00000002.4129498882.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 76%, ReversingLabs
Reputation: low
Has exited: false

Target ID: 2
Start time: 13:07:05
Start date: 18/10/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\user\Desktop\TLH3anP3lh.exe"
Imagebase: 0x7ff7d97a0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 13:07:05
Start date: 18/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 13:07:05
Start date: 18/10/2024
Path: C:\Windows\System32\choice.exe
Wow64 process (32bit): false
Commandline: choice /C Y /N /D Y /T 5
Imagebase: 0x7ff678a60000
File size: 35'840 bytes
MD5 hash: 1A9804F0C374283B094E9E55DC5EE128
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 8
Start time: 13:07:22
Start date: 18/10/2024
Path: C:\Users\user\AppData\Roaming\yzbekt.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Roaming\yzbekt.exe" ..
Imagebase: 0x840000
File size: 40'916 bytes
MD5 hash: 5A6E0971A54847D4CECC16BF7FA44BCA
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000008.00000002.1954529546.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000008.00000002.1954529546.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: njrat1, Description: Identify njRat, Source: 00000008.00000002.1954529546.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
• Rule: Njrat, Description: detect njRAT in memory, Source: 00000008.00000002.1954529546.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low
Has exited: true

Target ID: 9
Start time: 13:07:30
Start date: 18/10/2024
Path: C:\Users\user\AppData\Roaming\yzbekt.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Roaming\yzbekt.exe" ..
Imagebase: 0x7ff70f330000
File size: 40'916 bytes
MD5 hash: 5A6E0971A54847D4CECC16BF7FA44BCA
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 10
Start time: 13:07:38
Start date: 18/10/2024
Path: C:\Users\user\AppData\Roaming\yzbekt.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Roaming\yzbekt.exe" ..
Imagebase: 0x1f0000
File size: 40'916 bytes
MD5 hash: 5A6E0971A54847D4CECC16BF7FA44BCA
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1741902208.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b8d0000_TLH3anP3lh.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7111798a633b3ad88e83c0f2106123899e68fde2d5e05036d53de795966efa06
                                      • Instruction ID: 4055d0e1554890767f5a471023116b08ea21f9a00d20c54ffb41861a677716c2
                                      • Opcode Fuzzy Hash: 7111798a633b3ad88e83c0f2106123899e68fde2d5e05036d53de795966efa06
                                      • Instruction Fuzzy Hash: 4D02152072D64A4FF7299B2898716B537D0EF89319F1906BEE4CAC71E3E91CE5068711
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1741902208.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b8d0000_TLH3anP3lh.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4e7a04d08ec1b166e52a38f482a05cd7142894846ad9f02b4a175dec9a1c8f3a
                                      • Instruction ID: 0835e31a06516d4f01c82a722e17b85ec314ee80f771ad417f87acecd20c68ba
                                      • Opcode Fuzzy Hash: 4e7a04d08ec1b166e52a38f482a05cd7142894846ad9f02b4a175dec9a1c8f3a
                                      • Instruction Fuzzy Hash: 63E1C32171E7894FDB569B7888756B83BE1EF4A200F0A02FBD489CB1E3DE189905C351
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1741902208.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b8d0000_TLH3anP3lh.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0f63922badc160300d6b282b20b4905fcccd6be12352b46324814df961eafd6c
                                      • Instruction ID: c2ebe3c64db500639e2d5fedcdeac32606e59d059bc01d2e9276b859a0048ae6
                                      • Opcode Fuzzy Hash: 0f63922badc160300d6b282b20b4905fcccd6be12352b46324814df961eafd6c
                                      • Instruction Fuzzy Hash: 0EF18052E1FBC91FE753A73848315686FA29F97650B4A02EBE098CB1F7E8185D09C352
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1741902208.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b8d0000_TLH3anP3lh.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e647a50ba44a82eca300a2f66ec561e24c7efc37a51c801298d70859b469f8fe
                                      • Instruction ID: 5d03f257c8ea3807260d9dd2f4d3b18f471b59acf7508e5c4ab665f127a8ce10