Edit tour

Windows Analysis Report
QUuUm3J8x3.exe

Overview

General Information

Sample name:	QUuUm3J8x3.exe renamed because original name is a hash value
Original sample name:	b9f6511e03f2f4fa61d4fdb1964cae4f.exe
Analysis ID:	1365445
MD5:	b9f6511e03f2f4fa61d4fdb1964cae4f
SHA1:	ba42aa852a48f5449abd9c66f8a1d909a5c01618
SHA256:	c93ab6bb562f09706d141a4804e655fe92612a07bc3ab92bf1f6f7a7a9ef9dcc
Tags:	exenjratRAT
Infos:

Detection

Njrat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected Njrat

.NET source code contains potential unpacker

Connects to many ports of the same IP (likely port scanning)

Contains functionality to disable the Task Manager (.Net Source)

Contains functionality to spread to USB devices (.Net source)

Disables zone checking for all users

Drops PE files to the startup folder

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies the windows firewall

Uses netsh to modify the Windows network and firewall settings

Abnormal high CPU Usage

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May infect USB drives

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

QUuUm3J8x3.exe (PID: 6412 cmdline: C:\Users\user\Desktop\QUuUm3J8x3.exe MD5: B9F6511E03F2F4FA61D4FDB1964CAE4F)

server.exe (PID: 2452 cmdline: "C:\Users\user\AppData\Local\Temp\server.exe" MD5: B9F6511E03F2F4FA61D4FDB1964CAE4F)

netsh.exe (PID: 380 cmdline: netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe" "server.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

conhost.exe (PID: 3176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
NjRAT	RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.	AQUATIC PANDA Earth Lusca Operation C-Major The Gorgon Group	http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/ http://blogs.360.cn/post/analysis-of-apt-c-37.html http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/ https://asec.ahnlab.com/1369	https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Malware Configuration

Threatname: Njrat

{"Campaign ID": "HacKed", "Version": "0.7d", "Install Name": "444e796bc07d74246f430e63450f384a", "Install Dir": "Adobe Update", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Network Seprator": "|'|'|"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
QUuUm3J8x3.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
QUuUm3J8x3.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x115d2:$a1: get_Registry 0x159fd:$a2: SEE_MASK_NOZONECHECKS 0x1569f:$a3: Download ERROR 0x15c4f:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13bdc:$a5: netsh firewall delete allowedprogram "
QUuUm3J8x3.exe	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x15c4f:$x1: cmd.exe /c ping 0 -n 2 & del " 0x13768:$s1: winmgmts:\\.\root\SecurityCenter2 0x156bd:$s3: Executed As 0x124f0:$s5: Stub.exe 0x1569f:$s6: Download ERROR 0x1372a:$s8: Select * From AntiVirusProduct
QUuUm3J8x3.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x159fd:$reg: SEE_MASK_NOZONECHECKS 0x15683:$msg: Execute ERROR 0x156d7:$msg: Execute ERROR 0x15c4f:$ping: cmd.exe /c ping 0 -n 2 & del
QUuUm3J8x3.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13bdc:$s1: netsh firewall delete allowedprogram 0x13c2e:$s2: netsh firewall add allowedprogram 0x15c4f:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x15683:$s4: Execute ERROR 0x156d7:$s4: Execute ERROR 0x1569f:$s5: Download ERROR

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x115d2:$a1: get_Registry 0x159fd:$a2: SEE_MASK_NOZONECHECKS 0x1569f:$a3: Download ERROR 0x15c4f:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13bdc:$a5: netsh firewall delete allowedprogram "
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x15c4f:$x1: cmd.exe /c ping 0 -n 2 & del " 0x13768:$s1: winmgmts:\\.\root\SecurityCenter2 0x156bd:$s3: Executed As 0x124f0:$s5: Stub.exe 0x1569f:$s6: Download ERROR 0x1372a:$s8: Select * From AntiVirusProduct
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x159fd:$reg: SEE_MASK_NOZONECHECKS 0x15683:$msg: Execute ERROR 0x156d7:$msg: Execute ERROR 0x15c4f:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13bdc:$s1: netsh firewall delete allowedprogram 0x13c2e:$s2: netsh firewall add allowedprogram 0x15c4f:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x15683:$s4: Execute ERROR 0x156d7:$s4: Execute ERROR 0x1569f:$s5: Download ERROR
C:\Users\user\AppData\Local\Temp\server.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Users\user\AppData\Local\Temp\server.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x115d2:$a1: get_Registry 0x159fd:$a2: SEE_MASK_NOZONECHECKS 0x1569f:$a3: Download ERROR 0x15c4f:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13bdc:$a5: netsh firewall delete allowedprogram "
C:\Users\user\AppData\Local\Temp\server.exe	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x15c4f:$x1: cmd.exe /c ping 0 -n 2 & del " 0x13768:$s1: winmgmts:\\.\root\SecurityCenter2 0x156bd:$s3: Executed As 0x124f0:$s5: Stub.exe 0x1569f:$s6: Download ERROR 0x1372a:$s8: Select * From AntiVirusProduct
C:\Users\user\AppData\Local\Temp\server.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x159fd:$reg: SEE_MASK_NOZONECHECKS 0x15683:$msg: Execute ERROR 0x156d7:$msg: Execute ERROR 0x15c4f:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Users\user\AppData\Local\Temp\server.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13bdc:$s1: netsh firewall delete allowedprogram 0x13c2e:$s2: netsh firewall add allowedprogram 0x15c4f:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x15683:$s4: Execute ERROR 0x156d7:$s4: Execute ERROR 0x1569f:$s5: Download ERROR
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\444e796bc07d74246f430e63450f384ascvhost.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\444e796bc07d74246f430e63450f384ascvhost.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x115d2:$a1: get_Registry 0x159fd:$a2: SEE_MASK_NOZONECHECKS 0x1569f:$a3: Download ERROR 0x15c4f:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13bdc:$a5: netsh firewall delete allowedprogram "
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\444e796bc07d74246f430e63450f384ascvhost.exe	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x15c4f:$x1: cmd.exe /c ping 0 -n 2 & del " 0x13768:$s1: winmgmts:\\.\root\SecurityCenter2 0x156bd:$s3: Executed As 0x124f0:$s5: Stub.exe 0x1569f:$s6: Download ERROR 0x1372a:$s8: Select * From AntiVirusProduct
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\444e796bc07d74246f430e63450f384ascvhost.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x159fd:$reg: SEE_MASK_NOZONECHECKS 0x15683:$msg: Execute ERROR 0x156d7:$msg: Execute ERROR 0x15c4f:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\444e796bc07d74246f430e63450f384ascvhost.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13bdc:$s1: netsh firewall delete allowedprogram 0x13c2e:$s2: netsh firewall add allowedprogram 0x15c4f:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x15683:$s4: Execute ERROR 0x156d7:$s4: Execute ERROR 0x1569f:$s5: Download ERROR
Click to see the 10 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1968331201.00000000008C2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000000.1968331201.00000000008C2000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x113d2:$a1: get_Registry 0x157fd:$a2: SEE_MASK_NOZONECHECKS 0x1549f:$a3: Download ERROR 0x15a4f:$a4: cmd.exe /c ping 0 -n 2 & del " 0x139dc:$a5: netsh firewall delete allowedprogram "
00000000.00000000.1968331201.00000000008C2000.00000002.00000001.01000000.00000003.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x157fd:$reg: SEE_MASK_NOZONECHECKS 0x15483:$msg: Execute ERROR 0x154d7:$msg: Execute ERROR 0x15a4f:$ping: cmd.exe /c ping 0 -n 2 & del
00000000.00000002.1988085134.0000000003EE8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000002.1988085134.0000000003EE8000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x115f2:$a1: get_Registry 0x15a1d:$a2: SEE_MASK_NOZONECHECKS 0x156bf:$a3: Download ERROR 0x15c6f:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13bfc:$a5: netsh firewall delete allowedprogram "
00000000.00000002.1988085134.0000000003EE8000.00000004.00000800.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x15a1d:$reg: SEE_MASK_NOZONECHECKS 0x156a3:$msg: Execute ERROR 0x156f7:$msg: Execute ERROR 0x15c6f:$ping: cmd.exe /c ping 0 -n 2 & del
00000002.00000002.4425655282.0000000003551000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: QUuUm3J8x3.exe PID: 6412	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: server.exe PID: 2452	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.QUuUm3J8x3.exe.8c0000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.0.QUuUm3J8x3.exe.8c0000.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x115d2:$a1: get_Registry 0x159fd:$a2: SEE_MASK_NOZONECHECKS 0x1569f:$a3: Download ERROR 0x15c4f:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13bdc:$a5: netsh firewall delete allowedprogram "
0.0.QUuUm3J8x3.exe.8c0000.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x15c4f:$x1: cmd.exe /c ping 0 -n 2 & del " 0x13768:$s1: winmgmts:\\.\root\SecurityCenter2 0x156bd:$s3: Executed As 0x124f0:$s5: Stub.exe 0x1569f:$s6: Download ERROR 0x1372a:$s8: Select * From AntiVirusProduct
0.0.QUuUm3J8x3.exe.8c0000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x159fd:$reg: SEE_MASK_NOZONECHECKS 0x15683:$msg: Execute ERROR 0x156d7:$msg: Execute ERROR 0x15c4f:$ping: cmd.exe /c ping 0 -n 2 & del
0.0.QUuUm3J8x3.exe.8c0000.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13bdc:$s1: netsh firewall delete allowedprogram 0x13c2e:$s2: netsh firewall add allowedprogram 0x15c4f:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x15683:$s4: Execute ERROR 0x156d7:$s4: Execute ERROR 0x1569f:$s5: Download ERROR

Snort Signatures

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.5 - Destination IP: 18.197.239.5

Timestamp:	192.168.2.518.197.239.549722124602814860 12/21/23-08:23:50.144704
SID:	2814860
Source Port:	49722
Destination Port:	12460
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.5 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.53.127.138.5749723124602033132 12/21/23-08:24:22.443531
SID:	2033132
Source Port:	49723
Destination Port:	12460
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.5 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.53.127.138.5749724124602033132 12/21/23-08:24:28.186519
SID:	2033132
Source Port:	49724
Destination Port:	12460
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.5 - Destination IP: 18.192.93.86

Timestamp:	192.168.2.518.192.93.8649727124602814856 12/21/23-08:25:32.396830
SID:	2814856
Source Port:	49727
Destination Port:	12460
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.5 - Destination IP: 18.192.93.86

Timestamp:	192.168.2.518.192.93.8649728124602814856 12/21/23-08:25:42.081730
SID:	2814856
Source Port:	49728
Destination Port:	12460
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.5 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.53.127.138.5749725124602033132 12/21/23-08:24:57.473768
SID:	2033132
Source Port:	49725
Destination Port:	12460
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.5 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.53.127.138.5749705124602825564 12/21/23-08:22:14.988164
SID:	2825564
Source Port:	49705
Destination Port:	12460
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.5 - Destination IP: 18.197.239.5

Timestamp:	192.168.2.518.197.239.549722124602825564 12/21/23-08:23:50.144704
SID:	2825564
Source Port:	49722
Destination Port:	12460
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.5 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.53.127.138.5749725124602825564 12/21/23-08:25:04.347657
SID:	2825564
Source Port:	49725
Destination Port:	12460
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.5 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.53.127.138.5749726124602825564 12/21/23-08:25:12.545144
SID:	2825564
Source Port:	49726
Destination Port:	12460
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.5 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.53.127.138.5749714124602814856 12/21/23-08:22:35.251444
SID:	2814856
Source Port:	49714
Destination Port:	12460
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.5 - Destination IP: 18.197.239.5

Timestamp:	192.168.2.518.197.239.549720124602814856 12/21/23-08:23:26.504306
SID:	2814856
Source Port:	49720
Destination Port:	12460
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.5 - Destination IP: 18.197.239.5

Timestamp:	192.168.2.518.197.239.549721124602814856 12/21/23-08:23:38.022410
SID:	2814856
Source Port:	49721
Destination Port:	12460
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.5 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.53.127.138.5749723124602825564 12/21/23-08:24:25.802640
SID:	2825564
Source Port:	49723
Destination Port:	12460
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.5 - Destination IP: 18.197.239.5

Timestamp:	192.168.2.518.197.239.549722124602814856 12/21/23-08:23:47.925511
SID:	2814856
Source Port:	49722
Destination Port:	12460
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.5 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.53.127.138.5749715124602814856 12/21/23-08:22:42.115347
SID:	2814856
Source Port:	49715
Destination Port:	12460
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.5 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.53.127.138.5749724124602825564 12/21/23-08:24:29.378929
SID:	2825564
Source Port:	49724
Destination Port:	12460
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.5 - Destination IP: 18.192.93.86

Timestamp:	192.168.2.518.192.93.8649728124602825564 12/21/23-08:25:44.765776
SID:	2825564
Source Port:	49728
Destination Port:	12460
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.5 - Destination IP: 18.192.93.86

Timestamp:	192.168.2.518.192.93.8649727124602825564 12/21/23-08:25:35.257122
SID:	2825564
Source Port:	49727
Destination Port:	12460
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.5 - Destination IP: 18.197.239.5

Timestamp:	192.168.2.518.197.239.549719124602033132 12/21/23-08:23:16.402874
SID:	2033132
Source Port:	49719
Destination Port:	12460
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.5 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.53.127.138.5749723124602814856 12/21/23-08:24:22.684180
SID:	2814856
Source Port:	49723
Destination Port:	12460
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.5 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.53.127.138.5749714124602033132 12/21/23-08:22:35.011872
SID:	2033132
Source Port:	49714
Destination Port:	12460
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.5 - Destination IP: 18.197.239.5

Timestamp:	192.168.2.518.197.239.549717124602033132 12/21/23-08:23:09.738672
SID:	2033132
Source Port:	49717
Destination Port:	12460
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.5 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.53.127.138.5749715124602825564 12/21/23-08:22:45.323315
SID:	2825564
Source Port:	49715
Destination Port:	12460
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.5 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.53.127.138.5749724124602814856 12/21/23-08:24:28.428947
SID:	2814856
Source Port:	49724
Destination Port:	12460
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.5 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.53.127.138.5749704124602814856 12/21/23-08:22:00.806810
SID:	2814856
Source Port:	49704
Destination Port:	12460
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.5 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.53.127.138.5749725124602814856 12/21/23-08:24:57.714176
SID:	2814856
Source Port:	49725
Destination Port:	12460
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.5 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.53.127.138.5749714124602825564 12/21/23-08:22:39.068500
SID:	2825564
Source Port:	49714
Destination Port:	12460
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.5 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.53.127.138.5749705124602814856 12/21/23-08:22:07.582838
SID:	2814856
Source Port:	49705
Destination Port:	12460
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.5 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.53.127.138.5749726124602814856 12/21/23-08:25:07.565443
SID:	2814856
Source Port:	49726
Destination Port:	12460
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.5 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.53.127.138.5749725124602814860 12/21/23-08:25:04.347657
SID:	2814860
Source Port:	49725
Destination Port:	12460
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.5 - Destination IP: 18.192.93.86

Timestamp:	192.168.2.518.192.93.8649727124602814860 12/21/23-08:25:35.257122
SID:	2814860
Source Port:	49727
Destination Port:	12460
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.5 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.53.127.138.5749705124602814860 12/21/23-08:22:14.988164
SID:	2814860
Source Port:	49705
Destination Port:	12460
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.5 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.53.127.138.5749714124602814860 12/21/23-08:22:39.068500
SID:	2814860
Source Port:	49714
Destination Port:	12460
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.5 - Destination IP: 18.192.93.86

Timestamp:	192.168.2.518.192.93.8649728124602814860 12/21/23-08:25:44.765776
SID:	2814860
Source Port:	49728
Destination Port:	12460
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.5 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.53.127.138.5749726124602814860 12/21/23-08:25:12.545144
SID:	2814860
Source Port:	49726
Destination Port:	12460
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.5 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.53.127.138.5749715124602814860 12/21/23-08:22:45.323315
SID:	2814860
Source Port:	49715
Destination Port:	12460
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.5 - Destination IP: 18.197.239.5

Timestamp:	192.168.2.518.197.239.549717124602814856 12/21/23-08:23:09.978056
SID:	2814856
Source Port:	49717
Destination Port:	12460
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.5 - Destination IP: 18.197.239.5

Timestamp:	192.168.2.518.197.239.549721124602033132 12/21/23-08:23:37.781323
SID:	2033132
Source Port:	49721
Destination Port:	12460
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.5 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.53.127.138.5749723124602814860 12/21/23-08:24:25.802640
SID:	2814860
Source Port:	49723
Destination Port:	12460
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.5 - Destination IP: 18.197.239.5

Timestamp:	192.168.2.518.197.239.549720124602033132 12/21/23-08:23:26.263437
SID:	2033132
Source Port:	49720
Destination Port:	12460
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.5 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.53.127.138.5749724124602814860 12/21/23-08:24:29.378929
SID:	2814860
Source Port:	49724
Destination Port:	12460
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.5 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.53.127.138.5749704124602033132 12/21/23-08:22:00.564694
SID:	2033132
Source Port:	49704
Destination Port:	12460
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.5 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.53.127.138.5749715124602033132 12/21/23-08:22:41.875520
SID:	2033132
Source Port:	49715
Destination Port:	12460
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.5 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.53.127.138.5749726124602033132 12/21/23-08:25:07.325936
SID:	2033132
Source Port:	49726
Destination Port:	12460
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.5 - Destination IP: 3.127.138.57

Timestamp:	192.168.2.53.127.138.5749705124602033132 12/21/23-08:22:07.341922
SID:	2033132
Source Port:	49705
Destination Port:	12460
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.5 - Destination IP: 18.197.239.5

Timestamp:	192.168.2.518.197.239.549722124602033132 12/21/23-08:23:47.684823
SID:	2033132
Source Port:	49722
Destination Port:	12460
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.5 - Destination IP: 18.192.93.86

Timestamp:	192.168.2.518.192.93.8649728124602033132 12/21/23-08:25:41.841463
SID:	2033132
Source Port:	49728
Destination Port:	12460
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.5 - Destination IP: 18.192.93.86

Timestamp:	192.168.2.518.192.93.8649727124602033132 12/21/23-08:25:32.154857
SID:	2033132
Source Port:	49727
Destination Port:	12460
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.5 - Destination IP: 18.197.239.5

Timestamp:	192.168.2.518.197.239.549719124602814856 12/21/23-08:23:16.645108
SID:	2814856
Source Port:	49719
Destination Port:	12460
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: QUuUm3J8x3.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\444e796bc07d74246f430e63450f384ascvhost.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Temp\server.exe	Avira: detection malicious, Label: TR/Dropper.Gen

Found malware configuration

Source: 0.0.QUuUm3J8x3.exe.8c0000.0.unpack

Malware Configuration Extractor: Njrat {"Campaign ID": "HacKed", "Version": "0.7d", "Install Name": "444e796bc07d74246f430e63450f384a", "Install Dir": "Adobe Update", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Network Seprator": "|'|'|"}

Multi AV Scanner detection for domain / URL

Source: 2.tcp.eu.ngrok.io

Virustotal: Detection: 12%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\server.exe	ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\server.exe	Virustotal: Detection: 81%	Perma Link
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\444e796bc07d74246f430e63450f384ascvhost.exe	ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\444e796bc07d74246f430e63450f384ascvhost.exe	Virustotal: Detection: 81%	Perma Link
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe	ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe	Virustotal: Detection: 81%	Perma Link

Multi AV Scanner detection for submitted file

Source: QUuUm3J8x3.exe	ReversingLabs: Detection: 83%
Source: QUuUm3J8x3.exe	Virustotal: Detection: 75%			Perma Link

Yara detected Njrat

Source: Yara match	File source: QUuUm3J8x3.exe, type: SAMPLE
Source: Yara match	File source: 0.0.QUuUm3J8x3.exe.8c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1968331201.00000000008C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1988085134.0000000003EE8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4425655282.0000000003551000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUuUm3J8x3.exe PID: 6412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server.exe PID: 2452, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\444e796bc07d74246f430e63450f384ascvhost.exe, type: DROPPED

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\444e796bc07d74246f430e63450f384ascvhost.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\server.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: QUuUm3J8x3.exe

Joe Sandbox ML: detected

Source: QUuUm3J8x3.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\QUuUm3J8x3.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: QUuUm3J8x3.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Spreading

Contains functionality to spread to USB devices (.Net source)

Source: QUuUm3J8x3.exe, Usb1.cs	.Net Code: infect
Source: server.exe.0.dr, Usb1.cs	.Net Code: infect
Source: scvhost.exe.2.dr, Usb1.cs	.Net Code: infect
Source: 444e796bc07d74246f430e63450f384ascvhost.exe.2.dr, Usb1.cs	.Net Code: infect

Source: QUuUm3J8x3.exe, 00000000.00000000.1968331201.00000000008C2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: \autorun.inf
Source: QUuUm3J8x3.exe, 00000000.00000000.1968331201.00000000008C2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: [autorun]
Source: QUuUm3J8x3.exe, 00000000.00000000.1968331201.00000000008C2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: autorun.inf
Source: QUuUm3J8x3.exe, 00000000.00000002.1988085134.0000000003EE8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \autorun.inf
Source: QUuUm3J8x3.exe, 00000000.00000002.1988085134.0000000003EE8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: QUuUm3J8x3.exe, 00000000.00000002.1988085134.0000000003EE8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: QUuUm3J8x3.exe	Binary or memory string: \autorun.inf
Source: QUuUm3J8x3.exe	Binary or memory string: [autorun]
Source: QUuUm3J8x3.exe	Binary or memory string: autorun.inf
Source: 444e796bc07d74246f430e63450f384ascvhost.exe.2.dr	Binary or memory string: \autorun.inf
Source: 444e796bc07d74246f430e63450f384ascvhost.exe.2.dr	Binary or memory string: [autorun]
Source: 444e796bc07d74246f430e63450f384ascvhost.exe.2.dr	Binary or memory string: autorun.inf
Source: scvhost.exe.2.dr	Binary or memory string: \autorun.inf
Source: scvhost.exe.2.dr	Binary or memory string: [autorun]
Source: scvhost.exe.2.dr	Binary or memory string: autorun.inf
Source: server.exe.0.dr	Binary or memory string: \autorun.inf
Source: server.exe.0.dr	Binary or memory string: [autorun]
Source: server.exe.0.dr	Binary or memory string: autorun.inf

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49704 -> 3.127.138.57:12460
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49704 -> 3.127.138.57:12460
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49705 -> 3.127.138.57:12460
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49705 -> 3.127.138.57:12460
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.5:49705 -> 3.127.138.57:12460
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.5:49705 -> 3.127.138.57:12460
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49714 -> 3.127.138.57:12460
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49714 -> 3.127.138.57:12460
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.5:49714 -> 3.127.138.57:12460
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.5:49714 -> 3.127.138.57:12460
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49715 -> 3.127.138.57:12460
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49715 -> 3.127.138.57:12460
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.5:49715 -> 3.127.138.57:12460
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.5:49715 -> 3.127.138.57:12460
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49717 -> 18.197.239.5:12460
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49717 -> 18.197.239.5:12460
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49719 -> 18.197.239.5:12460
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49719 -> 18.197.239.5:12460
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49720 -> 18.197.239.5:12460
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49720 -> 18.197.239.5:12460
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49721 -> 18.197.239.5:12460
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49721 -> 18.197.239.5:12460
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49722 -> 18.197.239.5:12460
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49722 -> 18.197.239.5:12460
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.5:49722 -> 18.197.239.5:12460
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.5:49722 -> 18.197.239.5:12460
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49723 -> 3.127.138.57:12460
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49723 -> 3.127.138.57:12460
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.5:49723 -> 3.127.138.57:12460
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.5:49723 -> 3.127.138.57:12460
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49724 -> 3.127.138.57:12460
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49724 -> 3.127.138.57:12460
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.5:49724 -> 3.127.138.57:12460
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.5:49724 -> 3.127.138.57:12460
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49725 -> 3.127.138.57:12460
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49725 -> 3.127.138.57:12460
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.5:49725 -> 3.127.138.57:12460
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.5:49725 -> 3.127.138.57:12460
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49726 -> 3.127.138.57:12460
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49726 -> 3.127.138.57:12460
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.5:49726 -> 3.127.138.57:12460
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.5:49726 -> 3.127.138.57:12460
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49727 -> 18.192.93.86:12460
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49727 -> 18.192.93.86:12460
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.5:49727 -> 18.192.93.86:12460
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.5:49727 -> 18.192.93.86:12460
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49728 -> 18.192.93.86:12460
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49728 -> 18.192.93.86:12460
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.5:49728 -> 18.192.93.86:12460
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.5:49728 -> 18.192.93.86:12460

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 3.127.138.57 ports 12460,0,1,2,4,6
Source: global traffic	TCP traffic: 18.192.93.86 ports 12460,0,1,2,4,6
Source: global traffic	TCP traffic: 18.197.239.5 ports 12460,0,1,2,4,6

Source: global traffic	TCP traffic: 192.168.2.5:49704 -> 3.127.138.57:12460
Source: global traffic	TCP traffic: 192.168.2.5:49717 -> 18.197.239.5:12460
Source: global traffic	TCP traffic: 192.168.2.5:49727 -> 18.192.93.86:12460

Source: Joe Sandbox View	IP Address: 3.127.138.57 3.127.138.57
Source: Joe Sandbox View	IP Address: 18.192.93.86 18.192.93.86

Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: 2.tcp.eu.ngrok.io

Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior

E-Banking Fraud

Yara detected Njrat

Source: Yara match	File source: QUuUm3J8x3.exe, type: SAMPLE
Source: Yara match	File source: 0.0.QUuUm3J8x3.exe.8c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1968331201.00000000008C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1988085134.0000000003EE8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4425655282.0000000003551000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUuUm3J8x3.exe PID: 6412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server.exe PID: 2452, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\444e796bc07d74246f430e63450f384ascvhost.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: QUuUm3J8x3.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: QUuUm3J8x3.exe, type: SAMPLE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: QUuUm3J8x3.exe, type: SAMPLE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: QUuUm3J8x3.exe, type: SAMPLE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.0.QUuUm3J8x3.exe.8c0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.0.QUuUm3J8x3.exe.8c0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.0.QUuUm3J8x3.exe.8c0000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.QUuUm3J8x3.exe.8c0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000000.00000000.1968331201.00000000008C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000000.1968331201.00000000008C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1988085134.0000000003EE8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000002.1988085134.0000000003EE8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe, type: DROPPED	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe, type: DROPPED	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\444e796bc07d74246f430e63450f384ascvhost.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\444e796bc07d74246f430e63450f384ascvhost.exe, type: DROPPED	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\444e796bc07d74246f430e63450f384ascvhost.exe, type: DROPPED	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\444e796bc07d74246f430e63450f384ascvhost.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen

Source: C:\Users\user\AppData\Local\Temp\server.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	Code function: 0_2_05094298	0_2_05094298
Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	Code function: 0_2_0509470F	0_2_0509470F
Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	Code function: 0_2_0509499D	0_2_0509499D
Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	Code function: 0_2_05094630	0_2_05094630
Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	Code function: 0_2_05094936	0_2_05094936
Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	Code function: 0_2_05094544	0_2_05094544
Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	Code function: 0_2_05094B5B	0_2_05094B5B
Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	Code function: 0_2_050947D4	0_2_050947D4
Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	Code function: 0_2_05094269	0_2_05094269
Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	Code function: 0_2_050949F9	0_2_050949F9
Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	Code function: 0_2_050944F1	0_2_050944F1
Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	Code function: 0_2_05094C8F	0_2_05094C8F
Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	Code function: 0_2_05095000	0_2_05095000
Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	Code function: 0_2_05094F9D	0_2_05094F9D
Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	Code function: 0_2_05094F2F	0_2_05094F2F
Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	Code function: 0_2_05095459	0_2_05095459
Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	Code function: 0_2_0509505D	0_2_0509505D
Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	Code function: 0_2_0509536F	0_2_0509536F
Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	Code function: 0_2_050950E3	0_2_050950E3
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 2_2_0175C0B0	2_2_0175C0B0
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 2_2_05714298	2_2_05714298
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 2_2_05714B5B	2_2_05714B5B
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 2_2_05714544	2_2_05714544
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 2_2_05714630	2_2_05714630
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 2_2_05714936	2_2_05714936
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 2_2_0571470F	2_2_0571470F
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 2_2_057144F1	2_2_057144F1
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 2_2_057149F9	2_2_057149F9
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 2_2_057147D4	2_2_057147D4
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 2_2_0571499D	2_2_0571499D
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 2_2_05714287	2_2_05714287

Source: QUuUm3J8x3.exe, 00000000.00000002.1987247655.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenamemscorwks.dllT vs QUuUm3J8x3.exe

Source: QUuUm3J8x3.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: QUuUm3J8x3.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: QUuUm3J8x3.exe, type: SAMPLE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: QUuUm3J8x3.exe, type: SAMPLE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: QUuUm3J8x3.exe, type: SAMPLE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.0.QUuUm3J8x3.exe.8c0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.0.QUuUm3J8x3.exe.8c0000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.QUuUm3J8x3.exe.8c0000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.0.QUuUm3J8x3.exe.8c0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000000.00000000.1968331201.00000000008C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000000.1968331201.00000000008C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000002.1988085134.0000000003EE8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000002.1988085134.0000000003EE8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe, type: DROPPED	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe, type: DROPPED	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\444e796bc07d74246f430e63450f384ascvhost.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\444e796bc07d74246f430e63450f384ascvhost.exe, type: DROPPED	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\444e796bc07d74246f430e63450f384ascvhost.exe, type: DROPPED	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\444e796bc07d74246f430e63450f384ascvhost.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi

Source: classification engine

Classification label: mal100.spre.phis.troj.adwa.evad.winEXE@6/6@4/3

Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 2_2_05ED26AE AdjustTokenPrivileges,		2_2_05ED26AE
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 2_2_05ED2677 AdjustTokenPrivileges,		2_2_05ED2677

Source: C:\Users\user\Desktop\QUuUm3J8x3.exe

File created: C:\Users\user\AppData\Roaming\app

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\server.exe	Mutant created: \Sessions\1\BaseNamedObjects\444e796bc07d74246f430e63450f384a
Source: C:\Users\user\AppData\Local\Temp\server.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3176:120:WilError_03

Source: C:\Users\user\Desktop\QUuUm3J8x3.exe

File created: C:\Users\user\AppData\Local\Temp\FransescoPast.txt

Jump to behavior

Source: QUuUm3J8x3.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: QUuUm3J8x3.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\276d7f4a20a3c21c3bf6fc9bfc1915a2\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\276d7f4a20a3c21c3bf6fc9bfc1915a2\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Users\user\Desktop\QUuUm3J8x3.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\QUuUm3J8x3.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: QUuUm3J8x3.exe	ReversingLabs: Detection: 83%
Source: QUuUm3J8x3.exe	Virustotal: Detection: 75%

Source: C:\Users\user\Desktop\QUuUm3J8x3.exe

File read: C:\Users\user\Desktop\QUuUm3J8x3.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\QUuUm3J8x3.exe C:\Users\user\Desktop\QUuUm3J8x3.exe
Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	Process created: C:\Users\user\AppData\Local\Temp\server.exe "C:\Users\user\AppData\Local\Temp\server.exe"
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	Process created: C:\Users\user\AppData\Local\Temp\server.exe "C:\Users\user\AppData\Local\Temp\server.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe" "server.exe" ENABLE	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\server.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\QUuUm3J8x3.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: QUuUm3J8x3.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\QUuUm3J8x3.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: QUuUm3J8x3.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: QUuUm3J8x3.exe, Fransesco.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: server.exe.0.dr, Fransesco.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: scvhost.exe.2.dr, Fransesco.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: 444e796bc07d74246f430e63450f384ascvhost.exe.2.dr, Fransesco.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\AppData\Local\Temp\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\444e796bc07d74246f430e63450f384ascvhost.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	File created: C:\Users\user\AppData\Local\Temp\server.exe	Jump to dropped file

Boot Survival

Drops PE files to the startup folder

Source: C:\Users\user\AppData\Local\Temp\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\444e796bc07d74246f430e63450f384ascvhost.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\server.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\444e796bc07d74246f430e63450f384ascvhost.exe			Jump to behavior

Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUuUm3J8x3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\QUuUm3J8x3.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\server.exe	Window / User API: threadDelayed 661	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Window / User API: threadDelayed 2217	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Window / User API: threadDelayed 6502	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Window / User API: foregroundWindowGot 748	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Window / User API: foregroundWindowGot 727	Jump to behavior

Source: C:\Users\user\Desktop\QUuUm3J8x3.exe TID: 6984	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe TID: 6164	Thread sleep count: 661 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe TID: 6164	Thread sleep time: -66100s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe TID: 2884	Thread sleep count: 2217 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe TID: 2884	Thread sleep time: -2217000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe TID: 2884	Thread sleep count: 6502 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe TID: 2884	Thread sleep time: -6502000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\QUuUm3J8x3.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: QUuUm3J8x3.exe, 00000000.00000002.1987247655.0000000001011000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: }\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: server.exe, 00000002.00000002.4425137302.0000000001428000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllW
Source: server.exe, 00000002.00000002.4425137302.0000000001428000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW="wsHttpContex
Source: netsh.exe, 00000003.00000003.2004965435.0000000000531000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Local\Temp\server.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\QUuUm3J8x3.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\QUuUm3J8x3.exe

Process created: C:\Users\user\AppData\Local\Temp\server.exe "C:\Users\user\AppData\Local\Temp\server.exe"

Jump to behavior

Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 11:14:24 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 03:19:36 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/31 \| 03:05:08 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/06 \| 15:40:58 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 21:09:24 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 07:22:14 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 12:22:28 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 05:58:13 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/26 \| 19:01:47 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 22:53:29 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 22:17:28 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 05:48:54 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 11:50:25 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 00:34:22 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 07:07:37 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 01:42:26 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 23:40:09 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 00:08:56 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 11:09:06 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 03:24:54 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/31 \| 03:10:26 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 22:22:46 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/24 \| 14:20:45 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 22:32:05 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 01:26:19 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 10:58:27 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 21:24:01 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 06:14:10 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 23:10:56 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 07:12:55 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/04 \| 11:00:00 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 22:12:11 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/24 \| 14:15:27 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 04:06:16 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 22:02:52 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 07:06:07 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 06:04:51 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 01:06:25 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 04:53:06 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/22 \| 09:36:15 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 01:37:08 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 10:47:38 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 23:58:36 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 23:41:39 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 06:19:27 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/04 \| 10:44:03 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 00:19:45 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 03:03:30 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 06:34:04 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 22:18:58 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 06:46:23 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 05:59:43 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 22:28:17 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 22:01:22 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 06:40:52 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 07:11:25 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 10:52:56 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 12:33:17 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 06:03:21 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 06:50:11 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 03:51:50 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 06:51:41 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/24 \| 13:38:06 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 01:53:15 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 05:27:30 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 01:43:56 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 21:25:31 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 03:45:02 - Program Manager
Source: server.exe, 00000002.00000002.4425655282.0000000003619000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4425655282.0000000003A01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/22 \| 07:02:56 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 03:35:43 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 22:33:35 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 04:23:53 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 03:02:00 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 12:39:25 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 20:05:47 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 04:33:12 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/22 \| 09:16:21 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 04:00:45 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/06 \| 15:46:29 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 01:28:40 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 03:46:32 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 03:23:24 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 10:54:40 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 10:46:08 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/26 \| 18:56:39 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 02:36:44 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 22:55:50 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 02:30:36 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 03:44:48 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 02:46:03 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 07:03:50 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 05:16:41 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 11:46:37 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/24 \| 14:40:39 - Program Manager
Source: server.exe, 00000002.00000002.4425655282.0000000003619000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4425655282.0000000003A01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/22 \| 08:27:57 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 23:26:23 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 05:26:00 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 01:22:32 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 22:06:39 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 22:39:06 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 00:02:48 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 06:08:38 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 20:00:30 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 22:29:47 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 00:43:27 - Program Manager
Source: server.exe, 00000002.00000002.4425655282.0000000003619000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4425655282.0000000003A01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/22 \| 08:22:40 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 05:51:12 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 21:29:18 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 11:24:59 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 12:19:31 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 02:58:22 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 11:34:18 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 23:20:15 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 06:55:28 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 03:01:09 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 11:03:35 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 23:32:34 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 03:07:17 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 03:09:01 - Program Manager
Source: server.exe, 00000002.00000002.4425655282.0000000003619000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4425655282.0000000003A01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/22 \| 07:19:16 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 02:36:07 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 00:55:46 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 02:26:48 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 22:59:37 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 22:08:23 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 01:28:03 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 11:56:33 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/31 \| 03:28:53 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/24 \| 14:26:16 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 05:25:09 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 00:22:03 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 00:39:39 - Program Manager
Source: server.exe, 00000002.00000002.4425655282.0000000003619000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4425655282.0000000003A01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/21 \| 08:22:53 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/02 \| 07:14:15 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 01:20:48 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 21:19:59 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 21:45:25 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 21:02:23 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 05:47:24 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/22 \| 10:02:41 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 05:31:57 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 00:12:44 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 22:10:27 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 05:41:16 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 06:12:26 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 02:55:08 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 05:04:22 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 11:25:50 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 23:36:58 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 07:01:29 - Program Manager
Source: server.exe, 00000002.00000002.4425655282.0000000003619000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4425655282.0000000003A01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/22 \| 07:40:41 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 12:09:35 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 00:13:37 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 21:40:47 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 23:46:17 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 10:52:19 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 00:01:55 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 03:11:05 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 22:28:54 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 00:11:14 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 22:38:13 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 02:03:01 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/04 \| 11:33:43 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 21:50:06 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/02 \| 07:08:04 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 01:49:27 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 01:37:45 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/26 \| 19:18:07 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 23:43:23 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 00:39:00 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 04:29:24 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/26 \| 19:08:48 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 12:33:54 - Program Manager
Source: server.exe, 00000002.00000002.4425655282.0000000003619000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4425655282.0000000003A01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/22 \| 08:12:44 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 04:00:08 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 02:45:49 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 23:31:41 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 05:41:53 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 01:47:04 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 05:37:28 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/02 \| 07:18:39 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 05:17:34 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 21:23:47 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 01:54:45 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 23:07:22 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 21:33:06 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 04:09:30 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 05:24:16 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 00:46:41 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 00:00:25 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 00:56:00 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 22:22:09 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 12:34:47 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 23:11:10 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 07:17:33 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 11:36:02 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 06:40:15 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 23:01:51 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 05:09:39 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 06:30:56 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 21:03:16 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 05:32:11 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 02:16:13 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 21:04:46 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 03:14:58 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 05:57:59 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 21:14:05 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 11:26:43 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 03:24:17 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 23:20:52 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 04:16:12 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/22 \| 09:37:45 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 05:14:57 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/22 \| 09:47:04 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 02:08:18 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 11:41:20 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 11:04:28 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 04:06:53 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 01:07:55 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 03:35:06 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 01:41:33 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 01:17:14 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 03:25:47 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 02:15:59 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 02:27:02 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 21:36:59 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 02:25:18 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 02:17:43 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 11:29:37 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 05:52:42 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 22:44:24 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 03:34:50 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 19:34:04 - Program Manager
Source: server.exe, 00000002.00000002.4425655282.0000000003619000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4425655282.0000000003A01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/22 \| 07:42:05 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 21:34:36 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 05:28:23 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 11:05:58 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 00:09:10 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 05:13:27 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 12:36:31 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 02:53:44 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 04:05:23 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 05:50:58 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/24 \| 14:29:30 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 01:56:09 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 06:23:15 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 23:52:28 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 02:20:01 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 11:51:18 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 06:45:30 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 12:02:34 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 03:18:06 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 10:57:34 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 02:51:21 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 03:08:47 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 23:00:21 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 07:29:15 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 02:02:47 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/22 \| 09:03:48 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 12:08:05 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 23:35:28 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 06:31:10 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 19:58:42 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 21:05:00 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 02:12:06 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 06:21:51 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 22:31:12 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/24 \| 14:31:34 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 22:13:04 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 12:32:24 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 23:11:49 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 23:05:38 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 00:54:16 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 21:19:20 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 05:30:27 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 00:44:57 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 06:13:56 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/26 \| 19:50:21 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/22 \| 09:13:07 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 05:05:52 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 06:36:27 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 22:05:09 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 02:47:33 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 12:10:09 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 05:26:39 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 03:20:30 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 03:55:37 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 04:18:35 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 11:45:07 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 21:56:51 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 11:24:20 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 11:35:48 - Program Manager
Source: server.exe, 00000002.00000002.4425655282.0000000003619000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4425655282.0000000003A01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/21 \| 20:41:45 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 03:12:35 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 23:27:53 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 11:10:00 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 23:37:12 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/04 \| 10:50:14 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 03:53:14 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 02:10:05 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 06:33:11 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 11:26:06 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 00:27:57 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 11:02:42 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 22:05:46 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 04:03:22 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 05:46:31 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/22 \| 10:03:34 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 06:32:40 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 03:17:13 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 00:22:40 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 06:16:33 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 07:05:14 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 03:26:01 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/24 \| 14:12:33 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 11:07:59 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 01:30:44 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 05:11:26 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 06:54:35 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 04:08:39 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 23:57:43 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 01:18:07 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 22:20:23 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 07:04:43 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 12:10:46 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 11:22:36 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 06:49:17 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 04:20:00 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 04:14:28 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 04:19:28 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 05:45:01 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 02:29:03 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 12:04:57 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 21:17:36 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 03:06:24 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 03:37:07 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/22 \| 08:52:30 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 22:30:41 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 05:42:09 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/24 \| 13:30:12 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 20:01:23 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 00:11:51 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 01:34:14 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 04:34:05 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 00:48:05 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 21:57:07 - Program Manager
Source: scvhost.exe.2.dr, server.exe.0.dr	Binary or memory string: Shell_traywnd+MostrarBarraDeTarefas
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 05:49:47 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 02:59:15 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 02:42:18 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 06:38:28 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 01:13:07 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 10:54:03 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 00:05:03 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 21:33:43 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 06:53:05 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 06:27:22 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 11:18:48 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 02:45:10 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 01:02:01 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 05:00:37 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 03:27:31 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 07:16:03 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/24 \| 14:22:09 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/26 \| 18:31:08 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 23:54:12 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 05:55:36 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 05:07:38 - Program Manager
Source: server.exe, 00000002.00000002.4425655282.0000000003619000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4425655282.0000000003A01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/22 \| 03:51:49 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 02:48:26 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 11:34:55 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 06:42:16 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/26 \| 18:17:44 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/31 \| 03:25:00 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 22:32:42 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4425655282.000000000358A000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 12:42:59 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 03:21:01 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 23:40:46 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 11:13:31 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 21:55:21 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 03:40:24 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/26 \| 19:37:45 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 23:02:44 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 22:30:58 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 05:34:12 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 06:00:07 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/26 \| 19:25:48 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 22:37:59 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 02:06:17 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 05:02:21 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/26 \| 18:49:35 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 21:06:47 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 06:22:22 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/31 \| 03:29:09 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 21:29:55 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 05:33:41 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 00:35:15 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 07:02:59 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 04:25:00 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 23:46:54 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 01:43:19 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 05:39:29 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/22 \| 09:24:33 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 21:05:39 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 07:26:38 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/31 \| 03:30:57 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 11:48:21 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 03:36:36 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 10:50:33 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 11:09:43 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 12:40:58 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 07:26:21 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 11:54:49 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 02:28:32 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 12:17:47 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 23:59:29 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 04:01:38 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 22:38:50 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 11:32:54 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 03:15:29 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 10:46:45 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/24 \| 13:45:47 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 06:44:00 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 22:16:35 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/22 \| 09:22:49 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/22 \| 08:51:39 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 22:35:58 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 02:07:25 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 23:24:39 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 01:26:56 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 12:37:02 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 06:20:21 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 06:37:57 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 00:20:56 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 00:18:52 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 21:53:37 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 06:41:08 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 21:21:46 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 05:29:53 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 21:08:31 - Program Manager
Source: server.exe, 00000002.00000002.4425655282.0000000003619000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4425655282.0000000003A01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/22 \| 08:14:45 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 12:12:30 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 00:14:08 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 23:15:34 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 03:30:06 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 01:00:17 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/04 \| 11:28:25 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 23:51:35 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 04:27:01 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 06:14:49 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 12:24:12 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 23:03:52 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 00:57:30 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 01:44:10 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 00:58:01 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/04 \| 11:34:14 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 06:31:27 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/22 \| 09:49:05 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 05:42:46 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/02 \| 07:06:57 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 02:49:19 - Program Manager
Source: server.exe, 00000002.00000002.4425655282.0000000003619000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4425655282.0000000003A01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/22 \| 06:58:02 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 02:52:14 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 05:54:28 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 12:29:29 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 22:19:12 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 05:35:05 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 22:43:31 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 21:00:22 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 23:27:16 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 01:29:33 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 06:43:09 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 05:29:16 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 07:16:40 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 19:35:34 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 11:45:44 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 03:33:59 - Program Manager
Source: server.exe, 00000002.00000002.4425655282.0000000003619000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4425655282.0000000003A01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/22 \| 08:04:32 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/22 \| 09:47:41 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 23:34:57 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/11 \| 11:57:26 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 22:54:20 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 03:48:33 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 23:38:05 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 02:53:07 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 05:53:35 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 01:17:51 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 05:38:58 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 02:32:20 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 01:19:15 - Program Manager
Source: server.exe, 00000002.00000002.4425655282.0000000003619000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4425655282.0000000003A01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/22 \| 07:26:57 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 22:39:43 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 23/12/28 \| 23:38:06 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 02:08:01 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 03:59:22 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 21:20:53 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 00:32:38 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/08 \| 23:47:47 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 04:02:09 - Program Manager
Source: server.exe, 00000002.00000002.4427036735.0000000004665000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000002.00000002.4427036735.0000000005065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/01/09 \| 03:16:05 - Program Manager

Source: C:\Windows\SysWOW64\netsh.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\server.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Contains functionality to disable the Task Manager (.Net Source)

Source: QUuUm3J8x3.exe, Fransesco.cs	.Net Code: INS
Source: server.exe.0.dr, Fransesco.cs	.Net Code: INS
Source: scvhost.exe.2.dr, Fransesco.cs	.Net Code: INS
Source: 444e796bc07d74246f430e63450f384ascvhost.exe.2.dr, Fransesco.cs	.Net Code: INS

Disables zone checking for all users

Source: C:\Users\user\AppData\Local\Temp\server.exe

Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS

Jump to behavior

Modifies the windows firewall

Source: C:\Users\user\AppData\Local\Temp\server.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe" "server.exe" ENABLE

Uses netsh to modify the Windows network and firewall settings

Source: C:\Users\user\AppData\Local\Temp\server.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe" "server.exe" ENABLE

Stealing of Sensitive Information

Yara detected Njrat

Source: Yara match	File source: QUuUm3J8x3.exe, type: SAMPLE
Source: Yara match	File source: 0.0.QUuUm3J8x3.exe.8c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1968331201.00000000008C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1988085134.0000000003EE8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4425655282.0000000003551000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUuUm3J8x3.exe PID: 6412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server.exe PID: 2452, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\444e796bc07d74246f430e63450f384ascvhost.exe, type: DROPPED

Remote Access Functionality

Yara detected Njrat

Source: Yara match	File source: QUuUm3J8x3.exe, type: SAMPLE
Source: Yara match	File source: 0.0.QUuUm3J8x3.exe.8c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1968331201.00000000008C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1988085134.0000000003EE8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4425655282.0000000003551000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUuUm3J8x3.exe PID: 6412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server.exe PID: 2452, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\444e796bc07d74246f430e63450f384ascvhost.exe, type: DROPPED

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
11 Replication Through Removable Media	Windows Management Instrumentation	12 Registry Run Keys / Startup Folder	1 Access Token Manipulation	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	11 Replication Through Removable Media	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	12 Process Injection	41 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Clipboard Data	Exfiltration Over Bluetooth	1 Non-Standard Port	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	12 Registry Run Keys / Startup Folder	21 Virtualization/Sandbox Evasion	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	1 Access Token Manipulation	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	1 Application Layer Protocol			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Process Injection	LSA Secrets	1 Peripheral Device Discovery	SSH	Keylogging	Scheduled Transfer	Fallback Channels			Data Encrypted for Impact	Server	Gather Victim Network Information
Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Data Transfer Size Limits	Multiband Communication			Service Stop	Botnet	Domain Properties
External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	12 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over C2 Channel	Commonly Used Port			Inhibit System Recovery	Web Services	DNS

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
QUuUm3J8x3.exe	84%	ReversingLabs	ByteCode-MSIL.Backdoor.Bladabhindi
QUuUm3J8x3.exe	75%	Virustotal		Browse
QUuUm3J8x3.exe	100%	Avira	TR/Dropper.Gen
QUuUm3J8x3.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\444e796bc07d74246f430e63450f384ascvhost.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Local\Temp\server.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\444e796bc07d74246f430e63450f384ascvhost.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\server.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\server.exe	84%	ReversingLabs	ByteCode-MSIL.Backdoor.Bladabhindi
C:\Users\user\AppData\Local\Temp\server.exe	81%	Virustotal		Browse
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\444e796bc07d74246f430e63450f384ascvhost.exe	84%	ReversingLabs	ByteCode-MSIL.Backdoor.Bladabhindi
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\444e796bc07d74246f430e63450f384ascvhost.exe	81%	Virustotal		Browse
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe	84%	ReversingLabs	ByteCode-MSIL.Backdoor.Bladabhindi
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe	81%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
2.tcp.eu.ngrok.io	12%	Virustotal		Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
2.tcp.eu.ngrok.io	3.127.138.57	true	true	12%, Virustotal, Browse	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
3.127.138.57	2.tcp.eu.ngrok.io	United States	16509	AMAZON-02US	true
18.192.93.86	unknown	United States	16509	AMAZON-02US	true
18.197.239.5	unknown	United States	16509	AMAZON-02US	true

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1365445
Start date and time:	2023-12-21 08:21:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	QUuUm3J8x3.exe renamed because original name is a hash value
Original Sample Name:	b9f6511e03f2f4fa61d4fdb1964cae4f.exe
Detection:	MAL
Classification:	mal100.spre.phis.troj.adwa.evad.winEXE@6/6@4/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 119 Number of non-executed functions: 9
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:21:59	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\444e796bc07d74246f430e63450f384ascvhost.exe
08:22:08	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe
08:22:30	API Interceptor	599605x Sleep call for process: server.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3.127.138.57	RWqHoCWEPI.exe	Get hash	malicious	Njrat	Browse
	OUXkIxeP6k.exe	Get hash	malicious	Njrat	Browse
	eI43OwXSvq.exe	Get hash	malicious	Njrat	Browse
	i9z1c1OtFb.exe	Get hash	malicious	Njrat	Browse
	JYGc3o49WE.exe	Get hash	malicious	Njrat	Browse
	J6VIiRgq3w.exe	Get hash	malicious	Njrat	Browse
	7JdbeSrZ6s.exe	Get hash	malicious	Njrat	Browse
	KcWQQO3nZP.exe	Get hash	malicious	Njrat	Browse
	zep8vTa4sg.exe	Get hash	malicious	Njrat	Browse
	umyExrpkSF.exe	Get hash	malicious	Njrat	Browse
	QBEgLAO40T.exe	Get hash	malicious	Njrat	Browse
	4KWKhZNy9w.exe	Get hash	malicious	Njrat	Browse
	yPGBUzqVE3.exe	Get hash	malicious	Njrat	Browse
	D02E3399D85D6B14B30F440181EF5B8FE6B55C403B8C7.exe	Get hash	malicious	njRat	Browse
	2dZGR4PTLu.exe	Get hash	malicious	Njrat	Browse
	LMva1J8Xkv.exe	Get hash	malicious	Njrat	Browse
	XlNjZS4E8x.exe	Get hash	malicious	Njrat	Browse
	1F3YBPagot.exe	Get hash	malicious	Nanocore	Browse
	H7mLbVb7Tm.exe	Get hash	malicious	Njrat	Browse
	ojgIfElGah.exe	Get hash	malicious	njRat	Browse
18.192.93.86	P90GT_Invoice_Related_Property_Tax_P800.exe	Get hash	malicious	RedLine	Browse	2.tcp.eu.ngrok.io:17685/
18.192.93.86	http://www.sdrclm.cn/vendor/phpdocumentor/P800/P90GT_Invoice_Related_Property_Tax_P800.exe	Get hash	malicious	RedLine	Browse	2.tcp.eu.ngrok.io:17685/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
2.tcp.eu.ngrok.io	81Rz15POL6.exe	Get hash	malicious	Njrat	Browse	18.157.68.73
	649DB66A36E095B16832637A31D3CCC75040C5A6C23F6.exe	Get hash	malicious	Njrat	Browse	18.156.13.209
	pQBmVoyRnw.exe	Get hash	malicious	Njrat	Browse	18.156.13.209
	RWqHoCWEPI.exe	Get hash	malicious	Njrat	Browse	18.192.93.86
	EB4B6878310B1E2843C964E02EC1782AACB518E32777A.exe	Get hash	malicious	Njrat	Browse	18.192.93.86
	NezbdhNgwG.exe	Get hash	malicious	Njrat	Browse	18.192.93.86
	xdPdkPMD8u.exe	Get hash	malicious	Njrat	Browse	18.192.93.86
	VBUXm77rfL.exe	Get hash	malicious	Njrat	Browse	18.192.93.86
	1UGdjTlX5v.exe	Get hash	malicious	Njrat	Browse	18.157.68.73
	kXghM8bJcm.exe	Get hash	malicious	Njrat	Browse	18.192.93.86
	OUXkIxeP6k.exe	Get hash	malicious	Njrat	Browse	3.126.37.18
	QzzmZiGinp.exe	Get hash	malicious	Njrat	Browse	18.156.13.209
	eI43OwXSvq.exe	Get hash	malicious	Njrat	Browse	18.197.239.5
	p0zYXkMETE.exe	Get hash	malicious	Njrat	Browse	18.157.68.73
	i9z1c1OtFb.exe	Get hash	malicious	Njrat	Browse	18.157.68.73
	aF73k2XwGj.exe	Get hash	malicious	Njrat	Browse	18.192.93.86
	7XyFhq6BDj.exe	Get hash	malicious	Njrat	Browse	3.126.37.18
	JYGc3o49WE.exe	Get hash	malicious	Njrat	Browse	18.157.68.73
	J6VIiRgq3w.exe	Get hash	malicious	Njrat	Browse	3.126.37.18
	cTUu5Po5Hy.exe	Get hash	malicious	Njrat	Browse	3.126.37.18

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	XAxaAbjIBy.exe	Get hash	malicious	RisePro Stealer, SmokeLoader, Vidar, zgRAT	Browse	108.156.83.53
	b823dec3eeae35906a95d69d3c39ce07fe3155f2c8d4c.exe	Get hash	malicious	RisePro Stealer, SmokeLoader, Vidar, zgRAT	Browse	108.156.83.96
	PO54623.exe	Get hash	malicious	AveMaria, PrivateLoader, UACMe	Browse	3.65.73.103
	417OeBepSx.exe	Get hash	malicious	PayPal Phisher, RisePro Stealer, SmokeLoader, Vidar, zgRAT	Browse	108.156.83.53
	j3sCauen5m.exe	Get hash	malicious	RisePro Stealer, SmokeLoader, Vidar, zgRAT	Browse	108.156.83.96
	KincDAGGsy.exe	Get hash	malicious	PayPal Phisher, RisePro Stealer, SmokeLoader, Vidar, zgRAT	Browse	108.156.83.96
	l3OBSCwBil.exe	Get hash	malicious	PayPal Phisher, RisePro Stealer, SmokeLoader, Vidar, zgRAT	Browse	52.67.144.119
	FksQej1gmC.exe	Get hash	malicious	RisePro Stealer, SmokeLoader, Vidar, zgRAT	Browse	108.156.83.53
	ygM026LPMk.exe	Get hash	malicious	RisePro Stealer, SmokeLoader, Vidar, zgRAT	Browse	108.156.83.53
	TmFDAPheaH.exe	Get hash	malicious	PayPal Phisher, RisePro Stealer, SmokeLoader, Vidar, zgRAT	Browse	108.156.83.53
	dYdjynHexU.exe	Get hash	malicious	RisePro Stealer, SmokeLoader, Vidar, zgRAT	Browse	108.156.83.119
	jCjY2PPRjw.exe	Get hash	malicious	PayPal Phisher, RisePro Stealer, SmokeLoader, Vidar, zgRAT	Browse	108.156.83.53
	BkyrjYb3HZ.exe	Get hash	malicious	RisePro Stealer, SmokeLoader, Vidar, zgRAT	Browse	108.156.83.53
	B9COiyrHVE.exe	Get hash	malicious	PayPal Phisher, RisePro Stealer, SmokeLoader, Vidar, zgRAT	Browse	54.94.254.242
	https://nebrina.tokyo/login	Get hash	malicious	Unknown	Browse	54.65.124.121
	https://awthore.tokyo/login	Get hash	malicious	Unknown	Browse	52.197.89.129
	https://browndoguniversity.com/americanexpress-com.connect-online.page/amexs.html	Get hash	malicious	HTMLPhisher	Browse	52.46.151.131
	https://khradifmadina.blob.core.windows.net/khradifmadina/url.html#cl/1981_md/1110/3113/675/29/234450	Get hash	malicious	HTMLPhisher	Browse	13.226.52.55
	c6hm6d746Y.exe	Get hash	malicious	RisePro Stealer, SmokeLoader, Vidar, zgRAT	Browse	108.156.83.96
	https://khradifmadina.blob.core.windows.net/khradifmadina/unsub.html	Get hash	malicious	Unknown	Browse	34.212.165.30
AMAZON-02US	XAxaAbjIBy.exe	Get hash	malicious	RisePro Stealer, SmokeLoader, Vidar, zgRAT	Browse	108.156.83.53
	b823dec3eeae35906a95d69d3c39ce07fe3155f2c8d4c.exe	Get hash	malicious	RisePro Stealer, SmokeLoader, Vidar, zgRAT	Browse	108.156.83.96
	PO54623.exe	Get hash	malicious	AveMaria, PrivateLoader, UACMe	Browse	3.65.73.103
	417OeBepSx.exe	Get hash	malicious	PayPal Phisher, RisePro Stealer, SmokeLoader, Vidar, zgRAT	Browse	108.156.83.53
	j3sCauen5m.exe	Get hash	malicious	RisePro Stealer, SmokeLoader, Vidar, zgRAT	Browse	108.156.83.96
	KincDAGGsy.exe	Get hash	malicious	PayPal Phisher, RisePro Stealer, SmokeLoader, Vidar, zgRAT	Browse	108.156.83.96
	l3OBSCwBil.exe	Get hash	malicious	PayPal Phisher, RisePro Stealer, SmokeLoader, Vidar, zgRAT	Browse	52.67.144.119
	FksQej1gmC.exe	Get hash	malicious	RisePro Stealer, SmokeLoader, Vidar, zgRAT	Browse	108.156.83.53
	ygM026LPMk.exe	Get hash	malicious	RisePro Stealer, SmokeLoader, Vidar, zgRAT	Browse	108.156.83.53
	TmFDAPheaH.exe	Get hash	malicious	PayPal Phisher, RisePro Stealer, SmokeLoader, Vidar, zgRAT	Browse	108.156.83.53
	dYdjynHexU.exe	Get hash	malicious	RisePro Stealer, SmokeLoader, Vidar, zgRAT	Browse	108.156.83.119
	jCjY2PPRjw.exe	Get hash	malicious	PayPal Phisher, RisePro Stealer, SmokeLoader, Vidar, zgRAT	Browse	108.156.83.53
	BkyrjYb3HZ.exe	Get hash	malicious	RisePro Stealer, SmokeLoader, Vidar, zgRAT	Browse	108.156.83.53
	B9COiyrHVE.exe	Get hash	malicious	PayPal Phisher, RisePro Stealer, SmokeLoader, Vidar, zgRAT	Browse	54.94.254.242
	https://nebrina.tokyo/login	Get hash	malicious	Unknown	Browse	54.65.124.121
	https://awthore.tokyo/login	Get hash	malicious	Unknown	Browse	52.197.89.129
	https://browndoguniversity.com/americanexpress-com.connect-online.page/amexs.html	Get hash	malicious	HTMLPhisher	Browse	52.46.151.131
	https://khradifmadina.blob.core.windows.net/khradifmadina/url.html#cl/1981_md/1110/3113/675/29/234450	Get hash	malicious	HTMLPhisher	Browse	13.226.52.55
	c6hm6d746Y.exe	Get hash	malicious	RisePro Stealer, SmokeLoader, Vidar, zgRAT	Browse	108.156.83.96
	https://khradifmadina.blob.core.windows.net/khradifmadina/unsub.html	Get hash	malicious	Unknown	Browse	34.212.165.30

Process:	C:\Users\user\Desktop\QUuUm3J8x3.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.259753436570609
Encrypted:	false
SSDEEP:	12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
MD5:	260E01CC001F9C4643CA7A62F395D747
SHA1:	492AD0ACE3A9C8736909866EEA168962D418BE5A
SHA-256:	4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
SHA-512:	01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..

C:\Users\user\AppData\Local\Temp\server.exe

Download File

Process:	C:\Users\user\Desktop\QUuUm3J8x3.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.567171410386498
Encrypted:	false
SSDEEP:	1536:yUb0MVHnHyLgq8srvwSljEwzGi1dDLDlgS:yUdHnHyLgqzrwSSi1d7y
MD5:	B9F6511E03F2F4FA61D4FDB1964CAE4F
SHA1:	BA42AA852A48F5449ABD9C66F8A1D909A5C01618
SHA-256:	C93AB6BB562F09706D141A4804E655FE92612A07BC3AB92BF1F6F7A7A9EF9DCC
SHA-512:	5EED718BA4A2325E7A2EB96EDD8A1F0F0249048FF4C92DA2FD21319E42B5A4377ABFFA01556D534971BAE811AE30CB10A57C6D0B3C8D3B64C94B86FE4D978A88
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Local\Temp\server.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\server.exe, Author: unknown Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\server.exe, Author: Florian Roth Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Local\Temp\server.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Local\Temp\server.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 84% Antivirus: Virustotal, Detection: 81%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....G.e.................p.............. ........@.. ....................................@.................................\|...O.................................................................................... ............... ..H............text....n... ...p.................. ..`.reloc...............r..............@..B................................................................H...........d...........................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\444e796bc07d74246f430e63450f384ascvhost.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\server.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.567171410386498
Encrypted:	false
SSDEEP:	1536:yUb0MVHnHyLgq8srvwSljEwzGi1dDLDlgS:yUdHnHyLgqzrwSSi1d7y
MD5:	B9F6511E03F2F4FA61D4FDB1964CAE4F
SHA1:	BA42AA852A48F5449ABD9C66F8A1D909A5C01618
SHA-256:	C93AB6BB562F09706D141A4804E655FE92612A07BC3AB92BF1F6F7A7A9EF9DCC
SHA-512:	5EED718BA4A2325E7A2EB96EDD8A1F0F0249048FF4C92DA2FD21319E42B5A4377ABFFA01556D534971BAE811AE30CB10A57C6D0B3C8D3B64C94B86FE4D978A88
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\444e796bc07d74246f430e63450f384ascvhost.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\444e796bc07d74246f430e63450f384ascvhost.exe, Author: unknown Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\444e796bc07d74246f430e63450f384ascvhost.exe, Author: Florian Roth Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\444e796bc07d74246f430e63450f384ascvhost.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\444e796bc07d74246f430e63450f384ascvhost.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 84% Antivirus: Virustotal, Detection: 81%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....G.e.................p.............. ........@.. ....................................@.................................\|...O.................................................................................... ............... ..H............text....n... ...p.................. ..`.reloc...............r..............@..B................................................................H...........d...........................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\server.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.567171410386498
Encrypted:	false
SSDEEP:	1536:yUb0MVHnHyLgq8srvwSljEwzGi1dDLDlgS:yUdHnHyLgqzrwSSi1d7y
MD5:	B9F6511E03F2F4FA61D4FDB1964CAE4F
SHA1:	BA42AA852A48F5449ABD9C66F8A1D909A5C01618
SHA-256:	C93AB6BB562F09706D141A4804E655FE92612A07BC3AB92BF1F6F7A7A9EF9DCC
SHA-512:	5EED718BA4A2325E7A2EB96EDD8A1F0F0249048FF4C92DA2FD21319E42B5A4377ABFFA01556D534971BAE811AE30CB10A57C6D0B3C8D3B64C94B86FE4D978A88
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe, Author: unknown Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe, Author: Florian Roth Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 84% Antivirus: Virustotal, Detection: 81%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....G.e.................p.............. ........@.. ....................................@.................................\|...O.................................................................................... ............... ..H............text....n... ...p.................. ..`.reloc...............r..............@..B................................................................H...........d...........................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Users\user\AppData\Roaming\app

Download File

Process:	C:\Users\user\Desktop\QUuUm3J8x3.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	5
Entropy (8bit):	2.321928094887362
Encrypted:	false
SSDEEP:	3:n:n
MD5:	F478C76BBB3174DBC7FABAE62224F818
SHA1:	BED239508BAD9FCD15A9BDEA1E132F62468D07D1
SHA-256:	D7A0AF52F260C87EF40BDFC1F1196FAF7797593D62C6120AE99957D78762ED1A
SHA-512:	B653AA05746C721C9129456DE3798D9E94385A0E5630C5D497FA0D6076274560885EDD5875232B40D07AAFA3F0E929E9B3BF2FF388AD2C21B3589CB01B79F94B
Malicious:	false
Reputation:	low
Preview:	.21

\Device\ConDrv

Download File

Process:	C:\Windows\SysWOW64\netsh.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	313
Entropy (8bit):	4.971939296804078
Encrypted:	false
SSDEEP:	6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
MD5:	689E2126A85BF55121488295EE068FA1
SHA1:	09BAAA253A49D80C18326DFBCA106551EBF22DD6
SHA-256:	D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
SHA-512:	C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
Malicious:	false
Reputation:	high, very likely benign file
Preview:	..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.567171410386498
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	QUuUm3J8x3.exe
File size:	95'232 bytes
MD5:	b9f6511e03f2f4fa61d4fdb1964cae4f
SHA1:	ba42aa852a48f5449abd9c66f8a1d909a5c01618
SHA256:	c93ab6bb562f09706d141a4804e655fe92612a07bc3ab92bf1f6f7a7a9ef9dcc
SHA512:	5eed718ba4a2325e7a2eb96edd8a1f0f0249048ff4c92da2fd21319e42b5a4377abffa01556d534971bae811ae30cb10a57c6d0b3c8d3b64c94b86fe4d978a88
SSDEEP:	1536:yUb0MVHnHyLgq8srvwSljEwzGi1dDLDlgS:yUdHnHyLgqzrwSSi1d7y
TLSH:	C693C84977E52524E1BF56F79871F2014F34B44B1602E39E48F219AA1A33AC44F86FEB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....G.e.................p............... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x418ece
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x657F47AC [Sun Dec 17 19:10:36 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x18e7c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x16ed4	0x17000	False	0.36820652173913043	data	5.598826548599816	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0x1a000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.518.197.239.549722124602814860 12/21/23-08:23:50.144704	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49722	12460	192.168.2.5	18.197.239.5
192.168.2.53.127.138.5749723124602033132 12/21/23-08:24:22.443531	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49723	12460	192.168.2.5	3.127.138.57
192.168.2.53.127.138.5749724124602033132 12/21/23-08:24:28.186519	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49724	12460	192.168.2.5	3.127.138.57
192.168.2.518.192.93.8649727124602814856 12/21/23-08:25:32.396830	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49727	12460	192.168.2.5	18.192.93.86
192.168.2.518.192.93.8649728124602814856 12/21/23-08:25:42.081730	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49728	12460	192.168.2.5	18.192.93.86
192.168.2.53.127.138.5749725124602033132 12/21/23-08:24:57.473768	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49725	12460	192.168.2.5	3.127.138.57
192.168.2.53.127.138.5749705124602825564 12/21/23-08:22:14.988164	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49705	12460	192.168.2.5	3.127.138.57
192.168.2.518.197.239.549722124602825564 12/21/23-08:23:50.144704	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49722	12460	192.168.2.5	18.197.239.5
192.168.2.53.127.138.5749725124602825564 12/21/23-08:25:04.347657	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49725	12460	192.168.2.5	3.127.138.57
192.168.2.53.127.138.5749726124602825564 12/21/23-08:25:12.545144	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49726	12460	192.168.2.5	3.127.138.57
192.168.2.53.127.138.5749714124602814856 12/21/23-08:22:35.251444	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49714	12460	192.168.2.5	3.127.138.57
192.168.2.518.197.239.549720124602814856 12/21/23-08:23:26.504306	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49720	12460	192.168.2.5	18.197.239.5
192.168.2.518.197.239.549721124602814856 12/21/23-08:23:38.022410	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49721	12460	192.168.2.5	18.197.239.5
192.168.2.53.127.138.5749723124602825564 12/21/23-08:24:25.802640	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49723	12460	192.168.2.5	3.127.138.57
192.168.2.518.197.239.549722124602814856 12/21/23-08:23:47.925511	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49722	12460	192.168.2.5	18.197.239.5
192.168.2.53.127.138.5749715124602814856 12/21/23-08:22:42.115347	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49715	12460	192.168.2.5	3.127.138.57
192.168.2.53.127.138.5749724124602825564 12/21/23-08:24:29.378929	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49724	12460	192.168.2.5	3.127.138.57
192.168.2.518.192.93.8649728124602825564 12/21/23-08:25:44.765776	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49728	12460	192.168.2.5	18.192.93.86
192.168.2.518.192.93.8649727124602825564 12/21/23-08:25:35.257122	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49727	12460	192.168.2.5	18.192.93.86
192.168.2.518.197.239.549719124602033132 12/21/23-08:23:16.402874	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49719	12460	192.168.2.5	18.197.239.5
192.168.2.53.127.138.5749723124602814856 12/21/23-08:24:22.684180	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49723	12460	192.168.2.5	3.127.138.57
192.168.2.53.127.138.5749714124602033132 12/21/23-08:22:35.011872	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49714	12460	192.168.2.5	3.127.138.57
192.168.2.518.197.239.549717124602033132 12/21/23-08:23:09.738672	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49717	12460	192.168.2.5	18.197.239.5
192.168.2.53.127.138.5749715124602825564 12/21/23-08:22:45.323315	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49715	12460	192.168.2.5	3.127.138.57
192.168.2.53.127.138.5749724124602814856 12/21/23-08:24:28.428947	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49724	12460	192.168.2.5	3.127.138.57
192.168.2.53.127.138.5749704124602814856 12/21/23-08:22:00.806810	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49704	12460	192.168.2.5	3.127.138.57
192.168.2.53.127.138.5749725124602814856 12/21/23-08:24:57.714176	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49725	12460	192.168.2.5	3.127.138.57
192.168.2.53.127.138.5749714124602825564 12/21/23-08:22:39.068500	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49714	12460	192.168.2.5	3.127.138.57
192.168.2.53.127.138.5749705124602814856 12/21/23-08:22:07.582838	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49705	12460	192.168.2.5	3.127.138.57
192.168.2.53.127.138.5749726124602814856 12/21/23-08:25:07.565443	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49726	12460	192.168.2.5	3.127.138.57
192.168.2.53.127.138.5749725124602814860 12/21/23-08:25:04.347657	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49725	12460	192.168.2.5	3.127.138.57
192.168.2.518.192.93.8649727124602814860 12/21/23-08:25:35.257122	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49727	12460	192.168.2.5	18.192.93.86
192.168.2.53.127.138.5749705124602814860 12/21/23-08:22:14.988164	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49705	12460	192.168.2.5	3.127.138.57
192.168.2.53.127.138.5749714124602814860 12/21/23-08:22:39.068500	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49714	12460	192.168.2.5	3.127.138.57
192.168.2.518.192.93.8649728124602814860 12/21/23-08:25:44.765776	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49728	12460	192.168.2.5	18.192.93.86
192.168.2.53.127.138.5749726124602814860 12/21/23-08:25:12.545144	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49726	12460	192.168.2.5	3.127.138.57
192.168.2.53.127.138.5749715124602814860 12/21/23-08:22:45.323315	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49715	12460	192.168.2.5	3.127.138.57
192.168.2.518.197.239.549717124602814856 12/21/23-08:23:09.978056	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49717	12460	192.168.2.5	18.197.239.5
192.168.2.518.197.239.549721124602033132 12/21/23-08:23:37.781323	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49721	12460	192.168.2.5	18.197.239.5
192.168.2.53.127.138.5749723124602814860 12/21/23-08:24:25.802640	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49723	12460	192.168.2.5	3.127.138.57
192.168.2.518.197.239.549720124602033132 12/21/23-08:23:26.263437	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49720	12460	192.168.2.5	18.197.239.5
192.168.2.53.127.138.5749724124602814860 12/21/23-08:24:29.378929	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49724	12460	192.168.2.5	3.127.138.57
192.168.2.53.127.138.5749704124602033132 12/21/23-08:22:00.564694	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49704	12460	192.168.2.5	3.127.138.57
192.168.2.53.127.138.5749715124602033132 12/21/23-08:22:41.875520	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49715	12460	192.168.2.5	3.127.138.57
192.168.2.53.127.138.5749726124602033132 12/21/23-08:25:07.325936	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49726	12460	192.168.2.5	3.127.138.57
192.168.2.53.127.138.5749705124602033132 12/21/23-08:22:07.341922	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49705	12460	192.168.2.5	3.127.138.57
192.168.2.518.197.239.549722124602033132 12/21/23-08:23:47.684823	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49722	12460	192.168.2.5	18.197.239.5
192.168.2.518.192.93.8649728124602033132 12/21/23-08:25:41.841463	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49728	12460	192.168.2.5	18.192.93.86
192.168.2.518.192.93.8649727124602033132 12/21/23-08:25:32.154857	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49727	12460	192.168.2.5	18.192.93.86
192.168.2.518.197.239.549719124602814856 12/21/23-08:23:16.645108	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49719	12460	192.168.2.5	18.197.239.5

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 21, 2023 08:22:00.245955944 CET	49704	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:22:00.486634970 CET	12460	49704	3.127.138.57	192.168.2.5
Dec 21, 2023 08:22:00.486823082 CET	49704	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:22:00.564693928 CET	49704	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:22:00.806716919 CET	12460	49704	3.127.138.57	192.168.2.5
Dec 21, 2023 08:22:00.806809902 CET	49704	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:22:01.047499895 CET	12460	49704	3.127.138.57	192.168.2.5
Dec 21, 2023 08:22:05.085464954 CET	12460	49704	3.127.138.57	192.168.2.5
Dec 21, 2023 08:22:05.128344059 CET	49704	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:22:07.098007917 CET	49704	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:22:07.099618912 CET	49705	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:22:07.340960979 CET	12460	49705	3.127.138.57	192.168.2.5
Dec 21, 2023 08:22:07.341156006 CET	49705	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:22:07.341922045 CET	49705	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:22:07.582740068 CET	12460	49705	3.127.138.57	192.168.2.5
Dec 21, 2023 08:22:07.582838058 CET	49705	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:22:07.824357033 CET	12460	49705	3.127.138.57	192.168.2.5
Dec 21, 2023 08:22:14.988163948 CET	49705	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:22:15.228750944 CET	12460	49705	3.127.138.57	192.168.2.5
Dec 21, 2023 08:22:30.393302917 CET	12460	49705	3.127.138.57	192.168.2.5
Dec 21, 2023 08:22:30.393352032 CET	49705	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:22:32.761054993 CET	12460	49705	3.127.138.57	192.168.2.5
Dec 21, 2023 08:22:32.761132002 CET	49705	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:22:34.769280910 CET	49705	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:22:34.771081924 CET	49714	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:22:35.010601044 CET	12460	49705	3.127.138.57	192.168.2.5
Dec 21, 2023 08:22:35.010751963 CET	12460	49714	3.127.138.57	192.168.2.5
Dec 21, 2023 08:22:35.010840893 CET	49714	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:22:35.011872053 CET	49714	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:22:35.251379967 CET	12460	49714	3.127.138.57	192.168.2.5
Dec 21, 2023 08:22:35.251444101 CET	49714	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:22:35.491035938 CET	12460	49714	3.127.138.57	192.168.2.5
Dec 21, 2023 08:22:39.068500042 CET	49714	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:22:39.308120966 CET	12460	49714	3.127.138.57	192.168.2.5
Dec 21, 2023 08:22:39.613670111 CET	12460	49714	3.127.138.57	192.168.2.5
Dec 21, 2023 08:22:39.613768101 CET	49714	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:22:41.628633976 CET	49714	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:22:41.630508900 CET	49715	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:22:41.868204117 CET	12460	49714	3.127.138.57	192.168.2.5
Dec 21, 2023 08:22:41.870371103 CET	12460	49715	3.127.138.57	192.168.2.5
Dec 21, 2023 08:22:41.870482922 CET	49715	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:22:41.875519991 CET	49715	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:22:42.115288973 CET	12460	49715	3.127.138.57	192.168.2.5
Dec 21, 2023 08:22:42.115346909 CET	49715	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:22:42.359000921 CET	12460	49715	3.127.138.57	192.168.2.5
Dec 21, 2023 08:22:45.323314905 CET	49715	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:22:45.563133001 CET	12460	49715	3.127.138.57	192.168.2.5
Dec 21, 2023 08:23:00.601593018 CET	12460	49715	3.127.138.57	192.168.2.5
Dec 21, 2023 08:23:00.601659060 CET	49715	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:23:07.288424015 CET	12460	49715	3.127.138.57	192.168.2.5
Dec 21, 2023 08:23:07.288494110 CET	49715	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:23:09.300606966 CET	49715	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:23:09.497400999 CET	49717	12460	192.168.2.5	18.197.239.5
Dec 21, 2023 08:23:09.540400028 CET	12460	49715	3.127.138.57	192.168.2.5
Dec 21, 2023 08:23:09.736746073 CET	12460	49717	18.197.239.5	192.168.2.5
Dec 21, 2023 08:23:09.736854076 CET	49717	12460	192.168.2.5	18.197.239.5
Dec 21, 2023 08:23:09.738672018 CET	49717	12460	192.168.2.5	18.197.239.5
Dec 21, 2023 08:23:09.977971077 CET	12460	49717	18.197.239.5	192.168.2.5
Dec 21, 2023 08:23:09.978055954 CET	49717	12460	192.168.2.5	18.197.239.5
Dec 21, 2023 08:23:10.217565060 CET	12460	49717	18.197.239.5	192.168.2.5
Dec 21, 2023 08:23:14.146172047 CET	12460	49717	18.197.239.5	192.168.2.5
Dec 21, 2023 08:23:14.146370888 CET	49717	12460	192.168.2.5	18.197.239.5
Dec 21, 2023 08:23:16.159847975 CET	49717	12460	192.168.2.5	18.197.239.5
Dec 21, 2023 08:23:16.161350012 CET	49719	12460	192.168.2.5	18.197.239.5
Dec 21, 2023 08:23:16.399204016 CET	12460	49717	18.197.239.5	192.168.2.5
Dec 21, 2023 08:23:16.401511908 CET	12460	49719	18.197.239.5	192.168.2.5
Dec 21, 2023 08:23:16.401595116 CET	49719	12460	192.168.2.5	18.197.239.5
Dec 21, 2023 08:23:16.402873993 CET	49719	12460	192.168.2.5	18.197.239.5
Dec 21, 2023 08:23:16.645008087 CET	12460	49719	18.197.239.5	192.168.2.5
Dec 21, 2023 08:23:16.645107985 CET	49719	12460	192.168.2.5	18.197.239.5
Dec 21, 2023 08:23:16.885365963 CET	12460	49719	18.197.239.5	192.168.2.5
Dec 21, 2023 08:23:24.012372971 CET	12460	49719	18.197.239.5	192.168.2.5
Dec 21, 2023 08:23:24.012558937 CET	49719	12460	192.168.2.5	18.197.239.5
Dec 21, 2023 08:23:26.019226074 CET	49719	12460	192.168.2.5	18.197.239.5
Dec 21, 2023 08:23:26.021666050 CET	49720	12460	192.168.2.5	18.197.239.5
Dec 21, 2023 08:23:26.259324074 CET	12460	49719	18.197.239.5	192.168.2.5
Dec 21, 2023 08:23:26.262259007 CET	12460	49720	18.197.239.5	192.168.2.5
Dec 21, 2023 08:23:26.262456894 CET	49720	12460	192.168.2.5	18.197.239.5
Dec 21, 2023 08:23:26.263437033 CET	49720	12460	192.168.2.5	18.197.239.5
Dec 21, 2023 08:23:26.504117966 CET	12460	49720	18.197.239.5	192.168.2.5
Dec 21, 2023 08:23:26.504306078 CET	49720	12460	192.168.2.5	18.197.239.5
Dec 21, 2023 08:23:26.744879961 CET	12460	49720	18.197.239.5	192.168.2.5
Dec 21, 2023 08:23:35.098226070 CET	12460	49720	18.197.239.5	192.168.2.5
Dec 21, 2023 08:23:35.237926960 CET	49720	12460	192.168.2.5	18.197.239.5
Dec 21, 2023 08:23:37.536823034 CET	49720	12460	192.168.2.5	18.197.239.5
Dec 21, 2023 08:23:37.538399935 CET	49721	12460	192.168.2.5	18.197.239.5
Dec 21, 2023 08:23:37.779804945 CET	12460	49721	18.197.239.5	192.168.2.5
Dec 21, 2023 08:23:37.779913902 CET	49721	12460	192.168.2.5	18.197.239.5
Dec 21, 2023 08:23:37.781322956 CET	49721	12460	192.168.2.5	18.197.239.5
Dec 21, 2023 08:23:38.022300005 CET	12460	49721	18.197.239.5	192.168.2.5
Dec 21, 2023 08:23:38.022409916 CET	49721	12460	192.168.2.5	18.197.239.5
Dec 21, 2023 08:23:38.263457060 CET	12460	49721	18.197.239.5	192.168.2.5
Dec 21, 2023 08:23:45.429939985 CET	12460	49721	18.197.239.5	192.168.2.5
Dec 21, 2023 08:23:45.430012941 CET	49721	12460	192.168.2.5	18.197.239.5
Dec 21, 2023 08:23:47.441390038 CET	49721	12460	192.168.2.5	18.197.239.5
Dec 21, 2023 08:23:47.442744970 CET	49722	12460	192.168.2.5	18.197.239.5
Dec 21, 2023 08:23:47.682557106 CET	12460	49721	18.197.239.5	192.168.2.5
Dec 21, 2023 08:23:47.683811903 CET	12460	49722	18.197.239.5	192.168.2.5
Dec 21, 2023 08:23:47.683887005 CET	49722	12460	192.168.2.5	18.197.239.5
Dec 21, 2023 08:23:47.684823036 CET	49722	12460	192.168.2.5	18.197.239.5
Dec 21, 2023 08:23:47.925419092 CET	12460	49722	18.197.239.5	192.168.2.5
Dec 21, 2023 08:23:47.925510883 CET	49722	12460	192.168.2.5	18.197.239.5
Dec 21, 2023 08:23:48.166184902 CET	12460	49722	18.197.239.5	192.168.2.5
Dec 21, 2023 08:23:50.144704103 CET	49722	12460	192.168.2.5	18.197.239.5
Dec 21, 2023 08:23:50.385606050 CET	12460	49722	18.197.239.5	192.168.2.5
Dec 21, 2023 08:24:05.454592943 CET	12460	49722	18.197.239.5	192.168.2.5
Dec 21, 2023 08:24:05.454668999 CET	49722	12460	192.168.2.5	18.197.239.5
Dec 21, 2023 08:24:19.956438065 CET	12460	49722	18.197.239.5	192.168.2.5
Dec 21, 2023 08:24:19.956568956 CET	49722	12460	192.168.2.5	18.197.239.5
Dec 21, 2023 08:24:21.966917992 CET	49722	12460	192.168.2.5	18.197.239.5
Dec 21, 2023 08:24:22.201752901 CET	49723	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:24:22.207576990 CET	12460	49722	18.197.239.5	192.168.2.5
Dec 21, 2023 08:24:22.442358971 CET	12460	49723	3.127.138.57	192.168.2.5
Dec 21, 2023 08:24:22.442517042 CET	49723	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:24:22.443531036 CET	49723	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:24:22.684086084 CET	12460	49723	3.127.138.57	192.168.2.5
Dec 21, 2023 08:24:22.684180021 CET	49723	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:24:22.924695015 CET	12460	49723	3.127.138.57	192.168.2.5
Dec 21, 2023 08:24:25.802639961 CET	49723	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:24:25.927581072 CET	12460	49723	3.127.138.57	192.168.2.5
Dec 21, 2023 08:24:25.927670002 CET	49723	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:24:26.043123960 CET	12460	49723	3.127.138.57	192.168.2.5
Dec 21, 2023 08:24:26.168059111 CET	12460	49723	3.127.138.57	192.168.2.5
Dec 21, 2023 08:24:27.942872047 CET	49724	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:24:28.185393095 CET	12460	49724	3.127.138.57	192.168.2.5
Dec 21, 2023 08:24:28.185486078 CET	49724	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:24:28.186518908 CET	49724	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:24:28.428850889 CET	12460	49724	3.127.138.57	192.168.2.5
Dec 21, 2023 08:24:28.428946972 CET	49724	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:24:28.671372890 CET	12460	49724	3.127.138.57	192.168.2.5
Dec 21, 2023 08:24:29.378928900 CET	49724	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:24:29.621196985 CET	12460	49724	3.127.138.57	192.168.2.5
Dec 21, 2023 08:24:44.638381004 CET	12460	49724	3.127.138.57	192.168.2.5
Dec 21, 2023 08:24:44.638483047 CET	49724	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:24:54.714807034 CET	12460	49724	3.127.138.57	192.168.2.5
Dec 21, 2023 08:24:54.714905024 CET	49724	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:24:57.223289013 CET	49724	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:24:57.224847078 CET	49725	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:24:57.469750881 CET	12460	49725	3.127.138.57	192.168.2.5
Dec 21, 2023 08:24:57.469769955 CET	12460	49724	3.127.138.57	192.168.2.5
Dec 21, 2023 08:24:57.469886065 CET	49725	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:24:57.473767996 CET	49725	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:24:57.714098930 CET	12460	49725	3.127.138.57	192.168.2.5
Dec 21, 2023 08:24:57.714175940 CET	49725	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:24:57.954216957 CET	12460	49725	3.127.138.57	192.168.2.5
Dec 21, 2023 08:25:04.347656965 CET	49725	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:25:04.588474989 CET	12460	49725	3.127.138.57	192.168.2.5
Dec 21, 2023 08:25:05.080512047 CET	12460	49725	3.127.138.57	192.168.2.5
Dec 21, 2023 08:25:05.238044024 CET	49725	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:25:07.081904888 CET	49725	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:25:07.083302975 CET	49726	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:25:07.322840929 CET	12460	49726	3.127.138.57	192.168.2.5
Dec 21, 2023 08:25:07.323015928 CET	49726	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:25:07.325936079 CET	49726	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:25:07.565390110 CET	12460	49726	3.127.138.57	192.168.2.5
Dec 21, 2023 08:25:07.565443039 CET	49726	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:25:07.804862976 CET	12460	49726	3.127.138.57	192.168.2.5
Dec 21, 2023 08:25:12.545144081 CET	49726	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:25:12.787326097 CET	12460	49726	3.127.138.57	192.168.2.5
Dec 21, 2023 08:25:27.805676937 CET	12460	49726	3.127.138.57	192.168.2.5
Dec 21, 2023 08:25:27.805721045 CET	49726	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:25:29.745826960 CET	12460	49726	3.127.138.57	192.168.2.5
Dec 21, 2023 08:25:29.745901108 CET	49726	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:25:31.755338907 CET	49726	12460	192.168.2.5	3.127.138.57
Dec 21, 2023 08:25:31.913546085 CET	49727	12460	192.168.2.5	18.192.93.86
Dec 21, 2023 08:25:31.994894981 CET	12460	49726	3.127.138.57	192.168.2.5
Dec 21, 2023 08:25:32.153824091 CET	12460	49727	18.192.93.86	192.168.2.5
Dec 21, 2023 08:25:32.153892040 CET	49727	12460	192.168.2.5	18.192.93.86
Dec 21, 2023 08:25:32.154856920 CET	49727	12460	192.168.2.5	18.192.93.86
Dec 21, 2023 08:25:32.396737099 CET	12460	49727	18.192.93.86	192.168.2.5
Dec 21, 2023 08:25:32.396830082 CET	49727	12460	192.168.2.5	18.192.93.86
Dec 21, 2023 08:25:32.637514114 CET	12460	49727	18.192.93.86	192.168.2.5
Dec 21, 2023 08:25:35.257122040 CET	49727	12460	192.168.2.5	18.192.93.86
Dec 21, 2023 08:25:35.498989105 CET	12460	49727	18.192.93.86	192.168.2.5
Dec 21, 2023 08:25:39.593806982 CET	12460	49727	18.192.93.86	192.168.2.5
Dec 21, 2023 08:25:39.593930960 CET	49727	12460	192.168.2.5	18.192.93.86
Dec 21, 2023 08:25:41.597737074 CET	49727	12460	192.168.2.5	18.192.93.86
Dec 21, 2023 08:25:41.599987030 CET	49728	12460	192.168.2.5	18.192.93.86
Dec 21, 2023 08:25:41.838534117 CET	12460	49727	18.192.93.86	192.168.2.5
Dec 21, 2023 08:25:41.840390921 CET	12460	49728	18.192.93.86	192.168.2.5
Dec 21, 2023 08:25:41.840492010 CET	49728	12460	192.168.2.5	18.192.93.86
Dec 21, 2023 08:25:41.841463089 CET	49728	12460	192.168.2.5	18.192.93.86
Dec 21, 2023 08:25:42.081593990 CET	12460	49728	18.192.93.86	192.168.2.5
Dec 21, 2023 08:25:42.081729889 CET	49728	12460	192.168.2.5	18.192.93.86
Dec 21, 2023 08:25:42.321876049 CET	12460	49728	18.192.93.86	192.168.2.5
Dec 21, 2023 08:25:44.765775919 CET	49728	12460	192.168.2.5	18.192.93.86
Dec 21, 2023 08:25:45.005779982 CET	12460	49728	18.192.93.86	192.168.2.5
Dec 21, 2023 08:26:00.146995068 CET	12460	49728	18.192.93.86	192.168.2.5
Dec 21, 2023 08:26:00.147047997 CET	49728	12460	192.168.2.5	18.192.93.86

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 21, 2023 08:22:00.101906061 CET	60747	53	192.168.2.5	1.1.1.1
Dec 21, 2023 08:22:00.243022919 CET	53	60747	1.1.1.1	192.168.2.5
Dec 21, 2023 08:23:09.301723957 CET	55639	53	192.168.2.5	1.1.1.1
Dec 21, 2023 08:23:09.495954990 CET	53	55639	1.1.1.1	192.168.2.5
Dec 21, 2023 08:24:21.968174934 CET	56614	53	192.168.2.5	1.1.1.1
Dec 21, 2023 08:24:22.200453997 CET	53	56614	1.1.1.1	192.168.2.5
Dec 21, 2023 08:25:31.756707907 CET	54634	53	192.168.2.5	1.1.1.1
Dec 21, 2023 08:25:31.897093058 CET	53	54634	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 21, 2023 08:22:00.101906061 CET	192.168.2.5	1.1.1.1	0x3a53	Standard query (0)	2.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Dec 21, 2023 08:23:09.301723957 CET	192.168.2.5	1.1.1.1	0x6b89	Standard query (0)	2.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Dec 21, 2023 08:24:21.968174934 CET	192.168.2.5	1.1.1.1	0xd89c	Standard query (0)	2.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Dec 21, 2023 08:25:31.756707907 CET	192.168.2.5	1.1.1.1	0x21f3	Standard query (0)	2.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 21, 2023 08:22:00.243022919 CET	1.1.1.1	192.168.2.5	0x3a53	No error (0)	2.tcp.eu.ngrok.io	3.127.138.57	A (IP address)	IN (0x0001)	false
Dec 21, 2023 08:23:09.495954990 CET	1.1.1.1	192.168.2.5	0x6b89	No error (0)	2.tcp.eu.ngrok.io	18.197.239.5	A (IP address)	IN (0x0001)	false
Dec 21, 2023 08:24:22.200453997 CET	1.1.1.1	192.168.2.5	0xd89c	No error (0)	2.tcp.eu.ngrok.io	3.127.138.57	A (IP address)	IN (0x0001)	false
Dec 21, 2023 08:25:31.897093058 CET	1.1.1.1	192.168.2.5	0x21f3	No error (0)	2.tcp.eu.ngrok.io	18.192.93.86	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	08:21:52
Start date:	21/12/2023
Path:	C:\Users\user\Desktop\QUuUm3J8x3.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\QUuUm3J8x3.exe
Imagebase:	0x8c0000
File size:	95'232 bytes
MD5 hash:	B9F6511E03F2F4FA61D4FDB1964CAE4F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000000.1968331201.00000000008C2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000000.1968331201.00000000008C2000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000000.1968331201.00000000008C2000.00000002.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.1988085134.0000000003EE8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000002.1988085134.0000000003EE8000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000002.1988085134.0000000003EE8000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:21:54
Start date:	21/12/2023
Path:	C:\Users\user\AppData\Local\Temp\server.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\server.exe"
Imagebase:	0xf40000
File size:	95'232 bytes
MD5 hash:	B9F6511E03F2F4FA61D4FDB1964CAE4F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000002.00000002.4425655282.0000000003551000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Local\Temp\server.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\server.exe, Author: unknown Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\server.exe, Author: Florian Roth Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Local\Temp\server.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Local\Temp\server.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 84%, ReversingLabs Detection: 81%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	08:21:55
Start date:	21/12/2023
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Imagebase:	0x1080000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:21:56
Start date:	21/12/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	58
Total number of Limit Nodes:	4

Executed Functions

Function 05094298 Relevance: 3.2, Strings: 1, Instructions: 1950
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 05094C24

Memory Dump Source

Source File: 00000000.00000002.1988208692.0000000005090000.00000040.00000800.00020000.00000000.sdmp, Offset: 05090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5090000_QUuUm3J8x3.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 610da42a3b2dffbb861b32ca7fc57bd93377d256b4760a8c2684d5c19554daea
Instruction ID: baee2211a76c4e2ee559911997526fe7ca1d61e7d09d7afb9cea71fda2a566c3
Opcode Fuzzy Hash: 610da42a3b2dffbb861b32ca7fc57bd93377d256b4760a8c2684d5c19554daea
Instruction Fuzzy Hash: 01232974A01228CFDB69EB35D854BADB7B2BF48304F1041E9E9096B3A8DB355E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05094269 Relevance: 3.0, Strings: 1, Instructions: 1764
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 05094BC4

Memory Dump Source

Source File: 00000000.00000002.1988208692.0000000005090000.00000040.00000800.00020000.00000000.sdmp, Offset: 05090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5090000_QUuUm3J8x3.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 5fc5f09a234bccf7663e467ecca96e5c99e58d176546bc10e28f645ce16eb371
Instruction ID: e0c3c1ab0ff311cdd51be7607b6abd73ad724b7c2b875eb41e2d18281ea966d4
Opcode Fuzzy Hash: 5fc5f09a234bccf7663e467ecca96e5c99e58d176546bc10e28f645ce16eb371
Instruction Fuzzy Hash: 52131974A01228CFDB29EF31D854BADB7B2BB48304F1041E9E9496B3A9DB355E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 010CAA75 Relevance: 1.6, APIs: 1, Instructions: 92
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 010CAB25

Memory Dump Source

Source File: 00000000.00000002.1987453935.00000000010CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ca000_QUuUm3J8x3.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f5a1f5628017c9971fffee058a9b5a39ab42e60d6b55528121031ceb5b015d6a
Instruction ID: 0d4550b8d1e3c4f5bc14ee6ba9c23733f3424f0a91203d1491975cf079c1daa0
Opcode Fuzzy Hash: f5a1f5628017c9971fffee058a9b5a39ab42e60d6b55528121031ceb5b015d6a
Instruction Fuzzy Hash: BE316071505344AFE722CF65CC85F56BFF8EF05614F08889EE9858B652D365E808CB71

Uniqueness

Uniqueness Score: -1.00%

Function 010CB036 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 010CB0DD

Memory Dump Source

Source File: 00000000.00000002.1987453935.00000000010CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ca000_QUuUm3J8x3.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: d682c19891c405133ca158f26f3e85c3f1951981d34d52bda9999e73172dfc92
Instruction ID: 72fb0a2871e5e6430f09b806cde40142c5581763c65cb381c7c9c0191fa3443d
Opcode Fuzzy Hash: d682c19891c405133ca158f26f3e85c3f1951981d34d52bda9999e73172dfc92
Instruction Fuzzy Hash: 773172715093805FE721CB25DC45B96BFF8EF16614F08849AE9848B293D365E909CB72

Uniqueness

Uniqueness Score: -1.00%

Function 010CA6CE Relevance: 1.6, APIs: 1, Instructions: 85
comclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleGetClipboard.OLE32(?,00000E24,?,?), ref: 010CA77E

Memory Dump Source

Source File: 00000000.00000002.1987453935.00000000010CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ca000_QUuUm3J8x3.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: dc169d1927ffc854016135cb740e98d11cc3996bdddd6cc8d78f2380c1f0d256
Instruction ID: 520a2a535525a6d4232da1d83476bf5c0e57a777a2d27905d1856bc50fa0f27c
Opcode Fuzzy Hash: dc169d1927ffc854016135cb740e98d11cc3996bdddd6cc8d78f2380c1f0d256
Instruction Fuzzy Hash: 9E31717114E3C06FD3138B259C61B61BFB4EF87610F0A80CBE884CB5A3D2256919D772

Uniqueness

Uniqueness Score: -1.00%

Function 010CAE77 Relevance: 1.6, APIs: 1, Instructions: 78
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000E24,A8DEAFEC,00000000,00000000,00000000,00000000), ref: 010CAF0D

Memory Dump Source

Source File: 00000000.00000002.1987453935.00000000010CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ca000_QUuUm3J8x3.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 6987f23d8f5fdafe0f849fdc36c774e8b041ea3568a9299e9020ee5360930d3e
Instruction ID: d97068e3248e1fdd6bf01870dfd68d454f83da1ff4f7fa23b13ad8e06387690d
Opcode Fuzzy Hash: 6987f23d8f5fdafe0f849fdc36c774e8b041ea3568a9299e9020ee5360930d3e
Instruction Fuzzy Hash: B121B1B2509380AFD722CB61DC44F96BFB8EF56714F0884DAE9848F193D274A509CB71

Uniqueness

Uniqueness Score: -1.00%

Function 010CAAA6 Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 010CAB25

Memory Dump Source

Source File: 00000000.00000002.1987453935.00000000010CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ca000_QUuUm3J8x3.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c6581c949dc6813acd42b3de43dbcd2de03834a0ce0a892c856f2c0ea1457161
Instruction ID: 22498643ea16caf7be3c1195a272e2889d622086e7ac7be160271552522d941d
Opcode Fuzzy Hash: c6581c949dc6813acd42b3de43dbcd2de03834a0ce0a892c856f2c0ea1457161
Instruction Fuzzy Hash: E7219271600204AFE761DF65CD45F6AFBE8EF14724F04886DEA858B652E375E408CB71

Uniqueness

Uniqueness Score: -1.00%

Function 010CA9BF Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(?), ref: 010CAA44

Memory Dump Source

Source File: 00000000.00000002.1987453935.00000000010CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ca000_QUuUm3J8x3.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: cc3fe40955252f36565ebd172fee0de69afaac9e28494183b00c8644a6e3204d
Instruction ID: 7432f9b9183d6d32818c0162114a4b3d6f34877608385c1aec8a2979e424d5a2
Opcode Fuzzy Hash: cc3fe40955252f36565ebd172fee0de69afaac9e28494183b00c8644a6e3204d
Instruction Fuzzy Hash: 8A21486550E3C4AFD7138B258C64A51BFB4EF53624F0E80DBE884CF5A3D2689809CB72

Uniqueness

Uniqueness Score: -1.00%

Function 010CAC37 Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(?,00000E24,A8DEAFEC,00000000,00000000,00000000,00000000), ref: 010CACBD

Memory Dump Source

Source File: 00000000.00000002.1987453935.00000000010CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ca000_QUuUm3J8x3.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: d7a5ea92a75f0d0d98eb591a8f02ab59ae209b0325c48145ff27137e772ecb42
Instruction ID: 4bfb9ef90480e141ea1ffde0b38cac1c3f52e5297c7d49183d96050cdf56a1ca
Opcode Fuzzy Hash: d7a5ea92a75f0d0d98eb591a8f02ab59ae209b0325c48145ff27137e772ecb42
Instruction Fuzzy Hash: D621F3B54093846FE7128B119C80BA6BFB8EF52724F0880DAF9848B293D264A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 010CB06A Relevance: 1.6, APIs: 1, Instructions: 72
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 010CB0DD

Memory Dump Source

Source File: 00000000.00000002.1987453935.00000000010CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ca000_QUuUm3J8x3.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 7069e0837157a515e45d02650e1dd273071f4231ff3a82831a6ea2902be160a7
Instruction ID: 7162049b288a427b826f8e4d66baeb64793c6d510a2f6ffeee63ee7a47a0d3e8
Opcode Fuzzy Hash: 7069e0837157a515e45d02650e1dd273071f4231ff3a82831a6ea2902be160a7
Instruction Fuzzy Hash: FF2180716012049FE720DB69DC46BAAFBE8EF14624F1484ADED858B742D775E408CA72

Uniqueness

Uniqueness Score: -1.00%

Function 010CAB7C Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 010CABF0

Memory Dump Source

Source File: 00000000.00000002.1987453935.00000000010CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ca000_QUuUm3J8x3.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 5a0bacf1aaea93da36c8a858f1040f84ac0550c81557af1e0967a107cc93a326
Instruction ID: b49b21830f846ab18e5f2d77466a938fac95aabb887bf3df46af7e050911f4a5
Opcode Fuzzy Hash: 5a0bacf1aaea93da36c8a858f1040f84ac0550c81557af1e0967a107cc93a326
Instruction Fuzzy Hash: 3021D4B55097C49FD7128B29DC94752BFB4EF03320F0984DBEC858B5A3D224A808C762

Uniqueness

Uniqueness Score: -1.00%

Function 010CA61E Relevance: 1.6, APIs: 1, Instructions: 65
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(?), ref: 010CA690

Memory Dump Source

Source File: 00000000.00000002.1987453935.00000000010CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ca000_QUuUm3J8x3.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 6d537a93794988619964080b659d50a301e49d564d209fc010280fe1820769e4
Instruction ID: 51c4b5be00d0ad1f3718f23dff6484113f56ea9866776d010b21f7aaea66ddc2
Opcode Fuzzy Hash: 6d537a93794988619964080b659d50a301e49d564d209fc010280fe1820769e4
Instruction Fuzzy Hash: AA21587150D3C49FDB138B259C94A56BFB4DF47224F0984DBEC848F1A3D269A908CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 010CA573 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010CA5DE

Memory Dump Source

Source File: 00000000.00000002.1987453935.00000000010CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ca000_QUuUm3J8x3.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8c4023e2797152ae2737e907f307c8b6976c91faf003f404bdd6629805d5fd15
Instruction ID: b53260df71c8f75d48f093602efc91a9da7893ed2ad68f38dec5908c9ca15bdb
Opcode Fuzzy Hash: 8c4023e2797152ae2737e907f307c8b6976c91faf003f404bdd6629805d5fd15
Instruction Fuzzy Hash: C311A271508380AFDB228F54DC44A66FFF4EF4A310F0888DEED858B563D275A418DB61

Uniqueness

Uniqueness Score: -1.00%

Function 010CAEAE Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000E24,A8DEAFEC,00000000,00000000,00000000,00000000), ref: 010CAF0D

Memory Dump Source

Source File: 00000000.00000002.1987453935.00000000010CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ca000_QUuUm3J8x3.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 305f371be7e80711f2892a738de83ea157ba49d2c06b612d96009a4b2923d56e
Instruction ID: 627a528bdb46aef5b55fd2a654568e95547ddf457a85ab79baab1409ee6f6ecd
Opcode Fuzzy Hash: 305f371be7e80711f2892a738de83ea157ba49d2c06b612d96009a4b2923d56e
Instruction Fuzzy Hash: DC11C471600204EFEB21CF95DC44FAAFBE8EF14724F04849EE9458B651D375E4098BB1

Uniqueness

Uniqueness Score: -1.00%

Function 010CB424 Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32(?), ref: 010CB480

Memory Dump Source

Source File: 00000000.00000002.1987453935.00000000010CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ca000_QUuUm3J8x3.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: 484a6319279c901becf9aa6235e7474b6f49c99641ec05a5153784fb3bbadaa0
Instruction ID: 5637292091e1be709333066115a18c0033f7eb158d13a894e0b5857974650da4
Opcode Fuzzy Hash: 484a6319279c901becf9aa6235e7474b6f49c99641ec05a5153784fb3bbadaa0
Instruction Fuzzy Hash: 67115E715093849FDB12CB29DC95B56BFF89F46620F0884EAED85CB252D264E908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 010CAC6A Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,A8DEAFEC,00000000,00000000,00000000,00000000), ref: 010CACBD

Memory Dump Source

Source File: 00000000.00000002.1987453935.00000000010CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ca000_QUuUm3J8x3.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: ac5314ac64671d0f5c7d73e3c8fc3f52db7a8f9761c3a128cec5c9bc814a54c1
Instruction ID: c8e6b100fe76c2f674f53be517ad2fb8b699fbd12e30e64a57571f5ae7e341e8
Opcode Fuzzy Hash: ac5314ac64671d0f5c7d73e3c8fc3f52db7a8f9761c3a128cec5c9bc814a54c1
Instruction Fuzzy Hash: E401D271604208AFE720CB05DC85BAAFBECDF65B24F04C09AED448B742D774E5088AB1

Uniqueness

Uniqueness Score: -1.00%

Function 010CB446 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 010CB480

Memory Dump Source

Source File: 00000000.00000002.1987453935.00000000010CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ca000_QUuUm3J8x3.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: da34d54af85bca59af90bd5ff1cf49b1106953664a6bb794cd0e74dd0517263c
Instruction ID: 7bdd5f50c891b4312e32b4affe7be0893c2717305509958a8cf631120bf0826a
Opcode Fuzzy Hash: da34d54af85bca59af90bd5ff1cf49b1106953664a6bb794cd0e74dd0517263c
Instruction Fuzzy Hash: EC0180716042048FDB50CF69D88675AFBE8DF05664F08C4AEED89CB652D774E408CF61

Uniqueness

Uniqueness Score: -1.00%

Function 010CA59A Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010CA5DE

Memory Dump Source

Source File: 00000000.00000002.1987453935.00000000010CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ca000_QUuUm3J8x3.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6ab685cc0226a7fcfa57cc3d8fa982892a7e7db22a858aee1d9d4865a6002295
Instruction ID: 963372d2d9bc9232702b32b078def24d5e1c1565e0801aecb4065bbaeb36e803
Opcode Fuzzy Hash: 6ab685cc0226a7fcfa57cc3d8fa982892a7e7db22a858aee1d9d4865a6002295
Instruction Fuzzy Hash: 7A015A715002049FDB218F55D844B5AFFE4EF58720F08889EEE854B612D375E418DF62

Uniqueness

Uniqueness Score: -1.00%

Function 010CA72E Relevance: 1.5, APIs: 1, Instructions: 43comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?,00000E24,?,?), ref: 010CA77E

Memory Dump Source

Source File: 00000000.00000002.1987453935.00000000010CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ca000_QUuUm3J8x3.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: f1b79650319d7358430e69d9cb931ac8b4111c4fe04a3cf334e429bf3e607835
Instruction ID: 743c248fb8db2c0d998c420264abfaf6bc878ed4fdd32664dbe1d04f7590d337
Opcode Fuzzy Hash: f1b79650319d7358430e69d9cb931ac8b4111c4fe04a3cf334e429bf3e607835
Instruction Fuzzy Hash: 6701A271600200ABD320DF16CC46B66FBE8FB88A20F148159EC089BB41D771F915CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 010CABBE Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 010CABF0

Memory Dump Source

Source File: 00000000.00000002.1987453935.00000000010CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ca000_QUuUm3J8x3.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 2dd48f375885be5bc0493a50fc3fe79b840260c322115205825e20bf1e06fe3f
Instruction ID: 54a80da968953b849b1d829aef5f06b49707fa11b4004a80eb0b08a0432eeb28
Opcode Fuzzy Hash: 2dd48f375885be5bc0493a50fc3fe79b840260c322115205825e20bf1e06fe3f
Instruction Fuzzy Hash: B5017C71604248DFDB108F59D8857AAFBE8DF05724F08C4AEED498B652E375E408CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 010CA65E Relevance: 1.5, APIs: 1, Instructions: 39comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 010CA690

Memory Dump Source

Source File: 00000000.00000002.1987453935.00000000010CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ca000_QUuUm3J8x3.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: a8f5816b0ab2b0f810b933bae9a8ed245ada888290389051c50ff7b259317921
Instruction ID: 594166eaacb371a24649794f714fb8df20927bfa2d2e5646f308e98ca645e318
Opcode Fuzzy Hash: a8f5816b0ab2b0f810b933bae9a8ed245ada888290389051c50ff7b259317921
Instruction Fuzzy Hash: 6B017C716042449FDB10CF55D88575AFBE4DF55724F08C4AADD898B252D379A4088EA2

Uniqueness

Uniqueness Score: -1.00%

Function 010CAA12 Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 010CAA44

Memory Dump Source

Source File: 00000000.00000002.1987453935.00000000010CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ca000_QUuUm3J8x3.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: bf7843f2d983eb280692f88f1a27c5df813bb22ce055f7cb91dc412d0ca691c9
Instruction ID: a92f30bcdb622f3782a015e0021b05aeb3cfcc9834717a0e71ad1e3754a30fa8
Opcode Fuzzy Hash: bf7843f2d983eb280692f88f1a27c5df813bb22ce055f7cb91dc412d0ca691c9
Instruction Fuzzy Hash: F8F0F431600244DFDB208F09D985769FBE4DF04724F08C09EED444B752D378E508CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 05093804 Relevance: .5, Instructions: 496COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1988208692.0000000005090000.00000040.00000800.00020000.00000000.sdmp, Offset: 05090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5090000_QUuUm3J8x3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7867ffdf56bee66df40511fc630f58483a9770e50cdc229f90a108ec2c3814
Instruction ID: 780186aa556385271a0b12123e29b50fbd1245e0a2ceb4cb2a9dcd70039d3286
Opcode Fuzzy Hash: 6c7867ffdf56bee66df40511fc630f58483a9770e50cdc229f90a108ec2c3814
Instruction Fuzzy Hash: 9732F830A01228CFDB18EF75D855BEDB7B2BB49304F1045A9E509AB399DB359E85CF80

Uniqueness

Uniqueness Score: -1.00%

Function 050939BF Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1988208692.0000000005090000.00000040.00000800.00020000.00000000.sdmp, Offset: 05090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5090000_QUuUm3J8x3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba3f1d35886ee4c54a299042d6fdeb596bbe8b959adf06474bf5cdb91ffe3c81
Instruction ID: 71ca78b2a378bca8ecfe8fa72bdb7c6fe54100713eec640459c9975d92eb6614
Opcode Fuzzy Hash: ba3f1d35886ee4c54a299042d6fdeb596bbe8b959adf06474bf5cdb91ffe3c81
Instruction Fuzzy Hash: 65815C30A012288FDB18EFB5D854BEDB7B2BF89304F0045A9E509AB398DB755D85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05093B18 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1988208692.0000000005090000.00000040.00000800.00020000.00000000.sdmp, Offset: 05090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5090000_QUuUm3J8x3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d9c0f21e2e1df7946ac5370ee1a7c0f7e97e9d4d6dcd035124d9e3ee973afb6
Instruction ID: a9f6b03b92cacbe308defd15af795bf5459d370a7278c57211686961c1941624
Opcode Fuzzy Hash: 5d9c0f21e2e1df7946ac5370ee1a7c0f7e97e9d4d6dcd035124d9e3ee973afb6
Instruction Fuzzy Hash: 09415D30A00218CFDB14EBB5D954BECB7B2BF59304F1045AEE005AB295CB755E84CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05090958 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1988208692.0000000005090000.00000040.00000800.00020000.00000000.sdmp, Offset: 05090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5090000_QUuUm3J8x3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98191415cca7b5f23efa4721cdb92511aeada7bab8b6e05233dd3cde09083edc
Instruction ID: a35f95b9cef1099f9365e648d618ab1f0977e4f8301bd781c8b7d2e6641c1f8d
Opcode Fuzzy Hash: 98191415cca7b5f23efa4721cdb92511aeada7bab8b6e05233dd3cde09083edc
Instruction Fuzzy Hash: 3131C731B012218FDB44BB75D8257BE33A69FD8208F104429D415DB7E8EF398D059BD1

Uniqueness

Uniqueness Score: -1.00%

Function 050900B8 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1988208692.0000000005090000.00000040.00000800.00020000.00000000.sdmp, Offset: 05090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5090000_QUuUm3J8x3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f28e58259bed568a6f5ca5b7b5c387328422f604fb9a46302c87e5efd5c5826e
Instruction ID: 4edb5f91570eda45c3518686903c31eec615c8ed63e4f55714d6bb12c52320b9
Opcode Fuzzy Hash: f28e58259bed568a6f5ca5b7b5c387328422f604fb9a46302c87e5efd5c5826e
Instruction Fuzzy Hash: DE3105327053419FD715AB769811BAD3F67AFD2248F1885AEE081DF292CF7A4C46C391

Uniqueness

Uniqueness Score: -1.00%

Function 05090118 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1988208692.0000000005090000.00000040.00000800.00020000.00000000.sdmp, Offset: 05090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5090000_QUuUm3J8x3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0be6db9552bcc882fd05f1279ac9d99950680d47da437974d80a0e0a8e24e5cf
Instruction ID: e5a12abbfeff55b77115ee11e9371d25f9515b5b524f61397694ff0d813edcd8
Opcode Fuzzy Hash: 0be6db9552bcc882fd05f1279ac9d99950680d47da437974d80a0e0a8e24e5cf
Instruction Fuzzy Hash: F611C2327052918FC325B776A4106AD3FA36BE624835844AEE081DF366CF7A8C49C792

Uniqueness

Uniqueness Score: -1.00%

Function 05090080 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1988208692.0000000005090000.00000040.00000800.00020000.00000000.sdmp, Offset: 05090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5090000_QUuUm3J8x3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4e9588c7de38ee2338a4f5737d4c2a7fa7e4225be59a322b3f5600ce24ae3c2
Instruction ID: 9f4305d4e2e72220ceb79b08a5ff1d66a4af30c0d851cca99df51098caee6660
Opcode Fuzzy Hash: d4e9588c7de38ee2338a4f5737d4c2a7fa7e4225be59a322b3f5600ce24ae3c2
Instruction Fuzzy Hash: A801D672A05341AFEB059BB0CC5179E3F72EF43214F0840AFD184DB1D2EA795845C750

Uniqueness

Uniqueness Score: -1.00%

Function 012A05E0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1987828130.00000000012A0000.00000040.00000020.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12a0000_QUuUm3J8x3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9d20076e1bb932581aa9cd5a3a95ee0354b179d07dfa1849d4c8e63b1c9b635
Instruction ID: 46086d8139bcaa0613ef250fb53e0029888d686dea384799eb66fac6b03016d3
Opcode Fuzzy Hash: c9d20076e1bb932581aa9cd5a3a95ee0354b179d07dfa1849d4c8e63b1c9b635
Instruction Fuzzy Hash: A2F086B65093805FD7118B16AC41863FFE8DB96630719C49FFC49CB612D225A809CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05090879 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1988208692.0000000005090000.00000040.00000800.00020000.00000000.sdmp, Offset: 05090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5090000_QUuUm3J8x3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15856bb45ae677c0a03e9505a37cc17dd8ad99b05bd7272290c80974584c3429
Instruction ID: 609fd23ec75c67d987004fef766b9888bd1c2a45076d58a200acc765e6a05fec
Opcode Fuzzy Hash: 15856bb45ae677c0a03e9505a37cc17dd8ad99b05bd7272290c80974584c3429
Instruction Fuzzy Hash: F3014C306063428FCB00EF74D55849D77E2AFD8248B50885DF9C5DBB69EF7598488B42

Uniqueness

Uniqueness Score: -1.00%

Function 012A0606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1987828130.00000000012A0000.00000040.00000020.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12a0000_QUuUm3J8x3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aed879c7e0e74ea7788e00068d66be772210a447d6230091c77b40209f485b59
Instruction ID: 05f43a3155d42ba483e0007927c2143054c3fce6d07329bd7e1e18844aa9da82
Opcode Fuzzy Hash: aed879c7e0e74ea7788e00068d66be772210a447d6230091c77b40209f485b59
Instruction Fuzzy Hash: 55E092B66046044B9750DF0AEC41456FBE8EB84630B08C07FEC0D8BB01D676B909CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 050936A8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1988208692.0000000005090000.00000040.00000800.00020000.00000000.sdmp, Offset: 05090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5090000_QUuUm3J8x3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94d58f524509fe4b6bd1e95cd4d9fdfb7ef9ed6c2a06436f18d1d0014cd28f15
Instruction ID: 97c448f8b24b60052c493f18704247891f0b404dbc6fae99f89269c2670991bc
Opcode Fuzzy Hash: 94d58f524509fe4b6bd1e95cd4d9fdfb7ef9ed6c2a06436f18d1d0014cd28f15
Instruction Fuzzy Hash: DEE0EC311173808FC7171770A1180583B319F8730D35408EFD485CEAABD63B9886C700

Uniqueness

Uniqueness Score: -1.00%

Function 010C23F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1987443080.00000000010C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c2000_QUuUm3J8x3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4205279257610a071ed83d4e415bfd2803fc22e41fe2bd873c433a538709fb5a
Instruction ID: 429ad27cdd685d132762577438a582ad6c71205339bedea5448fa235b5436aba
Opcode Fuzzy Hash: 4205279257610a071ed83d4e415bfd2803fc22e41fe2bd873c433a538709fb5a
Instruction Fuzzy Hash: A8D05E7A2056D14FE3169B1CC1A4B9D7BE4AB61B14F4A44FDAC408BB63CB68D5D1DA00

Uniqueness

Uniqueness Score: -1.00%

Function 010C23BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1987443080.00000000010C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c2000_QUuUm3J8x3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e33f493df87d8eddb4c13e57fa428c914ffba81cccf337283d5e18b2ff347e3
Instruction ID: 3e37fd5392b668e872d1b886e8e94e3927fac8f17535e9effe9d344c18bd57d3
Opcode Fuzzy Hash: 2e33f493df87d8eddb4c13e57fa428c914ffba81cccf337283d5e18b2ff347e3
Instruction Fuzzy Hash: 3CD05E343002814BD715DB0CC6D5F5D3BD4AB50B14F0684ECAC508BB62C7A4D8C0CE00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 050944F1 Relevance: 2.9, Strings: 1, Instructions: 1624COMMON

Download Yara Rule

Strings

, xrefs: 05094BC4

Memory Dump Source

Source File: 00000000.00000002.1988208692.0000000005090000.00000040.00000800.00020000.00000000.sdmp, Offset: 05090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5090000_QUuUm3J8x3.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: f47cdad9474f23805fa1570abccfa1740f48e98bb7bb93676340c164e3836118
Instruction ID: 7201dfcfda89cb814e004246198d28d2dea54adcd5a7a4c0dde4ce600180bbb6
Opcode Fuzzy Hash: f47cdad9474f23805fa1570abccfa1740f48e98bb7bb93676340c164e3836118
Instruction Fuzzy Hash: 6C031974A01228CFDB29EF31D855BADB7B2BB48304F1041E9E9496B3A8DB355E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05094544 Relevance: 2.9, Strings: 1, Instructions: 1618COMMON

Download Yara Rule

Strings

, xrefs: 05094BC4

Memory Dump Source

Source File: 00000000.00000002.1988208692.0000000005090000.00000040.00000800.00020000.00000000.sdmp, Offset: 05090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5090000_QUuUm3J8x3.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 75c16d32cd47da459f5a085b41186d8472cfd34549b9ec2ea3775da93b1c1d57
Instruction ID: f72a7e43e99b12b13f229ed25398c5db2f630019d4f37ddf240dd1370f18dd09
Opcode Fuzzy Hash: 75c16d32cd47da459f5a085b41186d8472cfd34549b9ec2ea3775da93b1c1d57
Instruction Fuzzy Hash: 23031974A01228CFDB29EF31D855BADB7B2BB48304F1041E9E9496B3A8DB355E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05094630 Relevance: 2.8, Strings: 1, Instructions: 1579COMMON

Download Yara Rule

Strings

, xrefs: 05094BC4

Memory Dump Source

Source File: 00000000.00000002.1988208692.0000000005090000.00000040.00000800.00020000.00000000.sdmp, Offset: 05090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5090000_QUuUm3J8x3.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: fd151ebb72e2c2adb5640e7d7b6f0472b97dd14ac6322d077d13aacc3acfcce1
Instruction ID: f5960d48e37e92af071623d11b2a61332fa5d4ddba1b2234b9258ee8b0a57737
Opcode Fuzzy Hash: fd151ebb72e2c2adb5640e7d7b6f0472b97dd14ac6322d077d13aacc3acfcce1
Instruction Fuzzy Hash: E4031974A01228CFDB69EF31D854BADB7B2BB48304F1041E9E9496B3A8DB355E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0509470F Relevance: 2.8, Strings: 1, Instructions: 1544COMMON

Download Yara Rule

Strings

, xrefs: 05094BC4

Memory Dump Source

Source File: 00000000.00000002.1988208692.0000000005090000.00000040.00000800.00020000.00000000.sdmp, Offset: 05090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5090000_QUuUm3J8x3.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 5321a169aa11ed2bca9a989d21ebf489ac48c6ef689de3e98886bee789aa89df
Instruction ID: d6b81c40047ad7656af5ed5ee9c4bdfd47f31928d7b0482bb01695039b295ee9
Opcode Fuzzy Hash: 5321a169aa11ed2bca9a989d21ebf489ac48c6ef689de3e98886bee789aa89df
Instruction Fuzzy Hash: C7F21974A01228CFDB29EF31D854BADB7B2BB48304F1041E9E9496B3A8DB355E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 050947D4 Relevance: 2.8, Strings: 1, Instructions: 1513COMMON

Download Yara Rule

Strings

, xrefs: 05094BC4

Memory Dump Source

Source File: 00000000.00000002.1988208692.0000000005090000.00000040.00000800.00020000.00000000.sdmp, Offset: 05090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5090000_QUuUm3J8x3.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 079aa03f4caa4b2fe8e973033c750ed8fa38366fd3774545fc1d0b041478f540
Instruction ID: 38842b392223fa4f7ed76c8ccdc1708b8f1f7d7d8b61bf3fc3aa05b168507d91
Opcode Fuzzy Hash: 079aa03f4caa4b2fe8e973033c750ed8fa38366fd3774545fc1d0b041478f540
Instruction Fuzzy Hash: 0AF22974A01228CFDB29EF31D854BADB7B2BB48304F1041E9E9496B3A8DB355E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05094936 Relevance: 2.7, Strings: 1, Instructions: 1456COMMON

Download Yara Rule

Strings

, xrefs: 05094BC4

Memory Dump Source

Source File: 00000000.00000002.1988208692.0000000005090000.00000040.00000800.00020000.00000000.sdmp, Offset: 05090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5090000_QUuUm3J8x3.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: fb662914f1f510668b2df690ba02a328a7a6deaa94a650849f0e97898197f349
Instruction ID: 14663b19252c4131d1e805c1605f5782c33c7a08717ef5c49375e1651ddb3903
Opcode Fuzzy Hash: fb662914f1f510668b2df690ba02a328a7a6deaa94a650849f0e97898197f349
Instruction Fuzzy Hash: 3AF22974A05228CFDB29EF31D854BADB7B2BB48304F1041E9E9496B3A8DB355E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0509499D Relevance: 2.7, Strings: 1, Instructions: 1447COMMON

Download Yara Rule

Strings

, xrefs: 05094BC4

Memory Dump Source

Source File: 00000000.00000002.1988208692.0000000005090000.00000040.00000800.00020000.00000000.sdmp, Offset: 05090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5090000_QUuUm3J8x3.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 6557fc49b2902bd604b99a8da0a1a94023abc9f11e57a404ac4f5545a56ec35c
Instruction ID: 93509e8e4852330d2c25722d90e973a42d95f7b430fab0aabc0d4e2257932bff
Opcode Fuzzy Hash: 6557fc49b2902bd604b99a8da0a1a94023abc9f11e57a404ac4f5545a56ec35c
Instruction Fuzzy Hash: 95F22974A01228CFDB69EF31D854BADB7B2BB48304F1041E9E9496B3A8DB355E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 050949F9 Relevance: 2.7, Strings: 1, Instructions: 1440COMMON

Download Yara Rule

Strings

, xrefs: 05094BC4

Memory Dump Source

Source File: 00000000.00000002.1988208692.0000000005090000.00000040.00000800.00020000.00000000.sdmp, Offset: 05090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5090000_QUuUm3J8x3.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 602599384b00a886ef9174aa9d4c01a4a2d6451b6999c5a702b9982c7ea7c6ed
Instruction ID: 0d83749fa35a955262480db548daad8555b94ab0d55e784177573e041273ace1
Opcode Fuzzy Hash: 602599384b00a886ef9174aa9d4c01a4a2d6451b6999c5a702b9982c7ea7c6ed
Instruction Fuzzy Hash: 71F21974A01228CFDB69EF31D854BADB7B2BB48304F1041E9E9496B3A8DB355E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05094B5B Relevance: 2.6, Strings: 1, Instructions: 1383COMMON

Download Yara Rule

Strings

, xrefs: 05094BC4

Memory Dump Source

Source File: 00000000.00000002.1988208692.0000000005090000.00000040.00000800.00020000.00000000.sdmp, Offset: 05090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5090000_QUuUm3J8x3.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: a9f46ab52f5f6c4d165fbcd8d32812c9faba7a94c555fe6480ffed86316de41d
Instruction ID: 0aa4ee61c6d034d9d2d3e5e32dbecd9c6a7a3fd0fe50f7a0088bf9ae62458e3b
Opcode Fuzzy Hash: a9f46ab52f5f6c4d165fbcd8d32812c9faba7a94c555fe6480ffed86316de41d
Instruction Fuzzy Hash: 9EE21974A01228CFDB69EF31D854BADB7B2BB48304F1041E9E9496B3A8DB355E81CF51

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: server.exePID: 2452, Parent PID: 6412COMMON

Execution Graph

Execution Coverage:	20.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.4%
Total number of Nodes:	123
Total number of Limit Nodes:	4

Executed Functions

Function 05ED2677 Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 05ED26F7

Memory Dump Source

Source File: 00000002.00000002.4433238365.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ed0000_server.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: b9c1be93f9279a4c68f499d175c58bf3e8970b922323efa102d647fbf45cb1fa
Instruction ID: 927605b119ad1919099a0f664ed7a27f439a011cbe2790aabfd95222841f88e2
Opcode Fuzzy Hash: b9c1be93f9279a4c68f499d175c58bf3e8970b922323efa102d647fbf45cb1fa
Instruction Fuzzy Hash: 6F219F765097809FEB228F25DC44B52BFB4FF06314F0884DAE9858F563D271E918DB62

Uniqueness

Uniqueness Score: -1.00%

Function 05ED26AE Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 05ED26F7

Memory Dump Source

Source File: 00000002.00000002.4433238365.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ed0000_server.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: cb796d935bdba69ec74c01064d9386ba39a1a47d80946d84d5963b0814c31024
Instruction ID: 2d72aef91a68a419e1288eddca69a0b7c1aa827eea4dbbd289366d544f0b37c5
Opcode Fuzzy Hash: cb796d935bdba69ec74c01064d9386ba39a1a47d80946d84d5963b0814c31024
Instruction Fuzzy Hash: E7118C366002009FEB20CF55D844B66FBE8EF04324F08C4AAEE868B652D331E418DF71

Uniqueness

Uniqueness Score: -1.00%

Function 05718D80 Relevance: 1.8, APIs: 1, Instructions: 335
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 05718DBA

Memory Dump Source

Source File: 00000002.00000002.4432946696.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5710000_server.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b00d498d084f85fc74f73faff72227e4a023dba031a301a3c5ca6e19397158c3
Instruction ID: 26d19148c707bc944789ff5b46cb65975258f6a1c4d8e72513b1b10f4564b7f8
Opcode Fuzzy Hash: b00d498d084f85fc74f73faff72227e4a023dba031a301a3c5ca6e19397158c3
Instruction Fuzzy Hash: 6ED11C31A00205DFCB09DFB5E461AAD77BAFF88344B118429E816973A4DF399C46EF90

Uniqueness

Uniqueness Score: -1.00%

Function 05718D6F Relevance: 1.8, APIs: 1, Instructions: 264
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 05718DBA

Memory Dump Source

Source File: 00000002.00000002.4432946696.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5710000_server.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 0fdc088e119e34b2ff49a676b1990a1c473829aa748f61c67b1509593b83607c
Instruction ID: 29246ceb65b18b2442e8d8a096ca5ece8fc6b6bc0b0323e92e4bace0a78d1bce
Opcode Fuzzy Hash: 0fdc088e119e34b2ff49a676b1990a1c473829aa748f61c67b1509593b83607c
Instruction Fuzzy Hash: 3BA12931A00205DFCB09DBB4E461A6E77B6FF88344F118469E816973B4DB399C8AEF50

Uniqueness

Uniqueness Score: -1.00%

Function 05ED214E Relevance: 1.6, APIs: 1, Instructions: 130
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 05ED2249

Memory Dump Source

Source File: 00000002.00000002.4433238365.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ed0000_server.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: a0e6f6500d24f02952be6724ed9a5e5405d08dc17254d29baf5bbb7a649b11a2
Instruction ID: 6abf051d4ece7579232a6b88c49ec9061aa0f654754fa5adbe58fdf15305d32e
Opcode Fuzzy Hash: a0e6f6500d24f02952be6724ed9a5e5405d08dc17254d29baf5bbb7a649b11a2
Instruction Fuzzy Hash: 05417C751093806FE7238B618C50FA2BFB8EF16614F0985DAE9C5CB563D264E809CB72

Uniqueness

Uniqueness Score: -1.00%

Function 05ED0CC7 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.4433238365.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ed0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e44929a21e6a33c96c6e17a4136da4a7a5765e63a92fca750fa8f0ec7b8be97b
Instruction ID: 827d75a020d0f62e14510f194628b331798845d341a98ca8e550ea2b1bbdcfca
Opcode Fuzzy Hash: e44929a21e6a33c96c6e17a4136da4a7a5765e63a92fca750fa8f0ec7b8be97b
Instruction Fuzzy Hash: 464190724093C05FE7238B259C45B96BFB4EF07224F0989DBE9858B1A3D265A90DC772

Uniqueness

Uniqueness Score: -1.00%

Function 0174B126 Relevance: 1.6, APIs: 1, Instructions: 108registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0174B1F5

Memory Dump Source

Source File: 00000002.00000002.4425385987.000000000174A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_174a000_server.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: ec091ca0f807654646f9fe2c961916b1494847ea3104e6eb102ae8e10b9eae03
Instruction ID: 29cf53a7a83a77f56cea7241bc2f7d86aa9f2c7318f5da468e85a762df22a097
Opcode Fuzzy Hash: ec091ca0f807654646f9fe2c961916b1494847ea3104e6eb102ae8e10b9eae03
Instruction Fuzzy Hash: 383182715093806FE7238B658C54BA6BFB8EF17210F0884DBE980CB563D224E909C771

Uniqueness

Uniqueness Score: -1.00%

Function 05ED063F Relevance: 1.6, APIs: 1, Instructions: 98registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 05ED0706

Memory Dump Source

Source File: 00000002.00000002.4433238365.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ed0000_server.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: d90fa0c2480f53ffdb4738b8c278bdcd9df0fa4f00ce55428b84f52ed4da5c85
Instruction ID: f483d5894bca4e4e57ef680c24b1a1725997462483032e13630114b0299a006c
Opcode Fuzzy Hash: d90fa0c2480f53ffdb4738b8c278bdcd9df0fa4f00ce55428b84f52ed4da5c85
Instruction Fuzzy Hash: F9318D6110E3C06FD3138B218C65A61BFB4EF87610F0E85CBD8C48F6A3D259A909C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 05ED13DC Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E24), ref: 05ED14A3

Memory Dump Source

Source File: 00000002.00000002.4433238365.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ed0000_server.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: a617bcc49a0d2c11c110bd809198978a531b8cc57d7de1db0b809702b7b2451b
Instruction ID: 2fb7af3eb2791a4cf4116c8cc4c89b136587884a6597e1d396692ff98beb0b24
Opcode Fuzzy Hash: a617bcc49a0d2c11c110bd809198978a531b8cc57d7de1db0b809702b7b2451b
Instruction Fuzzy Hash: 0331C2B1104344AFE721CB61DC44FA6FBACEF14714F04889AFA489B692D374E949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05ED12D4 Relevance: 1.6, APIs: 1, Instructions: 92timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E24,74469BA2,00000000,00000000,00000000,00000000), ref: 05ED1371

Memory Dump Source

Source File: 00000002.00000002.4433238365.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ed0000_server.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 0a93a787f88b8938ec97fd9dbf55a0e8d158852eb7184f958b2407fafb71aef0
Instruction ID: c0661a166974b9c64715c68d7b670a77c16feb46e2f5fbfc3985f2788913f48a
Opcode Fuzzy Hash: 0a93a787f88b8938ec97fd9dbf55a0e8d158852eb7184f958b2407fafb71aef0
Instruction Fuzzy Hash: 5031E8715097806FE7228F21DC44FA6BFB8EF16324F0884DBE8848F552D325A509C771

Uniqueness

Uniqueness Score: -1.00%

Function 0174AA75 Relevance: 1.6, APIs: 1, Instructions: 92fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0174AB25

Memory Dump Source

Source File: 00000002.00000002.4425385987.000000000174A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_174a000_server.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8e88dbf45eb4a26755dda61462eecf8292c1a2dd56f4b99321c278273bf04f5f
Instruction ID: c1fadf8dc1a300a0b707dd036445da07e72bb2ff54a662d161923f61c174705f
Opcode Fuzzy Hash: 8e88dbf45eb4a26755dda61462eecf8292c1a2dd56f4b99321c278273bf04f5f
Instruction Fuzzy Hash: B8314D71509340AFE722CF65CC85F56BBF8EF06614F08889AE9858B652D365E908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05ED0BD0 Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 05ED0C67

Memory Dump Source

Source File: 00000002.00000002.4433238365.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ed0000_server.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 5afde0d2bd9ab99d0d65534c995289d25395965b4feabb841e8b6300b8a178c3
Instruction ID: 9a81790643b23c2443a77ea40d776b9e529592f29b2764b11f3d1ab6976dffd1
Opcode Fuzzy Hash: 5afde0d2bd9ab99d0d65534c995289d25395965b4feabb841e8b6300b8a178c3
Instruction Fuzzy Hash: 6131C372504384AFE721CB65DC44FA7BFF8EF05214F0884AAE985CB652D364E909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0174AF76 Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0174B01D

Memory Dump Source

Source File: 00000002.00000002.4425385987.000000000174A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_174a000_server.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 791610670491cf5f8785277c4594035d84cc25bec4202fbe85542d1d6b0c9601
Instruction ID: 5a2e384f205490825324e4e74dfbb427c0c1e0d5e9ff9b8f6946466ff94f812a
Opcode Fuzzy Hash: 791610670491cf5f8785277c4594035d84cc25bec4202fbe85542d1d6b0c9601
Instruction Fuzzy Hash: 3D3161715093806FE722CB65DC45B96FFF8EF06214F08849AE985CB292D375E909C772

Uniqueness

Uniqueness Score: -1.00%

Function 0174B23D Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,74469BA2,00000000,00000000,00000000,00000000), ref: 0174B2F8

Memory Dump Source

Source File: 00000002.00000002.4425385987.000000000174A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_174a000_server.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: dbe8b53cf9ef4f20ac615c80286cdd1d534484412ef8b5e143e80078b4064a6d
Instruction ID: 04156079034af0bb881ca45cb951bd676bb4e455bfbb39b56034797f298183d4
Opcode Fuzzy Hash: dbe8b53cf9ef4f20ac615c80286cdd1d534484412ef8b5e143e80078b4064a6d
Instruction Fuzzy Hash: 2331AD751093846FE722CF25CC45FA6BFB8EF06624F08849AE985CB253D364E948CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05ED21AE Relevance: 1.6, APIs: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 05ED2249

Memory Dump Source

Source File: 00000002.00000002.4433238365.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ed0000_server.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 441d51e9a6d8f9eb85583f5d7d6f971543d6ea5ac62a7b59e614d00fa8275265
Instruction ID: 7e6c088fdc94c43efca607444074ac0e19c941bf2d51758db57d92d433af33e5
Opcode Fuzzy Hash: 441d51e9a6d8f9eb85583f5d7d6f971543d6ea5ac62a7b59e614d00fa8275265
Instruction Fuzzy Hash: 1F21A076600204AFEB31DE55CC44FA7FBECFF28614F04855AFA85CA651E760E5098A71

Uniqueness

Uniqueness Score: -1.00%

Function 0174A6CE Relevance: 1.6, APIs: 1, Instructions: 85comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?,00000E24,?,?), ref: 0174A77E

Memory Dump Source

Source File: 00000002.00000002.4425385987.000000000174A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_174a000_server.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 6affb1d1c14ccdb74681eae8fecad7be7dd6a4eb7d2b7642d313f73cb9d4126a
Instruction ID: 9d78a3afc77e004abfb5a802f44d556e28f7ffdcf711c62f2c940d292bce4fb5
Opcode Fuzzy Hash: 6affb1d1c14ccdb74681eae8fecad7be7dd6a4eb7d2b7642d313f73cb9d4126a
Instruction Fuzzy Hash: AE316F7114E3C06FD3138B259C61B61BFB4EF87610F0A80CBD884CB5A3D2656919D772

Uniqueness

Uniqueness Score: -1.00%

Function 05ED13FE Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E24), ref: 05ED14A3

Memory Dump Source

Source File: 00000002.00000002.4433238365.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ed0000_server.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 09c9a48eb590a7c5c8edde3a92dc2caaeea390632b1f317d3dcf55b62f7531d2
Instruction ID: d29bc4384b10b88c56ff093b97c5174ed262a900ea74144510c3850db8017ec1
Opcode Fuzzy Hash: 09c9a48eb590a7c5c8edde3a92dc2caaeea390632b1f317d3dcf55b62f7531d2
Instruction Fuzzy Hash: 3421BF71100204AFEB31DB60DC85FBAF7ACEF14718F04885AFA489A681D7B4E549CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0174B42C Relevance: 1.6, APIs: 1, Instructions: 82windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(?,00000E24), ref: 0174B4D5

Memory Dump Source

Source File: 00000002.00000002.4425385987.000000000174A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_174a000_server.jbxd

Similarity

API ID: MessageSendTimeout
String ID:
API String ID: 1599653421-0
Opcode ID: 3629c9d9c5f1480276e7d8330a593258f1bde5cd1164a21d6c41e1c01095be14
Instruction ID: 4000512fc7861e3e440b5be6bdb769e0495bb77897679e6da54dceb1aaca996b
Opcode Fuzzy Hash: 3629c9d9c5f1480276e7d8330a593258f1bde5cd1164a21d6c41e1c01095be14
Instruction Fuzzy Hash: B421D271504380AFEB228F61DC44FA2FFB8EF46310F08849AEA858B562D375E509CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05ED2421 Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

select.WS2_32(?,?,?,?,?), ref: 05ED24B0

Memory Dump Source

Source File: 00000002.00000002.4433238365.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ed0000_server.jbxd

Similarity

API ID: select
String ID:
API String ID: 1274211008-0
Opcode ID: 43159ae7c92540c80740143ce7a99b4999f0775128982b47ac652e87c8256591
Instruction ID: e6232afa51bdd98310f8174c0eba2c29f948b0cd9365635a7280aeffc4e9fd28
Opcode Fuzzy Hash: 43159ae7c92540c80740143ce7a99b4999f0775128982b47ac652e87c8256591
Instruction Fuzzy Hash: 122148755083849FEB22CF25DC44AA2BFF8FF06214F08849AED85CB162D265A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05ED27F9 Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E24,74469BA2,00000000,00000000,00000000,00000000), ref: 05ED2880

Memory Dump Source

Source File: 00000002.00000002.4433238365.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ed0000_server.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 388662035e6f9af55bce3fbc6a79c00bb8e5d234dd34a94be9dc3c1c4c47b489
Instruction ID: 14dc520419ed2cf2c482720d09b7309a6378d97b75b252ca0ccc0b3926aa346a
Opcode Fuzzy Hash: 388662035e6f9af55bce3fbc6a79c00bb8e5d234dd34a94be9dc3c1c4c47b489
Instruction Fuzzy Hash: BF21C1755093806FE712CB25CC44FA6BFB8EF02314F0884DBE984CF192D264A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05ED0732 Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 05ED07BE

Memory Dump Source

Source File: 00000002.00000002.4433238365.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ed0000_server.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 79c3959260dcbc4f202910e69052155a969377baf618d871d503eb77ccba6d75
Instruction ID: 4d2d4b1338257332d5ea549b9213256eec59d64cfae7b79eedd4edcd5323cf27
Opcode Fuzzy Hash: 79c3959260dcbc4f202910e69052155a969377baf618d871d503eb77ccba6d75
Instruction Fuzzy Hash: 43218D71505380AFE721CF51CC45F96FFB8EF05224F08889EE9858B652D375A508CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0174B34E Relevance: 1.6, APIs: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,74469BA2,00000000,00000000,00000000,00000000), ref: 0174B3E4

Memory Dump Source

Source File: 00000002.00000002.4425385987.000000000174A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_174a000_server.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: fa6a7e7267f5025420509af30ed19d101adcb38094f6645b496317ece7bcd64b
Instruction ID: 6f5664192350f9346f9e71874927d3e46eb82c3ff4ff26f222f0ea5229a7c00d
Opcode Fuzzy Hash: fa6a7e7267f5025420509af30ed19d101adcb38094f6645b496317ece7bcd64b
Instruction Fuzzy Hash: 482190725093806FE7228F55DC44FA7FFB8EF56610F08849AE9859B292D364E908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05ED0BF6 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 05ED0C67

Memory Dump Source

Source File: 00000002.00000002.4433238365.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ed0000_server.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: a6240d3a08270d1028a629ad5d001acec463b350388b8657b5dce1efeda24d59
Instruction ID: e04c5a67383d688e5c017b9eab08aa272744b9a97afe0234f2b01d9d47a8e8d8
Opcode Fuzzy Hash: a6240d3a08270d1028a629ad5d001acec463b350388b8657b5dce1efeda24d59
Instruction Fuzzy Hash: 8321A772600204AFE720DF65DC45FAAFBECEF14714F08846AED45CB651E774E5098A71

Uniqueness

Uniqueness Score: -1.00%

Function 05ED0ADE Relevance: 1.6, APIs: 1, Instructions: 76registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,74469BA2,00000000,00000000,00000000,00000000), ref: 05ED0B7C

Memory Dump Source

Source File: 00000002.00000002.4433238365.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ed0000_server.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 9c613be849cf07c3bd1bd4f62fed54cd428356b4366db0798305723a0b4e8e01
Instruction ID: f2cfbbdd65a8c75345a026f2cd3b1c51d7ba2e857477a32567f4bdeb317ddea6
Opcode Fuzzy Hash: 9c613be849cf07c3bd1bd4f62fed54cd428356b4366db0798305723a0b4e8e01
Instruction Fuzzy Hash: E0219F72509380AFE721CF11CC48F66FBF8AF45714F08849AE9859B292D365E909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0174AAA6 Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0174AB25

Memory Dump Source

Source File: 00000002.00000002.4425385987.000000000174A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_174a000_server.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 58cadc704f7fca9484be1c95a394cf5e95835e00a89c3c3340582f4de0740286
Instruction ID: e2f27747d1664b4f44fa04561d805e68f6f546ff43f3465c09347c84bd43a548
Opcode Fuzzy Hash: 58cadc704f7fca9484be1c95a394cf5e95835e00a89c3c3340582f4de0740286
Instruction Fuzzy Hash: D6219271600200AFEB21DF65CC45F66FBE9EF18724F04886DE9468B651D375E408CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0174B176 Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0174B1F5

Memory Dump Source

Source File: 00000002.00000002.4425385987.000000000174A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_174a000_server.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: bd117d1dfb7f8de8e69b6d8fdbf4c4911bbb92aa7d2897f175ed1c2a062394ea
Instruction ID: 9b7cab67268e5d2a2eb51382244e01882ef74cd7660377bdff8006d1259d290c
Opcode Fuzzy Hash: bd117d1dfb7f8de8e69b6d8fdbf4c4911bbb92aa7d2897f175ed1c2a062394ea
Instruction Fuzzy Hash: C621A172500204AFE7319F55DC45FABFBECEF28724F04845AEA45CB652D774E9088A72

Uniqueness

Uniqueness Score: -1.00%

Function 05ED28E3 Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E24,74469BA2,00000000,00000000,00000000,00000000), ref: 05ED295F

Memory Dump Source

Source File: 00000002.00000002.4433238365.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ed0000_server.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: b2e2113bc64a3e4c98af9db6668ab369a6be9b237c72225b5540dd616747834f
Instruction ID: 12f51f03c300b453c5f5be1126226d6d285f2c3a5fb7b61bd0c076ce1be31db6
Opcode Fuzzy Hash: b2e2113bc64a3e4c98af9db6668ab369a6be9b237c72225b5540dd616747834f
Instruction Fuzzy Hash: 9B2195715053846FD721CB65DC44FA6BFB8EF45214F08849AE945DB152D374E508CB72

Uniqueness

Uniqueness Score: -1.00%

Function 05ED29C7 Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E24,74469BA2,00000000,00000000,00000000,00000000), ref: 05ED2A43

Memory Dump Source

Source File: 00000002.00000002.4433238365.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ed0000_server.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: b2e2113bc64a3e4c98af9db6668ab369a6be9b237c72225b5540dd616747834f
Instruction ID: 61ec9ee6a1fa9fda0594001344d63bb24672036cc52e751f75c26f790cfb2353
Opcode Fuzzy Hash: b2e2113bc64a3e4c98af9db6668ab369a6be9b237c72225b5540dd616747834f
Instruction Fuzzy Hash: 1F21C2715093846FE721CB21CC44FA6FFA8EF46214F0884AAE945DF152D374E908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0174ADCE Relevance: 1.6, APIs: 1, Instructions: 73fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E24,74469BA2,00000000,00000000,00000000,00000000), ref: 0174AE4D

Memory Dump Source

Source File: 00000002.00000002.4425385987.000000000174A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_174a000_server.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 442b0182573b742e05457d5aaff2084b24142f14cc0d66dfc36953484d81731d
Instruction ID: bad7731a7145c78f313dccf8ecba034fa06f7bd4410541ad9f2c2f53850bf395
Opcode Fuzzy Hash: 442b0182573b742e05457d5aaff2084b24142f14cc0d66dfc36953484d81731d
Instruction Fuzzy Hash: 2821CF72505340AFEB228F51DC44FA7BBACEF45720F04849AE9458B252C375A908CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0174AC37 Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,74469BA2,00000000,00000000,00000000,00000000), ref: 0174ACBD

Memory Dump Source

Source File: 00000002.00000002.4425385987.000000000174A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_174a000_server.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 83282935930d724a6e5c8d67831ab759ab20677947e585e212f9164085c5db50
Instruction ID: cc93cea929aaac10d73bd790480c99683650a6d726af50b445552201d0db9277
Opcode Fuzzy Hash: 83282935930d724a6e5c8d67831ab759ab20677947e585e212f9164085c5db50
Instruction Fuzzy Hash: 4821D5B54093806FE7128B15DC40BA2BFB8EF57714F0880DBE9858F293D364A909D775

Uniqueness

Uniqueness Score: -1.00%

Function 0174A9BF Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0174AA44

Memory Dump Source

Source File: 00000002.00000002.4425385987.000000000174A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_174a000_server.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 81be41b71913c95b1879e51186623538f823900154115c1228c2ed0e35ce53ed
Instruction ID: 1824b443e2d7d46fa636db2e4139e38f07cc6c86028eff6498c440a6efbbf7f5
Opcode Fuzzy Hash: 81be41b71913c95b1879e51186623538f823900154115c1228c2ed0e35ce53ed
Instruction Fuzzy Hash: 6921666554E3C0AFD7138B258C60A51BFB4AF43620F0A80DBD8858F5A3C2689908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 05ED101D Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

shutdown.WS2_32(?,00000E24,74469BA2,00000000,00000000,00000000,00000000), ref: 05ED10A0

Memory Dump Source

Source File: 00000002.00000002.4433238365.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ed0000_server.jbxd

Similarity

API ID: shutdown
String ID:
API String ID: 2510479042-0
Opcode ID: f33320d0c0147e3f3f7e7e1d1c1ab736c1206a0235fb6ba2bdce1626617669de
Instruction ID: 4281a10ddb7b50fe3f2582fa27cf766bc24b98931635c7011b670ed0cd7a0ac7
Opcode Fuzzy Hash: f33320d0c0147e3f3f7e7e1d1c1ab736c1206a0235fb6ba2bdce1626617669de
Instruction Fuzzy Hash: CF2183B1509384AFD7228B51CC44F56FFB8EF46214F0884DAE9849F152C369A549CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0174B7CF Relevance: 1.6, APIs: 1, Instructions: 72fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 0174B84E

Memory Dump Source

Source File: 00000002.00000002.4425385987.000000000174A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_174a000_server.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: b8d4286ea1f2f4bae0d16551065b03cfad287411ee5253d2e6f4ab86d28190df
Instruction ID: 8658677df1928ef35ecd2ae6c57ada6bccf313a698ddd4ca09202b94b6e45e9b
Opcode Fuzzy Hash: b8d4286ea1f2f4bae0d16551065b03cfad287411ee5253d2e6f4ab86d28190df
Instruction Fuzzy Hash: 792160B15493809FEB11CF25DC45B52BFE8EF06214F0984EAE985CB163D365E909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0174AFAA Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0174B01D

Memory Dump Source

Source File: 00000002.00000002.4425385987.000000000174A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_174a000_server.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: ac3210e734d5f3ef669f4a5ce9820a0a7b380f16fc27a36e8758afb71683e41b
Instruction ID: ad38fb59dc5db378914c96da89a394eccd0b93fc85df4ea4437bf8655c32d25d
Opcode Fuzzy Hash: ac3210e734d5f3ef669f4a5ce9820a0a7b380f16fc27a36e8758afb71683e41b
Instruction Fuzzy Hash: EE21B0716012009FE720DF25DC45BA6FBE8EF14624F04846AED458B351D775E908CA72

Uniqueness

Uniqueness Score: -1.00%

Function 05ED235B Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E24,74469BA2,00000000,00000000,00000000,00000000), ref: 05ED23D7

Memory Dump Source

Source File: 00000002.00000002.4433238365.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ed0000_server.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 53f736d0d68120d04785b1cf26e877848f65fb3671b90099a9cff3c09f2a1613
Instruction ID: c76c9d44d083ad46760a640b579a97e2e066f15d0aa6ba7a205457e6cff111f6
Opcode Fuzzy Hash: 53f736d0d68120d04785b1cf26e877848f65fb3671b90099a9cff3c09f2a1613
Instruction Fuzzy Hash: B321A1715093846FE722CF51DC44FA6FFB8EF46214F0884AAE9859B192C374A508CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0174B27E Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,74469BA2,00000000,00000000,00000000,00000000), ref: 0174B2F8

Memory Dump Source

Source File: 00000002.00000002.4425385987.000000000174A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_174a000_server.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: b9e25498abb10913314bea636f55322a46628323fac01c7d8326539c21bb76ce
Instruction ID: 8f97ab479b7f085ae8dad351c128d3cac73a70c775d540ac341619397e96caae
Opcode Fuzzy Hash: b9e25498abb10913314bea636f55322a46628323fac01c7d8326539c21bb76ce
Instruction Fuzzy Hash: 01218C76600204AFEB21CE16DC85FAAFBECEF14724F08856AED458B651D774E908CA71

Uniqueness

Uniqueness Score: -1.00%

Function 0174A140 Relevance: 1.6, APIs: 1, Instructions: 69networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,?), ref: 0174A1C1

Memory Dump Source

Source File: 00000002.00000002.4425385987.000000000174A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_174a000_server.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 94c7bca2e7b690602a1fa49c9180e5f956149ceb5d3b2b1de800f64f0af1ad7a
Instruction ID: d1b5bed721a30b570bf3f91f7db553dc6e0996aaf842b7328b290f58c394f10c
Opcode Fuzzy Hash: 94c7bca2e7b690602a1fa49c9180e5f956149ceb5d3b2b1de800f64f0af1ad7a
Instruction Fuzzy Hash: 7721AC7140D3C09FD7238B65CC54A52BFB4EF07220F0A84DBD9858F1A3C279A809CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05ED15AE Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 05ED162A

Memory Dump Source

Source File: 00000002.00000002.4433238365.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ed0000_server.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 982d991e4ba48267666bdc4f7283a1bc307020637a535b2849b2b964e1893c27
Instruction ID: b93e32c724f3cc772199b882f6ed50b46241193e2838ec83d099e1856b2be0e5
Opcode Fuzzy Hash: 982d991e4ba48267666bdc4f7283a1bc307020637a535b2849b2b964e1893c27
Instruction Fuzzy Hash: 5D218E75508380AFDB228F65DC44B62FFF8EF06310F0885DAED858B162D376A819DB61

Uniqueness

Uniqueness Score: -1.00%

Function 05ED0DA6 Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 05ED0E1A

Memory Dump Source

Source File: 00000002.00000002.4433238365.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ed0000_server.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 7d0d3dd1fa0e96c3530445d09a4ba4903931bc8bd3ea4f9144a90ff268edbbcc
Instruction ID: 6481ebb0b434ec79c0decac6a22c51dd21712400c5c24ead3138257334b73110
Opcode Fuzzy Hash: 7d0d3dd1fa0e96c3530445d09a4ba4903931bc8bd3ea4f9144a90ff268edbbcc
Instruction Fuzzy Hash: 6721F371500204AFEB21CF55CC49FA6FBE8EF18724F04885DE9858B641E375E509CB72

Uniqueness

Uniqueness Score: -1.00%

Function 05ED0752 Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 05ED07BE

Memory Dump Source

Source File: 00000002.00000002.4433238365.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ed0000_server.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 03f8d72c992f91a3825bd715d9bfb705404654f80b996444a1dfd1dfbb4bd5d1
Instruction ID: 9c16e61dae698f480aecd4fc9dff3f7ea2a09ce03467040c75f2fd70d14de812
Opcode Fuzzy Hash: 03f8d72c992f91a3825bd715d9bfb705404654f80b996444a1dfd1dfbb4bd5d1
Instruction Fuzzy Hash: CE21D172500200AFEB21DF55CC45FA6FBE8EF15324F08886EE9858A651D375E509CB72

Uniqueness

Uniqueness Score: -1.00%

Function 05ED186A Relevance: 1.6, APIs: 1, Instructions: 66libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E24), ref: 05ED18F3

Memory Dump Source

Source File: 00000002.00000002.4433238365.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ed0000_server.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e09147db3481d3cac541f86a8c0f97b115b246043489349cded0614ee342b3c8
Instruction ID: 599a7a0e98e54ce712e2f3bbac1a85dab550c2ad5bb10defcf813bc3bb4d8e72
Opcode Fuzzy Hash: e09147db3481d3cac541f86a8c0f97b115b246043489349cded0614ee342b3c8
Instruction Fuzzy Hash: CF11B4715053406FE721CB15DC85FA6FBB8EF45724F08809AFD849B692D2A4A948CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0174B45A Relevance: 1.6, APIs: 1, Instructions: 66windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(?,00000E24), ref: 0174B4D5

Memory Dump Source

Source File: 00000002.00000002.4425385987.000000000174A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_174a000_server.jbxd

Similarity

API ID: MessageSendTimeout
String ID:
API String ID: 1599653421-0
Opcode ID: b643898c2e1fca49738fbacb9b2dd9ae04ac6fd8c4b6c93c633dc397b2431521
Instruction ID: 2c8c08226cf33c7a38fa40da376b6223b6de3337df48c8dcc02ec443ae990d88
Opcode Fuzzy Hash: b643898c2e1fca49738fbacb9b2dd9ae04ac6fd8c4b6c93c633dc397b2431521
Instruction Fuzzy Hash: 6221E171500200AFEB319F55DC41FA6FBA8EF14724F14849EEE458B691D375E918CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 05ED0B0A Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,74469BA2,00000000,00000000,00000000,00000000), ref: 05ED0B7C

Memory Dump Source

Source File: 00000002.00000002.4433238365.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ed0000_server.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 0be6b1e63787534ed98876a261085dea11d4d7feab40102f12fe25ae55fc5da9
Instruction ID: ae8e11dbe951cebac069df171ea56997af6057e975b76ac0dbe5114bc84032ca
Opcode Fuzzy Hash: 0be6b1e63787534ed98876a261085dea11d4d7feab40102f12fe25ae55fc5da9
Instruction Fuzzy Hash: BD11B472504200AFE731CF15CC88FA6F7EDEF14728F08849AE9858B651E370E509CA71

Uniqueness

Uniqueness Score: -1.00%

Function 0174B372 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,74469BA2,00000000,00000000,00000000,00000000), ref: 0174B3E4

Memory Dump Source

Source File: 00000002.00000002.4425385987.000000000174A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_174a000_server.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 597e866b0c72e9f0f171162ae45c187aebd82ad0c0ed118f48edd346b616d852
Instruction ID: ae4ef59c4ba03b743c5c2527d90e96e61566516b0835aa8e3c1ab646d51c18a4
Opcode Fuzzy Hash: 597e866b0c72e9f0f171162ae45c187aebd82ad0c0ed118f48edd346b616d852
Instruction Fuzzy Hash: 70118172600200AFEB318E56DC45FA6FBECEF54714F04855AED459B652D374E9088AB1

Uniqueness

Uniqueness Score: -1.00%

Function 0174B94F Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 0174B9BF

Memory Dump Source

Source File: 00000002.00000002.4425385987.000000000174A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_174a000_server.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: eb08e47ba7f9885a10e2eadb607a5919a4f75045d7237e5dc677f370139bf9f6
Instruction ID: 444ab967c474d8eb4120bb91b0267138182072aaeb98371bcd5156ea66fc6af6
Opcode Fuzzy Hash: eb08e47ba7f9885a10e2eadb607a5919a4f75045d7237e5dc677f370139bf9f6
Instruction Fuzzy Hash: 1A21A1755093809FD7128B29CC85B52BFE8EF06220F0984DAD985CF263D274E904CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05ED1312 Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E24,74469BA2,00000000,00000000,00000000,00000000), ref: 05ED1371

Memory Dump Source

Source File: 00000002.00000002.4433238365.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ed0000_server.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 4bb51391a908e10f9616f160373bdb837e22d0ddb4a8b8f98b14e674dede37cc
Instruction ID: 5cd5e1d4ee6956286dc238a4f88a99cd77b2a20ce15cdf12ffbcdc4900c48511
Opcode Fuzzy Hash: 4bb51391a908e10f9616f160373bdb837e22d0ddb4a8b8f98b14e674dede37cc
Instruction Fuzzy Hash: 1211E272600200AFEB21CF55DC45FAAFBE8EF14724F04846AED458BA51D375E409CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0174AB7C Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0174ABF0

Memory Dump Source

Source File: 00000002.00000002.4425385987.000000000174A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_174a000_server.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: ddaa71ba622a19b1a8a1fee3cd5084a4f2d171c4894385fcdd42c49502026cb1
Instruction ID: b4deae1c240991cf02c224538ba458a8250d2d13d5254444b80b2696e348c2be
Opcode Fuzzy Hash: ddaa71ba622a19b1a8a1fee3cd5084a4f2d171c4894385fcdd42c49502026cb1
Instruction Fuzzy Hash: 7F21D5755087C09FD7128B29DC55752BFB8EF02320F0984DBDC858B563D335A908C761

Uniqueness

Uniqueness Score: -1.00%

Function 0174A61E Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0174A690

Memory Dump Source

Source File: 00000002.00000002.4425385987.000000000174A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_174a000_server.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: a7c1206f37fff5c414de270f2737fb041adba65cdffbd277df0bff46a4babfb0
Instruction ID: db34cefe79e5e33f6a5aab8d54257d5715a195ffc07e46a473530d75a16b771a
Opcode Fuzzy Hash: a7c1206f37fff5c414de270f2737fb041adba65cdffbd277df0bff46a4babfb0
Instruction Fuzzy Hash: 3E214A715093C45FDB128B25DC94B52BFB4EF47220F0984DBDD859F1A3D2659908CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 05ED29EA Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E24,74469BA2,00000000,00000000,00000000,00000000), ref: 05ED2A43

Memory Dump Source

Source File: 00000002.00000002.4433238365.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ed0000_server.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 5955f6a037c60aa2c19cdae8405bc949d6b9b0f1ad79df287d75d96c09fe5d3f
Instruction ID: 9287919d937f573cfd7a4a54381b2562dd03dc8251c7de01b321716c6b9ee1e8
Opcode Fuzzy Hash: 5955f6a037c60aa2c19cdae8405bc949d6b9b0f1ad79df287d75d96c09fe5d3f
Instruction Fuzzy Hash: 9111EF75600200AFEB20CF65CC45BAAFBA8EF15324F04C46AEE45CF641D375E9098BB1

Uniqueness

Uniqueness Score: -1.00%

Function 05ED2906 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E24,74469BA2,00000000,00000000,00000000,00000000), ref: 05ED295F

Memory Dump Source

Source File: 00000002.00000002.4433238365.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ed0000_server.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 5955f6a037c60aa2c19cdae8405bc949d6b9b0f1ad79df287d75d96c09fe5d3f
Instruction ID: ad7abbb99b2dfaf3c1d64527a8fa66791aba71382493cbd851dd011e0975b699
Opcode Fuzzy Hash: 5955f6a037c60aa2c19cdae8405bc949d6b9b0f1ad79df287d75d96c09fe5d3f
Instruction Fuzzy Hash: D011C475600200AFEB20CF65DC45FA6F7A8EF55724F08846AEE45CB641D374E5098AB2

Uniqueness

Uniqueness Score: -1.00%

Function 05ED282A Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E24,74469BA2,00000000,00000000,00000000,00000000), ref: 05ED2880

Memory Dump Source

Source File: 00000002.00000002.4433238365.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ed0000_server.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: f71c2acaaaf04db17209ccead84a2f63ada95a14a8db621392d6319ad8f691ae
Instruction ID: 7f4dfddbbb75731a20072ad8f2e7a44c7e7705a3850d2f8f5ffa657ea3752b37
Opcode Fuzzy Hash: f71c2acaaaf04db17209ccead84a2f63ada95a14a8db621392d6319ad8f691ae
Instruction Fuzzy Hash: 1311E375600200AFEB20CF55DC85FAAF7ACEF15724F0484AAEE45CB641D375E5098BB1

Uniqueness

Uniqueness Score: -1.00%

Function 0174A573 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0174A5DE

Memory Dump Source

Source File: 00000002.00000002.4425385987.000000000174A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_174a000_server.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 49510292c8f5d792e8231965cc97bf73f19563dbb185bee1488afd94289010d7
Instruction ID: 12f26ce7ad11f45adaa8bc2005f1ffaa0fdf6cc6fdb4d9b2a7990b03ba3de0cb
Opcode Fuzzy Hash: 49510292c8f5d792e8231965cc97bf73f19563dbb185bee1488afd94289010d7
Instruction Fuzzy Hash: C2117271549380AFDB228F55DC44A62FFF4EF4A310F0888DEED858B562C375A518DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0174ADEE Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E24,74469BA2,00000000,00000000,00000000,00000000), ref: 0174AE4D

Memory Dump Source

Source File: 00000002.00000002.4425385987.000000000174A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_174a000_server.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 23b72b7bb63767d83a834607899fdc24ebfd8d841a723e9d500582aca7dbfc0b
Instruction ID: 9d0a733a5ee2e14004015e85198f35bddc43807c8b431f1966be8d012952b630
Opcode Fuzzy Hash: 23b72b7bb63767d83a834607899fdc24ebfd8d841a723e9d500582aca7dbfc0b
Instruction Fuzzy Hash: 2711BF72500200AFEB31CF55DC45FA6FBA8EF19724F0484AAEA468B651C375E5088BB2

Uniqueness

Uniqueness Score: -1.00%

Function 0174B8A9 Relevance: 1.6, APIs: 1, Instructions: 59fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 0174B908

Memory Dump Source

Source File: 00000002.00000002.4425385987.000000000174A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_174a000_server.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 427d2937f0be2e2b959a90ebe95c7591198e369798b29ce08d06996570f5c154
Instruction ID: 96be5a5488fb70f42ef5f1b509dcb8f96a12470bef643ecf181e46cea88a6ee7
Opcode Fuzzy Hash: 427d2937f0be2e2b959a90ebe95c7591198e369798b29ce08d06996570f5c154
Instruction Fuzzy Hash: 721160756093809FDB11CB29DC85B52BFE8EF46220F0984AAED85CB252D275E948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05ED237E Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E24,74469BA2,00000000,00000000,00000000,00000000), ref: 05ED23D7

Memory Dump Source

Source File: 00000002.00000002.4433238365.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ed0000_server.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: da38bf0d7cc534c29b2e8090f1970e9c58c57fa7ffcd6043fb0af53588ba9b9e
Instruction ID: 5d8b271ec4a3b9adcbd434acff567a276f986d980ae6fd8e52a3a20d2f436699
Opcode Fuzzy Hash: da38bf0d7cc534c29b2e8090f1970e9c58c57fa7ffcd6043fb0af53588ba9b9e
Instruction Fuzzy Hash: 8611E075500200AFEB21CF51DC44FA6FBA8EF14728F04C4AAEE859B641D374E5098AB6

Uniqueness

Uniqueness Score: -1.00%

Function 05ED104A Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

shutdown.WS2_32(?,00000E24,74469BA2,00000000,00000000,00000000,00000000), ref: 05ED10A0

Memory Dump Source

Source File: 00000002.00000002.4433238365.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ed0000_server.jbxd

Similarity

API ID: shutdown
String ID:
API String ID: 2510479042-0
Opcode ID: 487736564817a27c2e557093174e97c3f02fafdf7b746e35d37a4916a9adf6f9
Instruction ID: bd69c7fdcc3f6c6b94aaee8381207cb2601f9874932e3aa0d39bda1e8daa6967
Opcode Fuzzy Hash: 487736564817a27c2e557093174e97c3f02fafdf7b746e35d37a4916a9adf6f9
Instruction Fuzzy Hash: 3B110271500244AFEB20DF51DC84FAAFBA8EF14728F04C4AAED448F641D374E509CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 05ED188A Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E24), ref: 05ED18F3

Memory Dump Source

Source File: 00000002.00000002.4433238365.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ed0000_server.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5d8104bc90183aa4069b6762ac26d085ebc43ad6defee75ac6baa5d14636f22c
Instruction ID: d555351cbce3fbc40b3df3edb266e8f2aacdbdf84de495137701abccc70135bb
Opcode Fuzzy Hash: 5d8104bc90183aa4069b6762ac26d085ebc43ad6defee75ac6baa5d14636f22c
Instruction Fuzzy Hash: 5111E571600200AFE720DB15DD41FB6F7A8DF15728F148099FD449A781D3B5E549CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 05ED245A Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

select.WS2_32(?,?,?,?,?), ref: 05ED24B0

Memory Dump Source

Source File: 00000002.00000002.4433238365.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ed0000_server.jbxd

Similarity

API ID: select
String ID:
API String ID: 1274211008-0
Opcode ID: c688f5cc7810d6eee56f44a3182f6d26f9d461d8b85ec4934aafd9d02889713f
Instruction ID: 28e497d61cd590c1fb337c950298bafcc76fcc6e38346d157eb096b58d207b2c
Opcode Fuzzy Hash: c688f5cc7810d6eee56f44a3182f6d26f9d461d8b85ec4934aafd9d02889713f
Instruction Fuzzy Hash: 3E115B796042009FEB20CF55D884BA6FBE8FF04624F0884AADE898B651D375E409CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0174B806 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 0174B84E

Memory Dump Source

Source File: 00000002.00000002.4425385987.000000000174A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_174a000_server.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: d08ef2964adaefdf790adadbb4d777cb99ff3024cfda1ed883830ae37fc30229
Instruction ID: dc08c674de2cee2dcdecc7e4f54b2b67b0b2b29ad01c684be1a2349e8e550f6f
Opcode Fuzzy Hash: d08ef2964adaefdf790adadbb4d777cb99ff3024cfda1ed883830ae37fc30229
Instruction Fuzzy Hash: 9D115E716402049FEB10CF6AD885B56FBECEF15624F08C4AADD49CB652D375E808CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0174AC6A Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,74469BA2,00000000,00000000,00000000,00000000), ref: 0174ACBD

Memory Dump Source

Source File: 00000002.00000002.4425385987.000000000174A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_174a000_server.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 0f054abce7dfc66c20cb115cc7c990133dff883c03b99bbb48d6378c00a51b1a
Instruction ID: 7f1510f1a90b183a664a3a9ecd1604c3006449b2a1ca27bf914593132b76c9a7
Opcode Fuzzy Hash: 0f054abce7dfc66c20cb115cc7c990133dff883c03b99bbb48d6378c00a51b1a
Instruction Fuzzy Hash: D101D271541200AFE760CB05DC85BA6F7ACDF25724F04C09AEE059B781D374E5088AB6

Uniqueness

Uniqueness Score: -1.00%

Function 05ED15DE Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 05ED162A

Memory Dump Source

Source File: 00000002.00000002.4433238365.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ed0000_server.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 081674beb05546420207ac4a10a6222126ea17c5cfe8438e755148118fa4b01e
Instruction ID: 1f137309e9976c7a29cb134bda3719efe8a81fdd56f19a8e06eea47115143b83
Opcode Fuzzy Hash: 081674beb05546420207ac4a10a6222126ea17c5cfe8438e755148118fa4b01e
Instruction Fuzzy Hash: 0611A0715002009FEB20CF55D884B62FBE4FF04314F0884AADE898B612D372E419CF72

Uniqueness

Uniqueness Score: -1.00%

Function 0174B982 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 0174B9BF

Memory Dump Source

Source File: 00000002.00000002.4425385987.000000000174A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_174a000_server.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 11be6d611dd2e6b2ed8bbad5df41694f4bb2489c14de0cb5fea32ca6707b8673
Instruction ID: 53d86d384c2f3d1f7dd387781aa85fc4030b270969febb3ba70296ab9f7ecc94
Opcode Fuzzy Hash: 11be6d611dd2e6b2ed8bbad5df41694f4bb2489c14de0cb5fea32ca6707b8673
Instruction Fuzzy Hash: 49018C75604240DFEB10CF2AD885766FBE8EF05324F0884AADD49CB752D375E804CA62

Uniqueness

Uniqueness Score: -1.00%

Function 0174B8CE Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 0174B908

Memory Dump Source

Source File: 00000002.00000002.4425385987.000000000174A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_174a000_server.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 8f6740c885c079d4da77a2b0b3206533dd5b7eb417996c29628bd8bc8c494831
Instruction ID: 2d15bb8e9a05e1e9b71cbfd8bc19b3f05acab46f777e9e2a5a4d9f28f78bf764
Opcode Fuzzy Hash: 8f6740c885c079d4da77a2b0b3206533dd5b7eb417996c29628bd8bc8c494831
Instruction Fuzzy Hash: 5F015E75A042449FEB10CF2AD885766FBE8EF15624F0884AADD49CB742D375E904CA62

Uniqueness

Uniqueness Score: -1.00%

Function 0174A59A Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0174A5DE

Memory Dump Source

Source File: 00000002.00000002.4425385987.000000000174A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_174a000_server.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 203beb830eae00ccba4f07ba748750399cd5530dbb95a65cace5f6315dfd81d0
Instruction ID: ddc4084dde6784d4eba39b66ab401badb16dba8f33038d8a1493f1b68401ee1b
Opcode Fuzzy Hash: 203beb830eae00ccba4f07ba748750399cd5530dbb95a65cace5f6315dfd81d0
Instruction Fuzzy Hash: C1016D725006009FDB218F55D944B52FFE4EF49724F08C9AEEE4A4B652C376E418DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 05ED06B6 Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 05ED0706

Memory Dump Source

Source File: 00000002.00000002.4433238365.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5ed0000_server.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: f2ad548fd262a739ae26c2ee43fa938ca4d2326a56a0c38456ac223b5a5e2691
Instruction ID: 94861ca45676894549d0b2b15ee730713a79a096b9d8f27eac5a20014fd1165e
Opcode Fuzzy Hash: f2ad548fd262a739ae26c2ee43fa938ca4d2326a56a0c38456ac223b5a5e2691
Instruction Fuzzy Hash: 5D01D671600200ABD310DF16CC46B66FBE8FB88B20F14815AED089BB41D771F915CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 0174ABBE Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0174ABF0

Memory Dump Source

Source File: 00000002.00000002.4425385987.000000000174A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_174a000_server.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 8e50e5b8bd254cf80d1415fbd8c41190c463582e4b16821c02baa6a0f495e0b3
Instruction ID: b98664942e416538114bbb0d184ee2d234a90a80f4f85886610f2774c9235812
Opcode Fuzzy Hash: 8e50e5b8bd254cf80d1415fbd8c41190c463582e4b16821c02baa6a0f495e0b3
Instruction Fuzzy Hash: 63018F71A042449FDB50CF5AE885766FBE8EF05324F08C4AADD4A8F652D375E408CA62

Uniqueness

Uniqueness Score: -1.00%

Function 0174A72E Relevance: 1.5, APIs: 1, Instructions: 43comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?,00000E24,?,?), ref: 0174A77E

Memory Dump Source

Source File: 00000002.00000002.4425385987.000000000174A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_174a000_server.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: b5899c7ec7b307b8721be95941e2b7168f44ee802e205a156c73a69a7b935baf
Instruction ID: 4ccdd588f64af526e5c4069a2bcf312aedfbb55693f5e29835704cdd8d93ef62
Opcode Fuzzy Hash: b5899c7ec7b307b8721be95941e2b7168f44ee802e205a156c73a69a7b935baf
Instruction Fuzzy Hash: 0801D671600200ABD310DF16CC46B66FBE8FB88A20F148159ED089BB41D771F915CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 0174A186 Relevance: 1.5, APIs: 1, Instructions: 42networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,?), ref: 0174A1C1

Memory Dump Source

Source File: 00000002.00000002.4425385987.000000000174A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_174a000_server.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: d5d1ee87b686cde1ebb455b35d84c25c1f9c66b8bd3000e351993cab96214cb1
Instruction ID: 1d8633a64db07faf24d58f9ab6c8138dec9333bf79a4dab3374e653104e2a007
Opcode Fuzzy Hash: d5d1ee87b686cde1ebb455b35d84c25c1f9c66b8bd3000e351993cab96214cb1
Instruction Fuzzy Hash: 84019E315042409FDB20CF59D844B62FBF4EF15324F08C4AADE4A4B612C375E418CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0174A65E Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0174A690

Memory Dump Source

Source File: 00000002.00000002.4425385987.000000000174A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_174a000_server.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: fc8bfb53fdcbc62afa706c1547df30c9bb23a1675ab2aad140cb17e42b3c01f4
Instruction ID: e91fdb316ee2daa7711263644ee486f0cdee7cba5d6edaad8e6fad1e7856642a
Opcode Fuzzy Hash: fc8bfb53fdcbc62afa706c1547df30c9bb23a1675ab2aad140cb17e42b3c01f4
Instruction Fuzzy Hash: D401AD71A042409FDB10CF5AD885766FBE4EF45324F08C4AADD4A8F252D379E408CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 0174AA12 Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0174AA44

Memory Dump Source

Source File: 00000002.00000002.4425385987.000000000174A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_174a000_server.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 28178f7171a34b43be0a520d141879e3336245e39948a9e18610516938b17dd9
Instruction ID: 66335fe755d3a5bb7fc32910a2714bcf8942ce25e3a56081e2c513a231bc7c65
Opcode Fuzzy Hash: 28178f7171a34b43be0a520d141879e3336245e39948a9e18610516938b17dd9
Instruction Fuzzy Hash: 59F0AF75A402409FDB208F0AD985B65FBE4EF05724F08C0EADD4A4B752D379E608CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 019607DC Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4425603630.0000000001960000.00000040.00000020.00020000.00000000.sdmp, Offset: 01960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1960000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6822aa5cbd6a4feff74e540d9514b6fae37c20722a3041304a2d5d0e3407db5e
Instruction ID: 450d846bbeba3f997dcf765ac598312c1b92b22aeecc63720b7183f43976ee6e
Opcode Fuzzy Hash: 6822aa5cbd6a4feff74e540d9514b6fae37c20722a3041304a2d5d0e3407db5e
Instruction Fuzzy Hash: 6E21623450D7C19FC713CB24C890B55BFB1AF46218F1D89EED4898B6A3C33A8846CB92

Uniqueness

Uniqueness Score: -1.00%

Function 05F21F4C Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4433320536.0000000005F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5f20000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ecf047aadbda216f4c89b49146576495bb92c350ca322919174bb00b49c4ff9
Instruction ID: befdc42fce1894123959fb172100664d32e0813fe119113945e3d4a96cbbdcb8
Opcode Fuzzy Hash: 4ecf047aadbda216f4c89b49146576495bb92c350ca322919174bb00b49c4ff9
Instruction Fuzzy Hash: 2311BAB5A08341AFD340CF19D841A5BFBE4FB98664F04895EF998D7311D235E914CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 01960814 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4425603630.0000000001960000.00000040.00000020.00020000.00000000.sdmp, Offset: 01960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1960000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e823b77496ccb3f717bcd0a12a60523a9148bc9b64353c00249c0a47d4408cc
Instruction ID: 11ae36d10add7900e0792c5954b6c83846abd65f2a08605edb501be226edd530
Opcode Fuzzy Hash: 8e823b77496ccb3f717bcd0a12a60523a9148bc9b64353c00249c0a47d4408cc
Instruction Fuzzy Hash: F611E430204280DFD711CB14D580F15BBA9AB99708F28C9ACF94D0BB43C77BD812CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 05F21DF0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4433320536.0000000005F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5f20000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5489788de02e4a8b99939759b7d0420a74a5a84096b0332ae6a77b2910a1605f
Instruction ID: 532757698c420e7a9c710cbb3b442a4679c1a301cf657cc19343bc87bdd0c755
Opcode Fuzzy Hash: 5489788de02e4a8b99939759b7d0420a74a5a84096b0332ae6a77b2910a1605f
Instruction Fuzzy Hash: C511FEB5608301AFD750CF09DC41E57FBE8EB88660F04891EF95997311D271E908CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0175B0B4 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4425423395.000000000175A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0175A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_175a000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39b6bf4fbefe78744b1e2d6e48af9c9859fd1a8a1ec920c5c11b97b6f4453af5
Instruction ID: f96f2f07f871d54d41e0d7d7631c275562002cda0500b1889c77dcf77bd0ae97
Opcode Fuzzy Hash: 39b6bf4fbefe78744b1e2d6e48af9c9859fd1a8a1ec920c5c11b97b6f4453af5
Instruction Fuzzy Hash: 5411FAB5A08301AFD350CF09DC41E5BFBE8EB98660F04891EF99997311D271E908CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 019605DF Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4425603630.0000000001960000.00000040.00000020.00020000.00000000.sdmp, Offset: 01960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1960000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c8eb95b414f277dafeddc2ed16b20c6b00dd2f0f2e558da64b5dafa59a37049
Instruction ID: 48d6460afb936dd24f1f5cefa1ba80c14211ad6f1d34864f56542070aaa2ad01
Opcode Fuzzy Hash: 6c8eb95b414f277dafeddc2ed16b20c6b00dd2f0f2e558da64b5dafa59a37049
Instruction Fuzzy Hash: 2E01A77650D7805FD7128B169C41862FFA8DF86620709C49FEC898BA52D125AC09CB62

Uniqueness

Uniqueness Score: -1.00%

Function 019608D0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4425603630.0000000001960000.00000040.00000020.00020000.00000000.sdmp, Offset: 01960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1960000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c088c5f4422919bb187d7e2321f3437007d1721d3ee5741c69d1989cd7885274
Instruction ID: c57e25b3e79a8745de6540a870fd15a71d378ff8bc9000e3ccb416cae5a3732d
Opcode Fuzzy Hash: c088c5f4422919bb187d7e2321f3437007d1721d3ee5741c69d1989cd7885274
Instruction Fuzzy Hash: 50F01D35148644DFC706CF04D580B15FBA6FB89718F28CAADE94917B52C737D813DA91

Uniqueness

Uniqueness Score: -1.00%

Function 01960606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4425603630.0000000001960000.00000040.00000020.00020000.00000000.sdmp, Offset: 01960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1960000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cde2a3a819a1abb2fa684be51f05f90cd4de1894b0ba8beee1f31ffb4bf5260
Instruction ID: b197d1aa38b9dc33a279caad485a9935809c62513677aa47ac19c904cde0e18d
Opcode Fuzzy Hash: 9cde2a3a819a1abb2fa684be51f05f90cd4de1894b0ba8beee1f31ffb4bf5260
Instruction Fuzzy Hash: 85E092B66046044B9750CF0BEC41452F7D8EB84630B08C07FDC0D8BB01D676B909CEA6

Uniqueness

Uniqueness Score: -1.00%

Function 05F21FB7 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4433320536.0000000005F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5f20000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1d0d82e7b8713c582cb1bce001902d0bdae2a19cfe49d71ffb865043b8687e4
Instruction ID: 7575a0b90efa0090c5f50c26ef6917e469cc5560786200b134965dd345b4c41a
Opcode Fuzzy Hash: f1d0d82e7b8713c582cb1bce001902d0bdae2a19cfe49d71ffb865043b8687e4
Instruction Fuzzy Hash: B4E0D8B264030467D7108E079C45F52FB9CDB54A30F04C56BED081B742D176B514CAE2

Uniqueness

Uniqueness Score: -1.00%

Function 05F21863 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4433320536.0000000005F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5f20000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bb6de2911cb9e26f79c83c5eb88a1f8a32cbf422869d026a9ad37e7b348a461
Instruction ID: ba04b2ee6660f14d9d9b16e6806c8e0083c1394dd583b84a4e71ecfacfb055d9
Opcode Fuzzy Hash: 4bb6de2911cb9e26f79c83c5eb88a1f8a32cbf422869d026a9ad37e7b348a461
Instruction Fuzzy Hash: 53E0D8B260020067D2109E079C45F53FB9CDB50A30F04C55BED091B702D172B514CEE1

Uniqueness

Uniqueness Score: -1.00%

Function 05F21E3F Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4433320536.0000000005F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5f20000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f6a3a0a0ace3eb8f6f3d09887725634b4bd2e620e0147ad7a637101c4a73b33
Instruction ID: 692432f24e07c48814289ec1483162156f987acc9b23773a48da7c4d4fba3603
Opcode Fuzzy Hash: 1f6a3a0a0ace3eb8f6f3d09887725634b4bd2e620e0147ad7a637101c4a73b33
Instruction Fuzzy Hash: A8E0D8F260030467D6509E079C45F53FB9CDB50A30F04C55BED091B702D172B514CAF1

Uniqueness

Uniqueness Score: -1.00%

Function 0175B103 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4425423395.000000000175A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0175A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_175a000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1b7f04bf6fc310c9f5ab80a31602a9a69a795cff3adef7b5450ba85856c5630
Instruction ID: 89e33f155f4eb1e24e2477c6a0a1892a50caa246e27cae9f3bc4105de79e11ec
Opcode Fuzzy Hash: d1b7f04bf6fc310c9f5ab80a31602a9a69a795cff3adef7b5450ba85856c5630
Instruction Fuzzy Hash: B4E0D8B264020467D2109E079C45F52FB9CDB51A30F04C55BED095B702D172B504CAF1

Uniqueness

Uniqueness Score: -1.00%

Function 017423F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4425373811.0000000001742000.00000040.00000800.00020000.00000000.sdmp, Offset: 01742000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1742000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54cc6057364e1f2263c4db8314fb8f97bd723cf2053b9c31a3c17510c0c7190f
Instruction ID: 499bf5bfd807ba137d9204bbf2efc35f435cdb3dff72297f57e6eb14fd3ff9ae
Opcode Fuzzy Hash: 54cc6057364e1f2263c4db8314fb8f97bd723cf2053b9c31a3c17510c0c7190f
Instruction Fuzzy Hash: 7BD02E393006C04FE3128A0CD1A8BA53BE4AB60704F0A00F9AC008BBA3CB28D880C200

Uniqueness

Uniqueness Score: -1.00%

Function 017423BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4425373811.0000000001742000.00000040.00000800.00020000.00000000.sdmp, Offset: 01742000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1742000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4cd4296239557935555a4d0f1c04d55d61dbdacb3fd4f96960318b78afc95f3
Instruction ID: 2770e9427a8d41f62373a12a4edf8005da315b084fd440a13b2cc685cc351d85
Opcode Fuzzy Hash: f4cd4296239557935555a4d0f1c04d55d61dbdacb3fd4f96960318b78afc95f3
Instruction Fuzzy Hash: C9D05E342002814BD715DA0CD6D5F597BE4AB50B14F0644E8BC108B762C7A4D8D0CA00

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report QUuUm3J8x3.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Njrat

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\QUuUm3J8x3.exe.log

C:\Users\user\AppData\Local\Temp\server.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\444e796bc07d74246f430e63450f384ascvhost.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe

C:\Users\user\AppData\Roaming\app

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Windows Analysis Report
QUuUm3J8x3.exe

Function 05094298 Relevance: 3.2, Strings: 1, Instructions: 1950
COMMON

Function 05094269 Relevance: 3.0, Strings: 1, Instructions: 1764
COMMON

Function 010CAA75 Relevance: 1.6, APIs: 1, Instructions: 92
fileCOMMON

Function 010CB036 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Function 010CA6CE Relevance: 1.6, APIs: 1, Instructions: 85
comclipboardCOMMON

Function 010CAE77 Relevance: 1.6, APIs: 1, Instructions: 78
fileCOMMON

Function 010CAAA6 Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Function 010CA9BF Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Function 010CAC37 Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Function 010CB06A Relevance: 1.6, APIs: 1, Instructions: 72
synchronizationCOMMON

Function 010CAB7C Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Function 010CA61E Relevance: 1.6, APIs: 1, Instructions: 65
comCOMMON

Function 010CA573 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Function 010CAEAE Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Function 010CB424 Relevance: 1.6, APIs: 1, Instructions: 60
COMMON