Edit tour

Windows Analysis Report
L363rVr7oL.exe

Overview

General Information

Sample name:	L363rVr7oL.exe renamed because original name is a hash value
Original sample name:	2162d29eb849e9c799f3a951e52c9d4d.exe
Analysis ID:	1580557
MD5:	2162d29eb849e9c799f3a951e52c9d4d
SHA1:	386cb6a7cf616dbce0823f6ff23c1cbcb1d302e5
SHA256:	150046fc66a80e4668fc08417e422c5f97489831823c898b50ca4ed6bc5a6f12
Tags:	exenjratRATuser-abuse_ch
Infos:

Detection

Njrat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Njrat

.NET source code contains potential unpacker

AI detected suspicious sample

Connects to many ports of the same IP (likely port scanning)

Contains functionality to disable the Task Manager (.Net Source)

Contains functionality to spread to USB devices (.Net source)

Disables zone checking for all users

Drops PE files to the startup folder

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies the windows firewall

Uses netsh to modify the Windows network and firewall settings

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the program root directory (C:\Program Files)

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May infect USB drives

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

L363rVr7oL.exe (PID: 5480 cmdline: "C:\Users\user\Desktop\L363rVr7oL.exe" MD5: 2162D29EB849E9C799F3A951E52C9D4D)

server.exe (PID: 3272 cmdline: "C:\Users\user\AppData\Local\Temp\server.exe" MD5: 2162D29EB849E9C799F3A951E52C9D4D)

netsh.exe (PID: 6520 cmdline: netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe" "server.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

conhost.exe (PID: 5180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 4340 cmdline: netsh firewall delete allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe" MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

conhost.exe (PID: 6876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 6592 cmdline: netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe" "server.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

conhost.exe (PID: 6164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

conhost.exe (PID: 2892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe (PID: 6764 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe" MD5: 2162D29EB849E9C799F3A951E52C9D4D)

a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe (PID: 2892 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe" MD5: 2162D29EB849E9C799F3A951E52C9D4D)

Explower.exe (PID: 6876 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe" MD5: 2162D29EB849E9C799F3A951E52C9D4D)

Microsoft Corporation.exe (PID: 1612 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe" MD5: 2162D29EB849E9C799F3A951E52C9D4D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
NjRAT	RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.	AQUATIC PANDA Earth Lusca Operation C-Major The Gorgon Group	http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/ http://blogs.360.cn/post/analysis-of-apt-c-37.html http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/ https://asec.ahnlab.com/1369	https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Malware Configuration

Threatname: Njrat

{"Campaign ID": "Kyotzin", "Version": "0.7d", "Install Name": "a4d560bc8f8d17c6ed1c6a55f7fdc2b2", "Install Dir": "system", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Network Seprator": "|'|'|"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
L363rVr7oL.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
L363rVr7oL.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x115d2:$a1: get_Registry 0x15a57:$a2: SEE_MASK_NOZONECHECKS 0x156f9:$a3: Download ERROR 0x15ca9:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13c36:$a5: netsh firewall delete allowedprogram "
L363rVr7oL.exe	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x15ca9:$x1: cmd.exe /c ping 0 -n 2 & del " 0x137c2:$s1: winmgmts:\\.\root\SecurityCenter2 0x15717:$s3: Executed As 0x124f0:$s5: Stub.exe 0x156f9:$s6: Download ERROR 0x13784:$s8: Select * From AntiVirusProduct
L363rVr7oL.exe	crimeware_njrat_strings	Detects njRAT based on some strings	Sekoia.io	0x1549b:$: set cdaudio door closed 0x1545f:$: set cdaudio door open 0x15cbf:$: ping 0 0x13412:$: [endof] 0x132cc:$: TiGeR-Firewall 0x132fa:$: NetSnifferCs 0x132b8:$: IPBlocker 0x13314:$: Sandboxie Control
L363rVr7oL.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x15a57:$reg: SEE_MASK_NOZONECHECKS 0x156dd:$msg: Execute ERROR 0x15731:$msg: Execute ERROR 0x15ca9:$ping: cmd.exe /c ping 0 -n 2 & del
L363rVr7oL.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c36:$s1: netsh firewall delete allowedprogram 0x13c88:$s2: netsh firewall add allowedprogram 0x15ca9:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156dd:$s4: Execute ERROR 0x15731:$s4: Execute ERROR 0x156f9:$s5: Download ERROR
Click to see the 1 entries

Dropped Files

Source	Rule	Description	Author	Strings
C:\Program Files (x86)\Explower.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Program Files (x86)\Explower.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Program Files (x86)\Explower.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x115d2:$a1: get_Registry 0x15a57:$a2: SEE_MASK_NOZONECHECKS 0x156f9:$a3: Download ERROR 0x15ca9:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13c36:$a5: netsh firewall delete allowedprogram "
C:\Program Files (x86)\Explower.exe	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x13c88:$marker4: netsh firewall add allowedprogram 0x13c36:$marker25: netsh firewall delete allowedprogram " 0x15f6d:$key5: [PrintScreen] 0x15cb9:$del3: /c ping 0 -n 2 & del 0x13784:$sup2: Select * From AntiVirusProduct 0x13604:$sup3: Software\Microsoft\Windows\CurrentVersion\Run 0x136c2:$sup3: Software\Microsoft\Windows\CurrentVersion\Run 0x142e2:$sup3: Software\Microsoft\Windows\CurrentVersion\Run 0x14366:$sup3: Software\Microsoft\Windows\CurrentVersion\Run 0x14ea6:$sup5: SOFTWARE\Microsoft\Windows NT\CurrentVersion 0x150f8:$sup5: SOFTWARE\Microsoft\Windows NT\CurrentVersion 0x156dd:$msg5: Execute ERROR 0x15731:$msg5: Execute ERROR 0x156f9:$msg6: Download ERROR 0x157af:$msg7: Update ERROR 0x157e9:$msg7: Update ERROR 0x157c9:$msg8: Updating To 0x15a57:$reg1: SEE_MASK_NOZONECHECKS
C:\Program Files (x86)\Explower.exe	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x13c88:$marker4: netsh firewall add allowedprogram 0x13c36:$marker25: netsh firewall delete allowedprogram " 0x15f6d:$key5: [PrintScreen] 0x15cb9:$del3: /c ping 0 -n 2 & del 0x13784:$sup2: Select * From AntiVirusProduct 0x13604:$sup3: Software\Microsoft\Windows\CurrentVersion\Run 0x136c2:$sup3: Software\Microsoft\Windows\CurrentVersion\Run 0x142e2:$sup3: Software\Microsoft\Windows\CurrentVersion\Run 0x14366:$sup3: Software\Microsoft\Windows\CurrentVersion\Run 0x14ea6:$sup5: SOFTWARE\Microsoft\Windows NT\CurrentVersion 0x150f8:$sup5: SOFTWARE\Microsoft\Windows NT\CurrentVersion 0x156dd:$msg5: Execute ERROR 0x15731:$msg5: Execute ERROR 0x156f9:$msg6: Download ERROR 0x157af:$msg7: Update ERROR 0x157e9:$msg7: Update ERROR 0x157c9:$msg8: Updating To 0x15a57:$reg1: SEE_MASK_NOZONECHECKS
C:\Program Files (x86)\Explower.exe	crimeware_njrat_strings	Detects njRAT based on some strings	Sekoia.io	0x1549b:$: set cdaudio door closed 0x1545f:$: set cdaudio door open 0x15cbf:$: ping 0 0x13412:$: [endof] 0x132cc:$: TiGeR-Firewall 0x132fa:$: NetSnifferCs 0x132b8:$: IPBlocker 0x13314:$: Sandboxie Control
C:\Program Files (x86)\Explower.exe	crimeware_njrat_strings	Detects njRAT based on some strings	Sekoia.io	0x1549b:$: set cdaudio door closed 0x1545f:$: set cdaudio door open 0x15cbf:$: ping 0 0x13412:$: [endof] 0x132cc:$: TiGeR-Firewall 0x132fa:$: NetSnifferCs 0x132b8:$: IPBlocker 0x13314:$: Sandboxie Control
C:\Program Files (x86)\Explower.exe	crimeware_njrat_strings	Detects njRAT based on some strings	Sekoia.io	0x1549b:$: set cdaudio door closed 0x1545f:$: set cdaudio door open 0x15cbf:$: ping 0 0x13412:$: [endof] 0x132cc:$: TiGeR-Firewall 0x132fa:$: NetSnifferCs 0x132b8:$: IPBlocker 0x13314:$: Sandboxie Control
C:\Program Files (x86)\Explower.exe	crimeware_njrat_strings	Detects njRAT based on some strings	Sekoia.io	0x1549b:$: set cdaudio door closed 0x1545f:$: set cdaudio door open 0x15cbf:$: ping 0 0x13412:$: [endof] 0x132cc:$: TiGeR-Firewall 0x132fa:$: NetSnifferCs 0x132b8:$: IPBlocker 0x13314:$: Sandboxie Control
C:\Program Files (x86)\Explower.exe	crimeware_njrat_strings	Detects njRAT based on some strings	Sekoia.io	0x1549b:$: set cdaudio door closed 0x1545f:$: set cdaudio door open 0x15cbf:$: ping 0 0x13412:$: [endof] 0x132cc:$: TiGeR-Firewall 0x132fa:$: NetSnifferCs 0x132b8:$: IPBlocker 0x13314:$: Sandboxie Control
C:\Program Files (x86)\Explower.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x15a57:$reg: SEE_MASK_NOZONECHECKS 0x156dd:$msg: Execute ERROR 0x15731:$msg: Execute ERROR 0x15ca9:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x115d2:$a1: get_Registry 0x15a57:$a2: SEE_MASK_NOZONECHECKS 0x156f9:$a3: Download ERROR 0x15ca9:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13c36:$a5: netsh firewall delete allowedprogram "
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x115d2:$a1: get_Registry 0x15a57:$a2: SEE_MASK_NOZONECHECKS 0x156f9:$a3: Download ERROR 0x15ca9:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13c36:$a5: netsh firewall delete allowedprogram "
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x115d2:$a1: get_Registry 0x15a57:$a2: SEE_MASK_NOZONECHECKS 0x156f9:$a3: Download ERROR 0x15ca9:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13c36:$a5: netsh firewall delete allowedprogram "
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x115d2:$a1: get_Registry 0x15a57:$a2: SEE_MASK_NOZONECHECKS 0x156f9:$a3: Download ERROR 0x15ca9:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13c36:$a5: netsh firewall delete allowedprogram "
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x115d2:$a1: get_Registry 0x15a57:$a2: SEE_MASK_NOZONECHECKS 0x156f9:$a3: Download ERROR 0x15ca9:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13c36:$a5: netsh firewall delete allowedprogram "
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x115d2:$a1: get_Registry 0x15a57:$a2: SEE_MASK_NOZONECHECKS 0x156f9:$a3: Download ERROR 0x15ca9:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13c36:$a5: netsh firewall delete allowedprogram "
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x115d2:$a1: get_Registry 0x15a57:$a2: SEE_MASK_NOZONECHECKS 0x156f9:$a3: Download ERROR 0x15ca9:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13c36:$a5: netsh firewall delete allowedprogram "
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x115d2:$a1: get_Registry 0x15a57:$a2: SEE_MASK_NOZONECHECKS 0x156f9:$a3: Download ERROR 0x15ca9:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13c36:$a5: netsh firewall delete allowedprogram "
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x115d2:$a1: get_Registry 0x15a57:$a2: SEE_MASK_NOZONECHECKS 0x156f9:$a3: Download ERROR 0x15ca9:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13c36:$a5: netsh firewall delete allowedprogram "
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x115d2:$a1: get_Registry 0x15a57:$a2: SEE_MASK_NOZONECHECKS 0x156f9:$a3: Download ERROR 0x15ca9:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13c36:$a5: netsh firewall delete allowedprogram "
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x115d2:$a1: get_Registry 0x15a57:$a2: SEE_MASK_NOZONECHECKS 0x156f9:$a3: Download ERROR 0x15ca9:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13c36:$a5: netsh firewall delete allowedprogram "
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x115d2:$a1: get_Registry 0x15a57:$a2: SEE_MASK_NOZONECHECKS 0x156f9:$a3: Download ERROR 0x15ca9:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13c36:$a5: netsh firewall delete allowedprogram "
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x115d2:$a1: get_Registry 0x15a57:$a2: SEE_MASK_NOZONECHECKS 0x156f9:$a3: Download ERROR 0x15ca9:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13c36:$a5: netsh firewall delete allowedprogram "
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x115d2:$a1: get_Registry 0x15a57:$a2: SEE_MASK_NOZONECHECKS 0x156f9:$a3: Download ERROR 0x15ca9:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13c36:$a5: netsh firewall delete allowedprogram "
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x115d2:$a1: get_Registry 0x15a57:$a2: SEE_MASK_NOZONECHECKS 0x156f9:$a3: Download ERROR 0x15ca9:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13c36:$a5: netsh firewall delete allowedprogram "
C:\Notepad.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Notepad.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Notepad.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Notepad.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Notepad.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Notepad.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x115d2:$a1: get_Registry 0x15a57:$a2: SEE_MASK_NOZONECHECKS 0x156f9:$a3: Download ERROR 0x15ca9:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13c36:$a5: netsh firewall delete allowedprogram "
C:\Notepad.exe	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x15ca9:$x1: cmd.exe /c ping 0 -n 2 & del " 0x137c2:$s1: winmgmts:\\.\root\SecurityCenter2 0x15717:$s3: Executed As 0x124f0:$s5: Stub.exe 0x156f9:$s6: Download ERROR 0x13784:$s8: Select * From AntiVirusProduct
C:\Notepad.exe	crimeware_njrat_strings	Detects njRAT based on some strings	Sekoia.io	0x1549b:$: set cdaudio door closed 0x1545f:$: set cdaudio door open 0x15cbf:$: ping 0 0x13412:$: [endof] 0x132cc:$: TiGeR-Firewall 0x132fa:$: NetSnifferCs 0x132b8:$: IPBlocker 0x13314:$: Sandboxie Control
C:\Notepad.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x15a57:$reg: SEE_MASK_NOZONECHECKS 0x156dd:$msg: Execute ERROR 0x15731:$msg: Execute ERROR 0x15ca9:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c36:$s1: netsh firewall delete allowedprogram 0x13c88:$s2: netsh firewall add allowedprogram 0x15ca9:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156dd:$s4: Execute ERROR 0x15731:$s4: Execute ERROR 0x156f9:$s5: Download ERROR
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c36:$s1: netsh firewall delete allowedprogram 0x13c88:$s2: netsh firewall add allowedprogram 0x15ca9:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156dd:$s4: Execute ERROR 0x15731:$s4: Execute ERROR 0x156f9:$s5: Download ERROR
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c36:$s1: netsh firewall delete allowedprogram 0x13c88:$s2: netsh firewall add allowedprogram 0x15ca9:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156dd:$s4: Execute ERROR 0x15731:$s4: Execute ERROR 0x156f9:$s5: Download ERROR
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c36:$s1: netsh firewall delete allowedprogram 0x13c88:$s2: netsh firewall add allowedprogram 0x15ca9:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156dd:$s4: Execute ERROR 0x15731:$s4: Execute ERROR 0x156f9:$s5: Download ERROR
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c36:$s1: netsh firewall delete allowedprogram 0x13c88:$s2: netsh firewall add allowedprogram 0x15ca9:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156dd:$s4: Execute ERROR 0x15731:$s4: Execute ERROR 0x156f9:$s5: Download ERROR
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c36:$s1: netsh firewall delete allowedprogram 0x13c88:$s2: netsh firewall add allowedprogram 0x15ca9:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156dd:$s4: Execute ERROR 0x15731:$s4: Execute ERROR 0x156f9:$s5: Download ERROR
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c36:$s1: netsh firewall delete allowedprogram 0x13c88:$s2: netsh firewall add allowedprogram 0x15ca9:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156dd:$s4: Execute ERROR 0x15731:$s4: Execute ERROR 0x156f9:$s5: Download ERROR
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c36:$s1: netsh firewall delete allowedprogram 0x13c88:$s2: netsh firewall add allowedprogram 0x15ca9:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156dd:$s4: Execute ERROR 0x15731:$s4: Execute ERROR 0x156f9:$s5: Download ERROR
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c36:$s1: netsh firewall delete allowedprogram 0x13c88:$s2: netsh firewall add allowedprogram 0x15ca9:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156dd:$s4: Execute ERROR 0x15731:$s4: Execute ERROR 0x156f9:$s5: Download ERROR
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c36:$s1: netsh firewall delete allowedprogram 0x13c88:$s2: netsh firewall add allowedprogram 0x15ca9:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156dd:$s4: Execute ERROR 0x15731:$s4: Execute ERROR 0x156f9:$s5: Download ERROR
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c36:$s1: netsh firewall delete allowedprogram 0x13c88:$s2: netsh firewall add allowedprogram 0x15ca9:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156dd:$s4: Execute ERROR 0x15731:$s4: Execute ERROR 0x156f9:$s5: Download ERROR
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c36:$s1: netsh firewall delete allowedprogram 0x13c88:$s2: netsh firewall add allowedprogram 0x15ca9:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156dd:$s4: Execute ERROR 0x15731:$s4: Execute ERROR 0x156f9:$s5: Download ERROR
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c36:$s1: netsh firewall delete allowedprogram 0x13c88:$s2: netsh firewall add allowedprogram 0x15ca9:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156dd:$s4: Execute ERROR 0x15731:$s4: Execute ERROR 0x156f9:$s5: Download ERROR
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c36:$s1: netsh firewall delete allowedprogram 0x13c88:$s2: netsh firewall add allowedprogram 0x15ca9:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156dd:$s4: Execute ERROR 0x15731:$s4: Execute ERROR 0x156f9:$s5: Download ERROR
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c36:$s1: netsh firewall delete allowedprogram 0x13c88:$s2: netsh firewall add allowedprogram 0x15ca9:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156dd:$s4: Execute ERROR 0x15731:$s4: Execute ERROR 0x156f9:$s5: Download ERROR
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c36:$s1: netsh firewall delete allowedprogram 0x13c88:$s2: netsh firewall add allowedprogram 0x15ca9:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156dd:$s4: Execute ERROR 0x15731:$s4: Execute ERROR 0x156f9:$s5: Download ERROR
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c36:$s1: netsh firewall delete allowedprogram 0x13c88:$s2: netsh firewall add allowedprogram 0x15ca9:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156dd:$s4: Execute ERROR 0x15731:$s4: Execute ERROR 0x156f9:$s5: Download ERROR
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c36:$s1: netsh firewall delete allowedprogram 0x13c88:$s2: netsh firewall add allowedprogram 0x15ca9:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156dd:$s4: Execute ERROR 0x15731:$s4: Execute ERROR 0x156f9:$s5: Download ERROR
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c36:$s1: netsh firewall delete allowedprogram 0x13c88:$s2: netsh firewall add allowedprogram 0x15ca9:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156dd:$s4: Execute ERROR 0x15731:$s4: Execute ERROR 0x156f9:$s5: Download ERROR
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Users\user\AppData\Local\Temp\server.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x115d2:$a1: get_Registry 0x15a57:$a2: SEE_MASK_NOZONECHECKS 0x156f9:$a3: Download ERROR 0x15ca9:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13c36:$a5: netsh firewall delete allowedprogram "
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x115d2:$a1: get_Registry 0x15a57:$a2: SEE_MASK_NOZONECHECKS 0x156f9:$a3: Download ERROR 0x15ca9:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13c36:$a5: netsh firewall delete allowedprogram "
C:\Users\user\AppData\Local\Temp\server.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x115d2:$a1: get_Registry 0x15a57:$a2: SEE_MASK_NOZONECHECKS 0x156f9:$a3: Download ERROR 0x15ca9:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13c36:$a5: netsh firewall delete allowedprogram "
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x15ca9:$x1: cmd.exe /c ping 0 -n 2 & del " 0x137c2:$s1: winmgmts:\\.\root\SecurityCenter2 0x15717:$s3: Executed As 0x124f0:$s5: Stub.exe 0x156f9:$s6: Download ERROR 0x13784:$s8: Select * From AntiVirusProduct
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x15ca9:$x1: cmd.exe /c ping 0 -n 2 & del " 0x137c2:$s1: winmgmts:\\.\root\SecurityCenter2 0x15717:$s3: Executed As 0x124f0:$s5: Stub.exe 0x156f9:$s6: Download ERROR 0x13784:$s8: Select * From AntiVirusProduct
C:\Users\user\AppData\Local\Temp\server.exe	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x15ca9:$x1: cmd.exe /c ping 0 -n 2 & del " 0x137c2:$s1: winmgmts:\\.\root\SecurityCenter2 0x15717:$s3: Executed As 0x124f0:$s5: Stub.exe 0x156f9:$s6: Download ERROR 0x13784:$s8: Select * From AntiVirusProduct
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	crimeware_njrat_strings	Detects njRAT based on some strings	Sekoia.io	0x1549b:$: set cdaudio door closed 0x1545f:$: set cdaudio door open 0x15cbf:$: ping 0 0x13412:$: [endof] 0x132cc:$: TiGeR-Firewall 0x132fa:$: NetSnifferCs 0x132b8:$: IPBlocker 0x13314:$: Sandboxie Control
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x15a57:$reg: SEE_MASK_NOZONECHECKS 0x156dd:$msg: Execute ERROR 0x15731:$msg: Execute ERROR 0x15ca9:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Users\user\AppData\Local\Temp\server.exe	crimeware_njrat_strings	Detects njRAT based on some strings	Sekoia.io	0x1549b:$: set cdaudio door closed 0x1545f:$: set cdaudio door open 0x15cbf:$: ping 0 0x13412:$: [endof] 0x132cc:$: TiGeR-Firewall 0x132fa:$: NetSnifferCs 0x132b8:$: IPBlocker 0x13314:$: Sandboxie Control
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	crimeware_njrat_strings	Detects njRAT based on some strings	Sekoia.io	0x1549b:$: set cdaudio door closed 0x1545f:$: set cdaudio door open 0x15cbf:$: ping 0 0x13412:$: [endof] 0x132cc:$: TiGeR-Firewall 0x132fa:$: NetSnifferCs 0x132b8:$: IPBlocker 0x13314:$: Sandboxie Control
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c36:$s1: netsh firewall delete allowedprogram 0x13c88:$s2: netsh firewall add allowedprogram 0x15ca9:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156dd:$s4: Execute ERROR 0x15731:$s4: Execute ERROR 0x156f9:$s5: Download ERROR
C:\Users\user\AppData\Local\Temp\server.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x15a57:$reg: SEE_MASK_NOZONECHECKS 0x156dd:$msg: Execute ERROR 0x15731:$msg: Execute ERROR 0x15ca9:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x15a57:$reg: SEE_MASK_NOZONECHECKS 0x156dd:$msg: Execute ERROR 0x15731:$msg: Execute ERROR 0x15ca9:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c36:$s1: netsh firewall delete allowedprogram 0x13c88:$s2: netsh firewall add allowedprogram 0x15ca9:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156dd:$s4: Execute ERROR 0x15731:$s4: Execute ERROR 0x156f9:$s5: Download ERROR
C:\Users\user\AppData\Local\Temp\server.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c36:$s1: netsh firewall delete allowedprogram 0x13c88:$s2: netsh firewall add allowedprogram 0x15ca9:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156dd:$s4: Execute ERROR 0x15731:$s4: Execute ERROR 0x156f9:$s5: Download ERROR
Click to see the 67 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1704428155.00000000036C8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000002.1704428155.00000000036C8000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x115f2:$a1: get_Registry 0x15a77:$a2: SEE_MASK_NOZONECHECKS 0x15719:$a3: Download ERROR 0x15cc9:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13c56:$a5: netsh firewall delete allowedprogram "
00000000.00000002.1704428155.00000000036C8000.00000004.00000800.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x15a77:$reg: SEE_MASK_NOZONECHECKS 0x156fd:$msg: Execute ERROR 0x15751:$msg: Execute ERROR 0x15cc9:$ping: cmd.exe /c ping 0 -n 2 & del
00000000.00000000.1677861095.0000000000082000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000000.1677861095.0000000000082000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x113d2:$a1: get_Registry 0x15857:$a2: SEE_MASK_NOZONECHECKS 0x154f9:$a3: Download ERROR 0x15aa9:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13a36:$a5: netsh firewall delete allowedprogram "
00000000.00000000.1677861095.0000000000082000.00000002.00000001.01000000.00000003.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x15857:$reg: SEE_MASK_NOZONECHECKS 0x154dd:$msg: Execute ERROR 0x15531:$msg: Execute ERROR 0x15aa9:$ping: cmd.exe /c ping 0 -n 2 & del
Process Memory Space: L363rVr7oL.exe PID: 5480	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: server.exe PID: 3272	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.L363rVr7oL.exe.80000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.0.L363rVr7oL.exe.80000.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x115d2:$a1: get_Registry 0x15a57:$a2: SEE_MASK_NOZONECHECKS 0x156f9:$a3: Download ERROR 0x15ca9:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13c36:$a5: netsh firewall delete allowedprogram "
0.0.L363rVr7oL.exe.80000.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x15ca9:$x1: cmd.exe /c ping 0 -n 2 & del " 0x137c2:$s1: winmgmts:\\.\root\SecurityCenter2 0x15717:$s3: Executed As 0x124f0:$s5: Stub.exe 0x156f9:$s6: Download ERROR 0x13784:$s8: Select * From AntiVirusProduct
0.0.L363rVr7oL.exe.80000.0.unpack	crimeware_njrat_strings	Detects njRAT based on some strings	Sekoia.io	0x1549b:$: set cdaudio door closed 0x1545f:$: set cdaudio door open 0x15cbf:$: ping 0 0x13412:$: [endof] 0x132cc:$: TiGeR-Firewall 0x132fa:$: NetSnifferCs 0x132b8:$: IPBlocker 0x13314:$: Sandboxie Control
0.0.L363rVr7oL.exe.80000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x15a57:$reg: SEE_MASK_NOZONECHECKS 0x156dd:$msg: Execute ERROR 0x15731:$msg: Execute ERROR 0x15ca9:$ping: cmd.exe /c ping 0 -n 2 & del
0.0.L363rVr7oL.exe.80000.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c36:$s1: netsh firewall delete allowedprogram 0x13c88:$s2: netsh firewall add allowedprogram 0x15ca9:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156dd:$s4: Execute ERROR 0x15731:$s4: Execute ERROR 0x156f9:$s5: Download ERROR
Click to see the 1 entries

Sigma Signatures

System Summary

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\server.exe, ProcessId: 3272, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe

Suricata Signatures

ET MALWARE Bladabindi/njRAT CnC Command (ll)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-25T06:22:05.558040+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	49730	147.185.221.24	37290	TCP

ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-25T06:22:05.558040+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	49730	147.185.221.24	37290	TCP

ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-25T06:22:10.893760+0100	2825564	1	Malware Command and Control Activity Detected	192.168.2.4	49730	147.185.221.24	37290	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: L363rVr7oL.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Program Files (x86)\Explower.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files (x86)\Explower.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files (x86)\Explower.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files (x86)\Explower.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files (x86)\Explower.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files (x86)\Explower.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files (x86)\Explower.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Temp\server.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Notepad.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files (x86)\Explower.exe	Avira: detection malicious, Label: TR/Dropper.Gen

Found malware configuration

Source: 0.0.L363rVr7oL.exe.80000.0.unpack

Malware Configuration Extractor: Njrat {"Campaign ID": "Kyotzin", "Version": "0.7d", "Install Name": "a4d560bc8f8d17c6ed1c6a55f7fdc2b2", "Install Dir": "system", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Network Seprator": "|'|'|"}

Multi AV Scanner detection for dropped file

Source: C:\Notepad.exe	ReversingLabs: Detection: 86%
Source: C:\Notepad.exe	Virustotal: Detection: 77%	Perma Link
Source: C:\Program Files (x86)\Explower.exe	ReversingLabs: Detection: 86%
Source: C:\Program Files (x86)\Explower.exe	Virustotal: Detection: 77%	Perma Link
Source: C:\Users\user\AppData\Local\Explower.exe	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Explower.exe	Virustotal: Detection: 77%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\History\Explower.exe	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\History\Explower.exe	Virustotal: Detection: 77%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Explower.exe	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Explower.exe	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Temp\server.exe	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	ReversingLabs: Detection: 86%
Source: C:\Users\user\Favorites\Explower.exe	ReversingLabs: Detection: 86%
Source: C:\Windows\SysWOW64\Explower.exe	ReversingLabs: Detection: 86%

Multi AV Scanner detection for submitted file

Source: L363rVr7oL.exe	Virustotal: Detection: 77%			Perma Link
Source: L363rVr7oL.exe	ReversingLabs: Detection: 86%

Yara detected Njrat

Source: Yara match	File source: L363rVr7oL.exe, type: SAMPLE
Source: Yara match	File source: 0.0.L363rVr7oL.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1704428155.00000000036C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1677861095.0000000000082000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: L363rVr7oL.exe PID: 5480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server.exe PID: 3272, type: MEMORYSTR
Source: Yara match	File source: C:\Program Files (x86)\Explower.exe, type: DROPPED
Source: Yara match	File source: C:\Notepad.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\Explower.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explower.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explower.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explower.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explower.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explower.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explower.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\server.exe	Joe Sandbox ML: detected
Source: C:\Notepad.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explower.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: L363rVr7oL.exe

Joe Sandbox ML: detected

Source: L363rVr7oL.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\L363rVr7oL.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: L363rVr7oL.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Spreading

Contains functionality to spread to USB devices (.Net source)

Source: L363rVr7oL.exe, Usb1.cs	.Net Code: infect
Source: server.exe.0.dr, Usb1.cs	.Net Code: infect
Source: Explower.exe.1.dr, Usb1.cs	.Net Code: infect
Source: Explower.exe0.1.dr, Usb1.cs	.Net Code: infect
Source: Explower.exe1.1.dr, Usb1.cs	.Net Code: infect
Source: Explower.exe2.1.dr, Usb1.cs	.Net Code: infect
Source: Notepad.exe.1.dr, Usb1.cs	.Net Code: infect
Source: Explower.exe3.1.dr, Usb1.cs	.Net Code: infect
Source: Microsoft Corporation.exe.1.dr, Usb1.cs	.Net Code: infect
Source: a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe.1.dr, Usb1.cs	.Net Code: infect
Source: Explower.exe4.1.dr, Usb1.cs	.Net Code: infect
Source: Explower.exe5.1.dr, Usb1.cs	.Net Code: infect

Source: L363rVr7oL.exe, 00000000.00000002.1704428155.00000000036C8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \autorun.inf
Source: L363rVr7oL.exe, 00000000.00000002.1704428155.00000000036C8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: L363rVr7oL.exe, 00000000.00000002.1704428155.00000000036C8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: L363rVr7oL.exe, 00000000.00000000.1677861095.0000000000082000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: \autorun.inf
Source: L363rVr7oL.exe, 00000000.00000000.1677861095.0000000000082000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: [autorun]
Source: L363rVr7oL.exe, 00000000.00000000.1677861095.0000000000082000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: autorun.inf
Source: L363rVr7oL.exe	Binary or memory string: \autorun.inf
Source: L363rVr7oL.exe	Binary or memory string: [autorun]
Source: L363rVr7oL.exe	Binary or memory string: autorun.inf
Source: Explower.exe4.1.dr	Binary or memory string: \autorun.inf
Source: Explower.exe4.1.dr	Binary or memory string: [autorun]
Source: Explower.exe4.1.dr	Binary or memory string: autorun.inf
Source: Explower.exe2.1.dr	Binary or memory string: \autorun.inf
Source: Explower.exe2.1.dr	Binary or memory string: [autorun]
Source: Explower.exe2.1.dr	Binary or memory string: autorun.inf
Source: Explower.exe1.1.dr	Binary or memory string: \autorun.inf
Source: Explower.exe1.1.dr	Binary or memory string: [autorun]
Source: Explower.exe1.1.dr	Binary or memory string: autorun.inf
Source: Explower.exe6.1.dr	Binary or memory string: \autorun.inf
Source: Explower.exe6.1.dr	Binary or memory string: [autorun]
Source: Explower.exe6.1.dr	Binary or memory string: autorun.inf
Source: Explower.exe.1.dr	Binary or memory string: \autorun.inf
Source: Explower.exe.1.dr	Binary or memory string: [autorun]
Source: Explower.exe.1.dr	Binary or memory string: autorun.inf
Source: Microsoft Corporation.exe.1.dr	Binary or memory string: \autorun.inf
Source: Microsoft Corporation.exe.1.dr	Binary or memory string: [autorun]
Source: Microsoft Corporation.exe.1.dr	Binary or memory string: autorun.inf
Source: Explower.exe3.1.dr	Binary or memory string: \autorun.inf
Source: Explower.exe3.1.dr	Binary or memory string: [autorun]
Source: Explower.exe3.1.dr	Binary or memory string: autorun.inf
Source: Explower.exe5.1.dr	Binary or memory string: \autorun.inf
Source: Explower.exe5.1.dr	Binary or memory string: [autorun]
Source: Explower.exe5.1.dr	Binary or memory string: autorun.inf
Source: server.exe.0.dr	Binary or memory string: \autorun.inf
Source: server.exe.0.dr	Binary or memory string: [autorun]
Source: server.exe.0.dr	Binary or memory string: autorun.inf
Source: Notepad.exe.1.dr	Binary or memory string: \autorun.inf
Source: Notepad.exe.1.dr	Binary or memory string: [autorun]
Source: Notepad.exe.1.dr	Binary or memory string: autorun.inf
Source: a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe.1.dr	Binary or memory string: \autorun.inf
Source: a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe.1.dr	Binary or memory string: [autorun]
Source: a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe.1.dr	Binary or memory string: autorun.inf
Source: Explower.exe0.1.dr	Binary or memory string: \autorun.inf
Source: Explower.exe0.1.dr	Binary or memory string: [autorun]
Source: Explower.exe0.1.dr	Binary or memory string: autorun.inf

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49730 -> 147.185.221.24:37290
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49730 -> 147.185.221.24:37290
Source: Network traffic	Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.4:49730 -> 147.185.221.24:37290

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 147.185.221.24 ports 37290,0,2,3,7,9

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 147.185.221.24:37290

Source: Joe Sandbox View

IP Address: 147.185.221.24 147.185.221.24

Source: Joe Sandbox View

ASN Name: SALSGIVERUS SALSGIVERUS

Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24

Source: C:\Users\user\Desktop\L363rVr7oL.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior

E-Banking Fraud

Yara detected Njrat

Source: Yara match	File source: L363rVr7oL.exe, type: SAMPLE
Source: Yara match	File source: 0.0.L363rVr7oL.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1704428155.00000000036C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1677861095.0000000000082000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: L363rVr7oL.exe PID: 5480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server.exe PID: 3272, type: MEMORYSTR
Source: Yara match	File source: C:\Program Files (x86)\Explower.exe, type: DROPPED
Source: Yara match	File source: C:\Notepad.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: L363rVr7oL.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: L363rVr7oL.exe, type: SAMPLE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: L363rVr7oL.exe, type: SAMPLE	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: L363rVr7oL.exe, type: SAMPLE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: L363rVr7oL.exe, type: SAMPLE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.0.L363rVr7oL.exe.80000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.0.L363rVr7oL.exe.80000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.0.L363rVr7oL.exe.80000.0.unpack, type: UNPACKEDPE	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: 0.0.L363rVr7oL.exe.80000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.L363rVr7oL.exe.80000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000000.00000002.1704428155.00000000036C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000002.1704428155.00000000036C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000000.1677861095.0000000000082000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000000.1677861095.0000000000082000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: C:\Notepad.exe, type: DROPPED	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe, type: DROPPED	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe, type: DROPPED	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe, type: DROPPED	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen

Source: C:\Users\user\AppData\Local\Temp\server.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 1_2_005FBDCA NtQuerySystemInformation,		1_2_005FBDCA
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 1_2_005FBD99 NtQuerySystemInformation,		1_2_005FBD99

Source: C:\Users\user\AppData\Local\Temp\server.exe

File created: C:\Windows\SysWOW64\Explower.exe

Jump to behavior

Source: C:\Users\user\Desktop\L363rVr7oL.exe	Code function: 0_2_04864298	0_2_04864298
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Code function: 0_2_04865000	0_2_04865000
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Code function: 0_2_0486470F	0_2_0486470F
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Code function: 0_2_04864C8F	0_2_04864C8F
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Code function: 0_2_04864F9D	0_2_04864F9D
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Code function: 0_2_0486499D	0_2_0486499D
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Code function: 0_2_04864F2F	0_2_04864F2F
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Code function: 0_2_04864936	0_2_04864936
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Code function: 0_2_04864630	0_2_04864630
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Code function: 0_2_04864544	0_2_04864544
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Code function: 0_2_048647D4	0_2_048647D4
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Code function: 0_2_0486505D	0_2_0486505D
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Code function: 0_2_04864B5B	0_2_04864B5B
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Code function: 0_2_04865459	0_2_04865459
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Code function: 0_2_048650E3	0_2_048650E3
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Code function: 0_2_0486536F	0_2_0486536F
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Code function: 0_2_048644F1	0_2_048644F1
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Code function: 0_2_048649F9	0_2_048649F9
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 1_2_04804290	1_2_04804290
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 1_2_048074C7	1_2_048074C7
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 1_2_04807900	1_2_04807900
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 1_2_04804283	1_2_04804283
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 1_2_04804C87	1_2_04804C87
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 1_2_04804F95	1_2_04804F95
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 1_2_04804995	1_2_04804995
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 1_2_048047CC	1_2_048047CC
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 1_2_048050DB	1_2_048050DB
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 1_2_048044E9	1_2_048044E9
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 1_2_048049F1	1_2_048049F1
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 1_2_04804FF8	1_2_04804FF8
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 1_2_04804707	1_2_04804707
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 1_2_04804F27	1_2_04804F27
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 1_2_04804628	1_2_04804628
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 1_2_0480492E	1_2_0480492E
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 1_2_0480453C	1_2_0480453C
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 1_2_04805451	1_2_04805451
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 1_2_04804B53	1_2_04804B53
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 1_2_04805055	1_2_04805055
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 1_2_04805367	1_2_04805367

Source: L363rVr7oL.exe, 00000000.00000002.1703564136.000000000058E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenamemscorwks.dllT vs L363rVr7oL.exe

Source: L363rVr7oL.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: L363rVr7oL.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: L363rVr7oL.exe, type: SAMPLE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: L363rVr7oL.exe, type: SAMPLE	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: L363rVr7oL.exe, type: SAMPLE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: L363rVr7oL.exe, type: SAMPLE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.0.L363rVr7oL.exe.80000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.0.L363rVr7oL.exe.80000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.L363rVr7oL.exe.80000.0.unpack, type: UNPACKEDPE	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: 0.0.L363rVr7oL.exe.80000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.0.L363rVr7oL.exe.80000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000000.00000002.1704428155.00000000036C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000002.1704428155.00000000036C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000000.1677861095.0000000000082000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000000.1677861095.0000000000082000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Notepad.exe, type: DROPPED	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Notepad.exe, type: DROPPED	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe, type: DROPPED	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe, type: DROPPED	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe, type: DROPPED	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi

Source: classification engine

Classification label: mal100.spre.phis.troj.adwa.evad.winEXE@17/20@0/1

Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 1_2_005FBC4E AdjustTokenPrivileges,		1_2_005FBC4E
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 1_2_005FBC17 AdjustTokenPrivileges,		1_2_005FBC17

Source: C:\Users\user\AppData\Local\Temp\server.exe

File created: C:\Program Files (x86)\Explower.exe

Jump to behavior

Source: C:\Users\user\Desktop\L363rVr7oL.exe

File created: C:\Users\user\AppData\Roaming\app

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\server.exe	Mutant created: \Sessions\1\BaseNamedObjects\a4d560bc8f8d17c6ed1c6a55f7fdc2b2
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6876:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6164:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\server.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:2892:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5180:120:WilError_03

Source: C:\Users\user\Desktop\L363rVr7oL.exe

File created: C:\Users\user\AppData\Local\Temp\FransescoPast.txt

Jump to behavior

Source: L363rVr7oL.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: L363rVr7oL.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\L363rVr7oL.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\L363rVr7oL.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: L363rVr7oL.exe	Virustotal: Detection: 77%
Source: L363rVr7oL.exe	ReversingLabs: Detection: 86%

Source: C:\Users\user\Desktop\L363rVr7oL.exe

File read: C:\Users\user\Desktop\L363rVr7oL.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\L363rVr7oL.exe "C:\Users\user\Desktop\L363rVr7oL.exe"
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Process created: C:\Users\user\AppData\Local\Temp\server.exe "C:\Users\user\AppData\Local\Temp\server.exe"
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall delete allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe"
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe"
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe"
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Process created: C:\Users\user\AppData\Local\Temp\server.exe "C:\Users\user\AppData\Local\Temp\server.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe" "server.exe" ENABLE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall delete allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe" "server.exe" ENABLE	Jump to behavior

Source: C:\Users\user\Desktop\L363rVr7oL.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Section loaded: shfolder.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\server.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\L363rVr7oL.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: L363rVr7oL.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\L363rVr7oL.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: L363rVr7oL.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: L363rVr7oL.exe, Fransesco.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: server.exe.0.dr, Fransesco.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: Explower.exe.1.dr, Fransesco.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: Explower.exe0.1.dr, Fransesco.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: Explower.exe1.1.dr, Fransesco.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: Explower.exe2.1.dr, Fransesco.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: Notepad.exe.1.dr, Fransesco.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: Explower.exe3.1.dr, Fransesco.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: Microsoft Corporation.exe.1.dr, Fransesco.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe.1.dr, Fransesco.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: Explower.exe4.1.dr, Fransesco.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: Explower.exe5.1.dr, Fransesco.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\AppData\Local\Temp\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\server.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Explower.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\server.exe	File created: C:\Notepad.exe	Jump to dropped file
Source: C:\Users\user\Desktop\L363rVr7oL.exe	File created: C:\Users\user\AppData\Local\Temp\server.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\server.exe	File created: C:\Windows\SysWOW64\Explower.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\server.exe	File created: C:\Users\user\AppData\Local\Explower.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\server.exe	File created: C:\Program Files (x86)\Explower.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\server.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\History\Explower.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\server.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Explower.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\server.exe	File created: C:\Users\user\Favorites\Explower.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\server.exe

File created: C:\Program Files (x86)\Explower.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\server.exe

File created: C:\Windows\SysWOW64\Explower.exe

Jump to dropped file

Boot Survival

Drops PE files to the startup folder

Source: C:\Users\user\AppData\Local\Temp\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\server.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Jump to behavior

Source: C:\Users\user\Desktop\L363rVr7oL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\L363rVr7oL.exe	Memory allocated: 6E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Memory allocated: 26C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\L363rVr7oL.exe	Memory allocated: 46C0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Memory allocated: 25E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Memory allocated: 25E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Memory allocated: 45E0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Memory allocated: 1510000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Memory allocated: 34E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Memory allocated: 1550000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Memory allocated: DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Memory allocated: 2CE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Memory allocated: 4CE0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Memory allocated: 1680000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Memory allocated: 3370000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Memory allocated: 5370000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\L363rVr7oL.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\server.exe	Window / User API: threadDelayed 1024	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Window / User API: threadDelayed 653	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Window / User API: threadDelayed 3924	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Window / User API: foregroundWindowGot 544	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Window / User API: foregroundWindowGot 543	Jump to behavior

Source: C:\Users\user\Desktop\L363rVr7oL.exe TID: 1260	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe TID: 4940	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe TID: 4048	Thread sleep time: -653000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe TID: 4048	Thread sleep time: -3924000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe TID: 5676	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe TID: 6828	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe TID: 6828	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe TID: 2488	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\L363rVr7oL.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior

Source: L363rVr7oL.exe, 00000000.00000002.1703564136.0000000000607000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
Source: L363rVr7oL.exe, 00000000.00000002.1703564136.0000000000607000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: netsh.exe, 00000004.00000003.1739825795.00000000007B2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll[
Source: netsh.exe, 00000002.00000003.1721531356.0000000000DA2000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000005.00000003.1742587678.0000000001172000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllS
Source: server.exe, 00000001.00000002.4140486625.0000000000754000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Local\Temp\server.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\server.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\L363rVr7oL.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\L363rVr7oL.exe

Process created: C:\Users\user\AppData\Local\Temp\server.exe "C:\Users\user\AppData\Local\Temp\server.exe"

Jump to behavior

Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 07:57:13 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 08:34:27 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 05:19:28 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 07:46:55 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 06:38:44 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 09:24:11 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 06:45:13 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 14:16:05 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/07 \| 23:14:06 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 07:44:57 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/12 \| 12:30:02 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 07:54:16 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 11:55:12 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/07 \| 21:48:07 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 04:23:42 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 10:25:38 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 06:44:14 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 02:59:03 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 08:32:36 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 06:03:18 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 07:43:58 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/12 \| 12:36:49 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 05:52:39 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 13:45:32 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 05:10:15 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 08:40:51 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 07:32:40 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 11:39:05 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 03:56:49 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 04:14:44 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 11:52:15 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 05:20:57 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/07 \| 22:32:44 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 08:39:22 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 06:50:24 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/07 \| 21:30:34 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/07 \| 23:12:08 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 13:20:12 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 08:57:49 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 04:29:58 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/05 \| 18:05:10 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 04:59:20 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 08:07:40 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 10:00:18 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 05:37:40 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 05:42:20 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 12:32:02 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 06:46:43 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/07 \| 21:37:18 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 13:30:47 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 06:44:38 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/07 \| 22:57:33 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 09:07:52 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/05 \| 17:49:13 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 05:44:02 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 04:24:10 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 03:05:18 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 09:51:29 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 12:11:40 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 06:21:16 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/07 \| 22:48:19 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 06:53:52 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 07:45:25 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 03:22:31 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 05:48:43 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 10:01:40 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 04:03:39 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 05:51:11 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 08:23:45 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 08:11:12 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 06:38:28 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 05:06:50 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 05:28:42 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 04:48:31 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 08:04:27 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 10:36:27 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 07:26:30 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 07:51:35 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 07:58:05 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 07:26:07 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 04:13:45 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 04:28:30 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 03:51:32 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 04:11:54 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 09:54:26 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 06:10:03 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 07:12:30 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 10:58:11 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/27 \| 10:49:44 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 12:08:20 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 12:39:03 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 03:38:37 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 14:10:34 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 01:21:33 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 10:22:50 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 09:18:25 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 03:54:06 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 08:49:26 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 08:28:48 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 09:26:54 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 07:15:41 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 08:47:35 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 08:26:11 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 09:12:23 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 09:55:56 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 08:08:54 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 11:50:48 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/07 \| 23:23:28 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 10:05:44 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 05:42:49 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 06:44:59 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 00:25:39 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 06:24:27 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/05 \| 17:45:48 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/05 \| 18:09:51 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 04:58:28 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/29 \| 18:41:49 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 13:38:16 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 08:19:05 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 10:18:45 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 08:18:13 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 10:30:25 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 07:38:56 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 08:42:19 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/12 \| 12:31:09 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/07 \| 21:57:52 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 11:00:53 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 08:17:14 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 03:00:32 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 03:19:35 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 09:25:55 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 06:16:29 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 07:16:40 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 08:46:53 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 05:09:07 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 09:35:14 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 03:55:57 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 09:34:32 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 06:24:20 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 06:31:27 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 04:39:02 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 07:25:38 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 07:08:25 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 12:37:42 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 04:59:03 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 05:26:58 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 00:23:50 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 04:20:24 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 04:56:06 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 06:44:28 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 07:49:31 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 08:14:48 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 13:04:19 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 05:14:01 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 08:23:30 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 07:36:28 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 09:43:23 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 04:24:24 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 09:41:00 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 03:49:19 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 04:13:59 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 06:22:05 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 07:04:46 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 05:02:44 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 05:18:22 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 07:31:04 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 04:27:39 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 10:04:28 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 04:55:10 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 08:41:13 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/07 \| 23:01:36 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 04:58:51 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 05:11:29 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 05:31:32 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 03:57:34 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/07 \| 22:41:18 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/29 \| 17:34:50 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 00:51:05 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/07 \| 21:44:28 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 06:04:50 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 07:52:10 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 05:47:58 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 07:13:37 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 06:28:30 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 13:18:05 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 13:57:48 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 09:42:55 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 04:17:24 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 14:20:38 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 04:34:10 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/07 \| 22:54:22 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 08:24:54 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 05:12:30 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/07 \| 22:40:22 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 08:52:47 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 14:24:59 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 05:05:18 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 06:55:40 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/07 \| 22:07:46 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 07:55:29 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 08:15:15 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 04:39:54 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 04:32:01 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 07:25:45 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 04:57:29 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/27 \| 13:29:18 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 04:37:04 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 07:22:13 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/12 \| 12:26:28 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 03:02:34 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 05:10:21 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/12 \| 12:34:57 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 04:40:08 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 13:43:40 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 04:24:18 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/07 \| 22:13:12 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 14:19:50 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 05:44:26 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 00:24:26 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 07:44:09 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 04:24:04 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/07 \| 22:33:37 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 06:22:32 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 05:48:26 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 00:22:28 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 05:32:08 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 13:17:37 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 13:20:43 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/12 \| 12:34:43 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 06:47:19 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 14:23:04 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 12:12:53 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 07:47:02 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 06:37:00 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 05:22:17 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 08:23:24 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 05:21:08 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 03:08:32 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 09:36:38 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 10:21:59 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 09:31:35 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 05:31:14 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 03:55:56 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 07:31:18 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 04:23:36 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 05:11:15 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 09:32:03 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 04:23:56 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 10:15:48 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 12:43:05 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 06:33:19 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 12:33:46 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 06:21:23 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 14:18:28 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 03:34:09 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 05:43:50 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 08:22:56 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 07:58:36 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 04:37:56 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 10:47:22 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 07:19:55 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 07:47:48 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 11:39:42 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 11:39:22 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 07:13:43 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 06:50:45 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 04:10:18 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 03:15:32 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 12:09:27 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 04:26:09 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 10:25:07 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 04:28:59 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 04:08:34 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 08:59:06 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 03:18:25 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 08:32:35 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 08:14:40 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 08:30:24 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 09:10:31 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 04:43:32 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 07:14:41 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 12:33:57 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 05:54:05 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 08:22:45 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 12:34:28 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 04:33:45 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 11:32:15 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 03:08:47 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 09:26:34 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 09:46:59 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 06:59:50 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 08:17:31 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 07:32:49 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 06:49:34 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 09:35:51 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 05:44:27 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/07 \| 22:44:26 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 07:44:53 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 05:09:25 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 04:13:51 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 08:47:34 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 14:03:24 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/07 \| 23:04:50 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 10:24:42 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 09:40:43 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 06:44:39 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 08:43:45 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 06:14:27 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/12 \| 12:30:53 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 05:33:38 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/05 \| 17:49:33 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 04:03:04 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 06:49:58 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 08:32:01 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 10:31:04 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 07:01:28 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 03:12:28 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 08:22:21 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 04:49:55 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 00:23:13 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 11:05:05 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 04:09:32 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/27 \| 10:28:17 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 06:37:51 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 07:31:45 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 13:10:47 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 08:59:22 - Program Manager
Source: L363rVr7oL.exe, Explower.exe4.1.dr, Explower.exe2.1.dr, Explower.exe1.1.dr, Explower.exe6.1.dr, Explower.exe.1.dr, Microsoft Corporation.exe.1.dr, Explower.exe3.1.dr, Explower.exe5.1.dr, server.exe.0.dr, Notepad.exe.1.dr, a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe.1.dr	Binary or memory string: Shell_traywnd+MostrarBarraDeTarefas
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 08:18:30 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 07:45:52 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 06:09:06 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 06:03:45 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 12:50:01 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/12 \| 12:28:32 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 05:57:59 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 09:41:11 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 10:50:22 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 12:14:34 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 07:56:27 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 07:38:39 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 03:19:29 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/07 \| 23:16:10 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 10:44:31 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 08:03:31 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 08:57:55 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 08:31:17 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/07 \| 22:58:43 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 06:47:24 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 10:33:47 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/07 \| 23:13:55 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 10:55:39 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 12:52:38 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 06:02:46 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 03:27:47 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 05:01:25 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/07 \| 22:56:59 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 04:42:17 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/07 \| 23:07:24 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 09:20:35 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 05:03:12 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 00:23:16 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 05:10:02 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 06:48:40 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 00:22:14 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 03:57:07 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 05:42:17 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 13:32:25 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/07 \| 21:40:13 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 07:19:27 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 05:02:03 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 04:45:33 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 06:27:19 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 05:26:45 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 04:59:40 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 00:27:26 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 06:59:48 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/29 \| 18:43:50 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 04:50:56 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 05:42:00 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 08:06:04 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 03:10:25 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 07:28:04 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 00:25:56 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/12 \| 12:24:22 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 05:18:47 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 08:36:08 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 07:42:10 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 10:22:16 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 03:48:47 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 04:09:58 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 07:42:03 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 08:56:39 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 08:47:18 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 03:32:00 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 07:24:52 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 06:26:08 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 08:48:00 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/05 \| 18:03:37 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 04:34:39 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 09:56:44 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 02:04:34 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 11:43:35 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/07 \| 21:58:17 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 06:28:41 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 06:14:41 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 13:59:46 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 06:40:48 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 06:31:07 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 06:03:54 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 14:16:56 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 00:26:41 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 05:23:43 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 06:08:33 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 01:48:03 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 08:51:16 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 07:24:46 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 03:41:05 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 09:36:07 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 00:22:51 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/07 \| 23:08:01 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 04:11:43 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 07:06:40 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 05:31:29 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 07:07:36 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 09:00:51 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 08:20:40 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 09:07:47 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 02:32:34 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 07:44:46 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 05:48:56 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 05:47:54 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 04:00:24 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 07:44:39 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 06:55:58 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 07:43:44 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 06:53:09 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 08:28:50 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 08:47:01 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 08:23:55 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 10:08:24 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 07:28:35 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 14:11:30 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 14:23:09 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 12:38:07 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 07:04:21 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 05:39:11 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 05:14:32 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 04:06:21 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 06:13:19 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 09:20:04 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 10:03:01 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 06:48:17 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/27 \| 09:38:35 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 05:16:43 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 10:04:51 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 04:38:28 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 00:23:53 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 05:30:02 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 07:14:36 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 11:26:15 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/07 \| 22:39:45 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 07:16:06 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 08:43:11 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 04:04:43 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 04:59:34 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 07:37:53 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 08:16:15 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 06:30:51 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 05:26:07 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 09:10:19 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 03:50:48 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 05:10:36 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/05 \| 18:00:32 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 05:24:36 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 05:09:42 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 06:58:11 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 05:14:19 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 03:18:36 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 05:44:01 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 04:55:13 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 03:13:13 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 05:54:47 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 07:09:38 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 05:42:59 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 05:23:36 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 06:50:41 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 03:07:06 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 10:15:17 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 11:55:57 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/07 \| 22:09:33 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 08:08:12 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 06:13:25 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/07 \| 23:14:26 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 05:05:07 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 09:24:31 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 07:45:08 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 05:05:54 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 04:16:32 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/10 \| 06:13:58 - Program Manager
Source: server.exe, 00000001.00000002.4141604873.00000000038F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/03 \| 11:56:31 - Program Manager

Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\server.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Contains functionality to disable the Task Manager (.Net Source)

Source: L363rVr7oL.exe, Fransesco.cs	.Net Code: INS
Source: server.exe.0.dr, Fransesco.cs	.Net Code: INS
Source: Explower.exe.1.dr, Fransesco.cs	.Net Code: INS
Source: Explower.exe0.1.dr, Fransesco.cs	.Net Code: INS
Source: Explower.exe1.1.dr, Fransesco.cs	.Net Code: INS
Source: Explower.exe2.1.dr, Fransesco.cs	.Net Code: INS
Source: Notepad.exe.1.dr, Fransesco.cs	.Net Code: INS
Source: Explower.exe3.1.dr, Fransesco.cs	.Net Code: INS
Source: Microsoft Corporation.exe.1.dr, Fransesco.cs	.Net Code: INS
Source: a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe.1.dr, Fransesco.cs	.Net Code: INS
Source: Explower.exe4.1.dr, Fransesco.cs	.Net Code: INS
Source: Explower.exe5.1.dr, Fransesco.cs	.Net Code: INS

Disables zone checking for all users

Source: C:\Users\user\AppData\Local\Temp\server.exe

Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS

Jump to behavior

Modifies the windows firewall

Source: C:\Users\user\AppData\Local\Temp\server.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe" "server.exe" ENABLE

Uses netsh to modify the Windows network and firewall settings

Source: C:\Users\user\AppData\Local\Temp\server.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe" "server.exe" ENABLE

Source: C:\Users\user\Desktop\L363rVr7oL.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Users\user\Desktop\L363rVr7oL.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Yara detected Njrat

Source: Yara match	File source: L363rVr7oL.exe, type: SAMPLE
Source: Yara match	File source: 0.0.L363rVr7oL.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1704428155.00000000036C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1677861095.0000000000082000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: L363rVr7oL.exe PID: 5480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server.exe PID: 3272, type: MEMORYSTR
Source: Yara match	File source: C:\Program Files (x86)\Explower.exe, type: DROPPED
Source: Yara match	File source: C:\Notepad.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED

Remote Access Functionality

Yara detected Njrat

Source: Yara match	File source: L363rVr7oL.exe, type: SAMPLE
Source: Yara match	File source: 0.0.L363rVr7oL.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1704428155.00000000036C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1677861095.0000000000082000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: L363rVr7oL.exe PID: 5480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server.exe PID: 3272, type: MEMORYSTR
Source: Yara match	File source: C:\Program Files (x86)\Explower.exe, type: DROPPED
Source: Yara match	File source: C:\Notepad.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	11 Replication Through Removable Media	1 Windows Management Instrumentation	12 Registry Run Keys / Startup Folder	1 Access Token Manipulation	32 Masquerading	OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	12 Process Injection	41 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Clipboard Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	12 Registry Run Keys / Startup Folder	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Access Token Manipulation	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Process Injection	LSA Secrets	1 Peripheral Device Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	12 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
L363rVr7oL.exe	77%	Virustotal		Browse
L363rVr7oL.exe	87%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
L363rVr7oL.exe	100%	Avira	TR/Dropper.Gen
L363rVr7oL.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files (x86)\Explower.exe	100%	Avira	TR/Dropper.Gen
C:\Program Files (x86)\Explower.exe	100%	Avira	TR/Dropper.Gen
C:\Program Files (x86)\Explower.exe	100%	Avira	TR/Dropper.Gen
C:\Program Files (x86)\Explower.exe	100%	Avira	TR/Dropper.Gen
C:\Program Files (x86)\Explower.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	100%	Avira	TR/Dropper.Gen
C:\Program Files (x86)\Explower.exe	100%	Avira	TR/Dropper.Gen
C:\Program Files (x86)\Explower.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Local\Temp\server.exe	100%	Avira	TR/Dropper.Gen
C:\Notepad.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	100%	Avira	TR/Dropper.Gen
C:\Program Files (x86)\Explower.exe	100%	Avira	TR/Dropper.Gen
C:\Program Files (x86)\Explower.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Explower.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Explower.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Explower.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Explower.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Explower.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Explower.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\server.exe	100%	Joe Sandbox ML
C:\Notepad.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Explower.exe	100%	Joe Sandbox ML
C:\Notepad.exe	87%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
C:\Notepad.exe	77%	Virustotal		Browse
C:\Program Files (x86)\Explower.exe	87%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
C:\Program Files (x86)\Explower.exe	77%	Virustotal		Browse
C:\Users\user\AppData\Local\Explower.exe	87%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\AppData\Local\Explower.exe	77%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\History\Explower.exe	87%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\AppData\Local\Microsoft\Windows\History\Explower.exe	77%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Explower.exe	87%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Explower.exe	87%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\AppData\Local\Temp\server.exe	87%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	87%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	87%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe	87%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\Favorites\Explower.exe	87%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
C:\Windows\SysWOW64\Explower.exe	87%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.185.221.24	unknown	United States		12087	SALSGIVERUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580557
Start date and time:	2024-12-25 06:21:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	L363rVr7oL.exe renamed because original name is a hash value
Original Sample Name:	2162d29eb849e9c799f3a951e52c9d4d.exe
Detection:	MAL
Classification:	mal100.spre.phis.troj.adwa.evad.winEXE@17/20@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 113 Number of non-executed functions: 18
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, consent.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:22:34	API Interceptor	253651x Sleep call for process: server.exe modified
05:22:01	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe
05:22:10	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe
05:22:18	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
147.185.221.24	horrify's Modx Menu v1.exe	Get hash	malicious	XWorm	Browse
	fvbhdyuJYi.exe	Get hash	malicious	XWorm	Browse
	8DiSW8IPEF.exe	Get hash	malicious	XWorm	Browse
	KJhsNv2RcI.exe	Get hash	malicious	XWorm	Browse
	PjGz899RZV.exe	Get hash	malicious	XWorm	Browse
	ehxF3rusxJ.exe	Get hash	malicious	XWorm	Browse
	Client-built-Playit.exe	Get hash	malicious	Quasar	Browse
	file.exe	Get hash	malicious	ScreenConnect Tool, Amadey, RHADAMANTHYS, XWorm, Xmrig	Browse
	72OWK7wBVH.exe	Get hash	malicious	XWorm	Browse
	aZDwfEKorn.exe	Get hash	malicious	XWorm	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SALSGIVERUS	WO.exe	Get hash	malicious	Metasploit	Browse	147.185.221.23
	reddit.exe	Get hash	malicious	Metasploit	Browse	147.185.221.23
	loligang.mpsl.elf	Get hash	malicious	Mirai	Browse	147.176.119.110
	horrify's Modx Menu v1.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	fvbhdyuJYi.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	8DiSW8IPEF.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	twE44mm07j.exe	Get hash	malicious	XWorm	Browse	147.185.221.18
	YgJ5inWPQO.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	147.185.221.18
	dr2YKJiGH9.exe	Get hash	malicious	XWorm	Browse	147.185.221.23
	KJhsNv2RcI.exe	Get hash	malicious	XWorm	Browse	147.185.221.24

Process:	C:\Users\user\AppData\Local\Temp\server.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.566087372113848
Encrypted:	false
SSDEEP:	1536:oGlTr1IDavlZhbSc39YdjEwzGi1dDhDrgS:oGlSDavlZI8mqi1dtk
MD5:	2162D29EB849E9C799F3A951E52C9D4D
SHA1:	386CB6A7CF616DBCE0823F6FF23C1CBCB1D302E5
SHA-256:	150046FC66A80E4668FC08417E422C5F97489831823C898B50CA4ED6BC5A6F12
SHA-512:	64CE9074FE48C0A7BD640FF9F00F56DA340F0CC2D13E34C3AA5BCCF00F675287B02E7AAA73252669FF9591D646B9C400E0AF11EFE710CCCECA4AEED59D7A323A
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Notepad.exe, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Notepad.exe, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Notepad.exe, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Notepad.exe, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Notepad.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Notepad.exe, Author: unknown Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Notepad.exe, Author: Florian Roth Rule: crimeware_njrat_strings, Description: Detects njRAT based on some strings, Source: C:\Notepad.exe, Author: Sekoia.io Rule: Njrat, Description: detect njRAT in memory, Source: C:\Notepad.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 87% Antivirus: Virustotal, Detection: 77%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?.dg.................p............... ........@.. ....................................@....................................S.................................................................................... ............... ..H............text...4o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Program Files (x86)\Explower.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\server.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.566087372113848
Encrypted:	false
SSDEEP:	1536:oGlTr1IDavlZhbSc39YdjEwzGi1dDhDrgS:oGlSDavlZI8mqi1dtk
MD5:	2162D29EB849E9C799F3A951E52C9D4D
SHA1:	386CB6A7CF616DBCE0823F6FF23C1CBCB1D302E5
SHA-256:	150046FC66A80E4668FC08417E422C5F97489831823C898B50CA4ED6BC5A6F12
SHA-512:	64CE9074FE48C0A7BD640FF9F00F56DA340F0CC2D13E34C3AA5BCCF00F675287B02E7AAA73252669FF9591D646B9C400E0AF11EFE710CCCECA4AEED59D7A323A
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Program Files (x86)\Explower.exe, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Program Files (x86)\Explower.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Program Files (x86)\Explower.exe, Author: unknown Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Program Files (x86)\Explower.exe, Author: Florian Roth Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Program Files (x86)\Explower.exe, Author: Florian Roth Rule: crimeware_njrat_strings, Description: Detects njRAT based on some strings, Source: C:\Program Files (x86)\Explower.exe, Author: Sekoia.io Rule: crimeware_njrat_strings, Description: Detects njRAT based on some strings, Source: C:\Program Files (x86)\Explower.exe, Author: Sekoia.io Rule: crimeware_njrat_strings, Description: Detects njRAT based on some strings, Source: C:\Program Files (x86)\Explower.exe, Author: Sekoia.io Rule: crimeware_njrat_strings, Description: Detects njRAT based on some strings, Source: C:\Program Files (x86)\Explower.exe, Author: Sekoia.io Rule: crimeware_njrat_strings, Description: Detects njRAT based on some strings, Source: C:\Program Files (x86)\Explower.exe, Author: Sekoia.io Rule: Njrat, Description: detect njRAT in memory, Source: C:\Program Files (x86)\Explower.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 87% Antivirus: Virustotal, Detection: 77%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?.dg.................p............... ........@.. ....................................@....................................S.................................................................................... ............... ..H............text...4o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Users\user\AppData\Local\Explower.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\server.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.566087372113848
Encrypted:	false
SSDEEP:	1536:oGlTr1IDavlZhbSc39YdjEwzGi1dDhDrgS:oGlSDavlZI8mqi1dtk
MD5:	2162D29EB849E9C799F3A951E52C9D4D
SHA1:	386CB6A7CF616DBCE0823F6FF23C1CBCB1D302E5
SHA-256:	150046FC66A80E4668FC08417E422C5F97489831823C898B50CA4ED6BC5A6F12
SHA-512:	64CE9074FE48C0A7BD640FF9F00F56DA340F0CC2D13E34C3AA5BCCF00F675287B02E7AAA73252669FF9591D646B9C400E0AF11EFE710CCCECA4AEED59D7A323A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 87% Antivirus: Virustotal, Detection: 77%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?.dg.................p............... ........@.. ....................................@....................................S.................................................................................... ............... ..H............text...4o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Explower.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.259753436570609
Encrypted:	false
SSDEEP:	12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
MD5:	260E01CC001F9C4643CA7A62F395D747
SHA1:	492AD0ACE3A9C8736909866EEA168962D418BE5A
SHA-256:	4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
SHA-512:	01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
Malicious:	false
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\L363rVr7oL.exe.log

Download File

Process:	C:\Users\user\Desktop\L363rVr7oL.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.259753436570609
Encrypted:	false
SSDEEP:	12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
MD5:	260E01CC001F9C4643CA7A62F395D747
SHA1:	492AD0ACE3A9C8736909866EEA168962D418BE5A
SHA-256:	4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
SHA-512:	01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
Malicious:	true
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Microsoft Corporation.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.259753436570609
Encrypted:	false
SSDEEP:	12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
MD5:	260E01CC001F9C4643CA7A62F395D747
SHA1:	492AD0ACE3A9C8736909866EEA168962D418BE5A
SHA-256:	4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
SHA-512:	01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
Malicious:	false
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.259753436570609
Encrypted:	false
SSDEEP:	12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
MD5:	260E01CC001F9C4643CA7A62F395D747
SHA1:	492AD0ACE3A9C8736909866EEA168962D418BE5A
SHA-256:	4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
SHA-512:	01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
Malicious:	false
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\History\Explower.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\server.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.566087372113848
Encrypted:	false
SSDEEP:	1536:oGlTr1IDavlZhbSc39YdjEwzGi1dDhDrgS:oGlSDavlZI8mqi1dtk
MD5:	2162D29EB849E9C799F3A951E52C9D4D
SHA1:	386CB6A7CF616DBCE0823F6FF23C1CBCB1D302E5
SHA-256:	150046FC66A80E4668FC08417E422C5F97489831823C898B50CA4ED6BC5A6F12
SHA-512:	64CE9074FE48C0A7BD640FF9F00F56DA340F0CC2D13E34C3AA5BCCF00F675287B02E7AAA73252669FF9591D646B9C400E0AF11EFE710CCCECA4AEED59D7A323A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 87% Antivirus: Virustotal, Detection: 77%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?.dg.................p............... ........@.. ....................................@....................................S.................................................................................... ............... ..H............text...4o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Explower.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\server.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.566087372113848
Encrypted:	false
SSDEEP:	1536:oGlTr1IDavlZhbSc39YdjEwzGi1dDhDrgS:oGlSDavlZI8mqi1dtk
MD5:	2162D29EB849E9C799F3A951E52C9D4D
SHA1:	386CB6A7CF616DBCE0823F6FF23C1CBCB1D302E5
SHA-256:	150046FC66A80E4668FC08417E422C5F97489831823C898B50CA4ED6BC5A6F12
SHA-512:	64CE9074FE48C0A7BD640FF9F00F56DA340F0CC2D13E34C3AA5BCCF00F675287B02E7AAA73252669FF9591D646B9C400E0AF11EFE710CCCECA4AEED59D7A323A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 87%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?.dg.................p............... ........@.. ....................................@....................................S.................................................................................... ............... ..H............text...4o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Explower.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\server.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.566087372113848
Encrypted:	false
SSDEEP:	1536:oGlTr1IDavlZhbSc39YdjEwzGi1dDhDrgS:oGlSDavlZI8mqi1dtk
MD5:	2162D29EB849E9C799F3A951E52C9D4D
SHA1:	386CB6A7CF616DBCE0823F6FF23C1CBCB1D302E5
SHA-256:	150046FC66A80E4668FC08417E422C5F97489831823C898B50CA4ED6BC5A6F12
SHA-512:	64CE9074FE48C0A7BD640FF9F00F56DA340F0CC2D13E34C3AA5BCCF00F675287B02E7AAA73252669FF9591D646B9C400E0AF11EFE710CCCECA4AEED59D7A323A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 87%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?.dg.................p............... ........@.. ....................................@....................................S.................................................................................... ............... ..H............text...4o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Users\user\AppData\Local\Temp\server.exe

Download File

Process:	C:\Users\user\Desktop\L363rVr7oL.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.566087372113848
Encrypted:	false
SSDEEP:	1536:oGlTr1IDavlZhbSc39YdjEwzGi1dDhDrgS:oGlSDavlZI8mqi1dtk
MD5:	2162D29EB849E9C799F3A951E52C9D4D
SHA1:	386CB6A7CF616DBCE0823F6FF23C1CBCB1D302E5
SHA-256:	150046FC66A80E4668FC08417E422C5F97489831823C898B50CA4ED6BC5A6F12
SHA-512:	64CE9074FE48C0A7BD640FF9F00F56DA340F0CC2D13E34C3AA5BCCF00F675287B02E7AAA73252669FF9591D646B9C400E0AF11EFE710CCCECA4AEED59D7A323A
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Local\Temp\server.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\server.exe, Author: unknown Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\server.exe, Author: Florian Roth Rule: crimeware_njrat_strings, Description: Detects njRAT based on some strings, Source: C:\Users\user\AppData\Local\Temp\server.exe, Author: Sekoia.io Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Local\Temp\server.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Local\Temp\server.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 87%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?.dg.................p............... ........@.. ....................................@....................................S.................................................................................... ............... ..H............text...4o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\server.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.566087372113848
Encrypted:	false
SSDEEP:	1536:oGlTr1IDavlZhbSc39YdjEwzGi1dDhDrgS:oGlSDavlZI8mqi1dtk
MD5:	2162D29EB849E9C799F3A951E52C9D4D
SHA1:	386CB6A7CF616DBCE0823F6FF23C1CBCB1D302E5
SHA-256:	150046FC66A80E4668FC08417E422C5F97489831823C898B50CA4ED6BC5A6F12
SHA-512:	64CE9074FE48C0A7BD640FF9F00F56DA340F0CC2D13E34C3AA5BCCF00F675287B02E7AAA73252669FF9591D646B9C400E0AF11EFE710CCCECA4AEED59D7A323A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 87%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?.dg.................p............... ........@.. ....................................@....................................S.................................................................................... ............... ..H............text...4o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\server.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.566087372113848
Encrypted:	false
SSDEEP:	1536:oGlTr1IDavlZhbSc39YdjEwzGi1dDhDrgS:oGlSDavlZI8mqi1dtk
MD5:	2162D29EB849E9C799F3A951E52C9D4D
SHA1:	386CB6A7CF616DBCE0823F6FF23C1CBCB1D302E5
SHA-256:	150046FC66A80E4668FC08417E422C5F97489831823C898B50CA4ED6BC5A6F12
SHA-512:	64CE9074FE48C0A7BD640FF9F00F56DA340F0CC2D13E34C3AA5BCCF00F675287B02E7AAA73252669FF9591D646B9C400E0AF11EFE710CCCECA4AEED59D7A323A
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: unknown Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: Florian Roth Rule: crimeware_njrat_strings, Description: Detects njRAT based on some strings, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: Sekoia.io Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 87%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?.dg.................p............... ........@.. ....................................@....................................S.................................................................................... ............... ..H............text...4o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\server.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.566087372113848
Encrypted:	false
SSDEEP:	1536:oGlTr1IDavlZhbSc39YdjEwzGi1dDhDrgS:oGlSDavlZI8mqi1dtk
MD5:	2162D29EB849E9C799F3A951E52C9D4D
SHA1:	386CB6A7CF616DBCE0823F6FF23C1CBCB1D302E5
SHA-256:	150046FC66A80E4668FC08417E422C5F97489831823C898B50CA4ED6BC5A6F12
SHA-512:	64CE9074FE48C0A7BD640FF9F00F56DA340F0CC2D13E34C3AA5BCCF00F675287B02E7AAA73252669FF9591D646B9C400E0AF11EFE710CCCECA4AEED59D7A323A
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe, Author: unknown Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe, Author: Florian Roth Rule: crimeware_njrat_strings, Description: Detects njRAT based on some strings, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe, Author: Sekoia.io Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 87%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?.dg.................p............... ........@.. ....................................@....................................S.................................................................................... ............... ..H............text...4o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Users\user\AppData\Roaming\app

Download File

Process:	C:\Users\user\Desktop\L363rVr7oL.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	5
Entropy (8bit):	2.321928094887362
Encrypted:	false
SSDEEP:	3:j:j
MD5:	CAC4598FDC0F92181616D12833EB6CA1
SHA1:	80A7B7A46A0E8E674B782B9EB569E5430A69C84B
SHA-256:	275918973C23AD700F278C69CC03C9C82EC9F4D9ED0F53111AD22BEC197FF440
SHA-512:	01A7556BFCCE6D9D8251AADC7F6E6169FDD0477D487CE88729C44BFE8B85B2EEE500985D553C0479765EF5B5C6DC3517C0305EFB9089814C3F8A9EA6FC51C713
Malicious:	false
Preview:	.25

C:\Users\user\Favorites\Explower.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\server.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.566087372113848
Encrypted:	false
SSDEEP:	1536:oGlTr1IDavlZhbSc39YdjEwzGi1dDhDrgS:oGlSDavlZI8mqi1dtk
MD5:	2162D29EB849E9C799F3A951E52C9D4D
SHA1:	386CB6A7CF616DBCE0823F6FF23C1CBCB1D302E5
SHA-256:	150046FC66A80E4668FC08417E422C5F97489831823C898B50CA4ED6BC5A6F12
SHA-512:	64CE9074FE48C0A7BD640FF9F00F56DA340F0CC2D13E34C3AA5BCCF00F675287B02E7AAA73252669FF9591D646B9C400E0AF11EFE710CCCECA4AEED59D7A323A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 87%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?.dg.................p............... ........@.. ....................................@....................................S.................................................................................... ............... ..H............text...4o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Windows\SysWOW64\Explower.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\server.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.566087372113848
Encrypted:	false
SSDEEP:	1536:oGlTr1IDavlZhbSc39YdjEwzGi1dDhDrgS:oGlSDavlZI8mqi1dtk
MD5:	2162D29EB849E9C799F3A951E52C9D4D
SHA1:	386CB6A7CF616DBCE0823F6FF23C1CBCB1D302E5
SHA-256:	150046FC66A80E4668FC08417E422C5F97489831823C898B50CA4ED6BC5A6F12
SHA-512:	64CE9074FE48C0A7BD640FF9F00F56DA340F0CC2D13E34C3AA5BCCF00F675287B02E7AAA73252669FF9591D646B9C400E0AF11EFE710CCCECA4AEED59D7A323A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 87%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?.dg.................p............... ........@.. ....................................@....................................S.................................................................................... ............... ..H............text...4o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

\Device\ConDrv

Download File

Process:	C:\Windows\SysWOW64\netsh.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	313
Entropy (8bit):	4.971939296804078
Encrypted:	false
SSDEEP:	6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
MD5:	689E2126A85BF55121488295EE068FA1
SHA1:	09BAAA253A49D80C18326DFBCA106551EBF22DD6
SHA-256:	D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
SHA-512:	C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
Malicious:	false
Preview:	..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.566087372113848
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	L363rVr7oL.exe
File size:	95'232 bytes
MD5:	2162d29eb849e9c799f3a951e52c9d4d
SHA1:	386cb6a7cf616dbce0823f6ff23c1cbcb1d302e5
SHA256:	150046fc66a80e4668fc08417e422c5f97489831823c898b50ca4ed6bc5a6f12
SHA512:	64ce9074fe48c0a7bd640ff9f00f56da340f0cc2d13e34c3aa5bccf00f675287b02e7aaa73252669ff9591d646b9c400e0af11efe710ccceca4aeed59d7a323a
SSDEEP:	1536:oGlTr1IDavlZhbSc39YdjEwzGi1dDhDrgS:oGlSDavlZI8mqi1dtk
TLSH:	E393D74977E96524E0BF56F79471F2404E34B44B1602E3DE48E219AA1B33AC44F89FEB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?.dg.................p............... ........@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x418f2e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6764BD3F [Fri Dec 20 00:41:35 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x18ed8	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x16f34	0x17000	61956d34bc5d78a30332736e7e6adbc1	False	0.3681746773097826	data	5.597769782353942	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0x1a000	0xc	0x200	e48d2faea29e6ca7099ba682bb7e1db9	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-25T06:22:05.558040+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	49730	147.185.221.24	37290	TCP
2024-12-25T06:22:05.558040+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	49730	147.185.221.24	37290	TCP
2024-12-25T06:22:10.893760+0100	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.4	49730	147.185.221.24	37290	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 25, 2024 06:22:05.271116972 CET	49730	37290	192.168.2.4	147.185.221.24
Dec 25, 2024 06:22:05.390943050 CET	37290	49730	147.185.221.24	192.168.2.4
Dec 25, 2024 06:22:05.391037941 CET	49730	37290	192.168.2.4	147.185.221.24
Dec 25, 2024 06:22:05.558039904 CET	49730	37290	192.168.2.4	147.185.221.24
Dec 25, 2024 06:22:05.677766085 CET	37290	49730	147.185.221.24	192.168.2.4
Dec 25, 2024 06:22:05.677862883 CET	49730	37290	192.168.2.4	147.185.221.24
Dec 25, 2024 06:22:05.797574043 CET	37290	49730	147.185.221.24	192.168.2.4
Dec 25, 2024 06:22:10.893759966 CET	49730	37290	192.168.2.4	147.185.221.24
Dec 25, 2024 06:22:11.013561010 CET	37290	49730	147.185.221.24	192.168.2.4
Dec 25, 2024 06:22:12.741012096 CET	37290	49730	147.185.221.24	192.168.2.4
Dec 25, 2024 06:22:12.747204065 CET	49730	37290	192.168.2.4	147.185.221.24
Dec 25, 2024 06:22:12.866935015 CET	37290	49730	147.185.221.24	192.168.2.4
Dec 25, 2024 06:22:30.745570898 CET	37290	49730	147.185.221.24	192.168.2.4
Dec 25, 2024 06:22:30.748234987 CET	49730	37290	192.168.2.4	147.185.221.24
Dec 25, 2024 06:22:30.867980957 CET	37290	49730	147.185.221.24	192.168.2.4
Dec 25, 2024 06:22:48.765450954 CET	37290	49730	147.185.221.24	192.168.2.4
Dec 25, 2024 06:22:48.765724897 CET	49730	37290	192.168.2.4	147.185.221.24
Dec 25, 2024 06:22:48.885437012 CET	37290	49730	147.185.221.24	192.168.2.4
Dec 25, 2024 06:23:06.862919092 CET	37290	49730	147.185.221.24	192.168.2.4
Dec 25, 2024 06:23:06.863156080 CET	49730	37290	192.168.2.4	147.185.221.24
Dec 25, 2024 06:23:06.982745886 CET	37290	49730	147.185.221.24	192.168.2.4
Dec 25, 2024 06:23:24.845117092 CET	37290	49730	147.185.221.24	192.168.2.4
Dec 25, 2024 06:23:24.845402956 CET	49730	37290	192.168.2.4	147.185.221.24
Dec 25, 2024 06:23:24.965039015 CET	37290	49730	147.185.221.24	192.168.2.4
Dec 25, 2024 06:23:42.890005112 CET	37290	49730	147.185.221.24	192.168.2.4
Dec 25, 2024 06:23:42.890882969 CET	49730	37290	192.168.2.4	147.185.221.24
Dec 25, 2024 06:23:43.010442019 CET	37290	49730	147.185.221.24	192.168.2.4
Dec 25, 2024 06:24:00.929874897 CET	37290	49730	147.185.221.24	192.168.2.4
Dec 25, 2024 06:24:00.930094957 CET	49730	37290	192.168.2.4	147.185.221.24
Dec 25, 2024 06:24:01.049678087 CET	37290	49730	147.185.221.24	192.168.2.4
Dec 25, 2024 06:24:18.991259098 CET	37290	49730	147.185.221.24	192.168.2.4
Dec 25, 2024 06:24:18.993832111 CET	49730	37290	192.168.2.4	147.185.221.24
Dec 25, 2024 06:24:19.113857031 CET	37290	49730	147.185.221.24	192.168.2.4
Dec 25, 2024 06:24:37.009954929 CET	37290	49730	147.185.221.24	192.168.2.4
Dec 25, 2024 06:24:37.010262012 CET	49730	37290	192.168.2.4	147.185.221.24
Dec 25, 2024 06:24:37.129859924 CET	37290	49730	147.185.221.24	192.168.2.4
Dec 25, 2024 06:24:54.999661922 CET	37290	49730	147.185.221.24	192.168.2.4
Dec 25, 2024 06:24:54.999946117 CET	49730	37290	192.168.2.4	147.185.221.24
Dec 25, 2024 06:24:55.119740963 CET	37290	49730	147.185.221.24	192.168.2.4
Dec 25, 2024 06:25:13.064650059 CET	37290	49730	147.185.221.24	192.168.2.4
Dec 25, 2024 06:25:13.064943075 CET	49730	37290	192.168.2.4	147.185.221.24
Dec 25, 2024 06:25:13.184617996 CET	37290	49730	147.185.221.24	192.168.2.4
Dec 25, 2024 06:25:31.124758959 CET	37290	49730	147.185.221.24	192.168.2.4
Dec 25, 2024 06:25:31.125039101 CET	49730	37290	192.168.2.4	147.185.221.24
Dec 25, 2024 06:25:31.244745016 CET	37290	49730	147.185.221.24	192.168.2.4
Dec 25, 2024 06:25:49.159647942 CET	37290	49730	147.185.221.24	192.168.2.4
Dec 25, 2024 06:25:49.159897089 CET	49730	37290	192.168.2.4	147.185.221.24
Dec 25, 2024 06:25:49.279597998 CET	37290	49730	147.185.221.24	192.168.2.4

Target ID:	0
Start time:	00:21:55
Start date:	25/12/2024
Path:	C:\Users\user\Desktop\L363rVr7oL.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\L363rVr7oL.exe"
Imagebase:	0x80000
File size:	95'232 bytes
MD5 hash:	2162D29EB849E9C799F3A951E52C9D4D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.1704428155.00000000036C8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000002.1704428155.00000000036C8000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000002.1704428155.00000000036C8000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000000.1677861095.0000000000082000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000000.1677861095.0000000000082000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000000.1677861095.0000000000082000.00000002.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	00:21:57
Start date:	25/12/2024
Path:	C:\Users\user\AppData\Local\Temp\server.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\server.exe"
Imagebase:	0x30000
File size:	95'232 bytes
MD5 hash:	2162D29EB849E9C799F3A951E52C9D4D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Local\Temp\server.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\server.exe, Author: unknown Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\server.exe, Author: Florian Roth Rule: crimeware_njrat_strings, Description: Detects njRAT based on some strings, Source: C:\Users\user\AppData\Local\Temp\server.exe, Author: Sekoia.io Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Local\Temp\server.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Local\Temp\server.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 87%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	00:21:59
Start date:	25/12/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Imagebase:	0x1560000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	00:21:59
Start date:	25/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	00:22:01
Start date:	25/12/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh firewall delete allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe"
Imagebase:	0x1560000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	00:22:01
Start date:	25/12/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Imagebase:	0x1560000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	00:22:01
Start date:	25/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	00:22:01
Start date:	25/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	00:22:10
Start date:	25/12/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe"
Imagebase:	0x490000
File size:	95'232 bytes
MD5 hash:	2162D29EB849E9C799F3A951E52C9D4D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe, Author: unknown Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe, Author: Florian Roth Rule: crimeware_njrat_strings, Description: Detects njRAT based on some strings, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe, Author: Sekoia.io Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 87%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	00:22:10
Start date:	25/12/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe"
Imagebase:	0xd80000
File size:	95'232 bytes
MD5 hash:	2162D29EB849E9C799F3A951E52C9D4D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	00:22:18
Start date:	25/12/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe"
Imagebase:	0x6a0000
File size:	95'232 bytes
MD5 hash:	2162D29EB849E9C799F3A951E52C9D4D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 87%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	00:22:18
Start date:	25/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	00:22:26
Start date:	25/12/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe"
Imagebase:	0xe40000
File size:	95'232 bytes
MD5 hash:	2162D29EB849E9C799F3A951E52C9D4D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: unknown Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: Florian Roth Rule: crimeware_njrat_strings, Description: Detects njRAT based on some strings, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: Sekoia.io Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 87%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	58
Total number of Limit Nodes:	4

Executed Functions

Function 04864298 Relevance: 7.0, Strings: 4, Instructions: 1950
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Ok, xrefs: 04866AF9
|ti, xrefs: 048653CE
@, xrefs: 04864C24
2k, xrefs: 0486541D

Memory Dump Source

Source File: 00000000.00000002.1704558204.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4860000_L363rVr7oL.jbxd

Similarity

API ID:
String ID: @$\Ok$|ti$2k
API String ID: 0-1448379396
Opcode ID: a3e6f8026688b973000b8e91edb0ed4b29c6d4540b665401ff93fdc3b2279f15
Instruction ID: 75cf77f2a7b1067652612823fe7242f38fe04848f9ea8290a187874061919056
Opcode Fuzzy Hash: a3e6f8026688b973000b8e91edb0ed4b29c6d4540b665401ff93fdc3b2279f15
Instruction Fuzzy Hash: 89235D74A11128CFDB25EF34D964BADB7B2BB49304F1041EAD909A7399DB399E81CF40

Function 04860879 Relevance: 3.8, Strings: 3, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XRi, xrefs: 048608F8
HQi, xrefs: 048608D3
Pi, xrefs: 048608AE

Memory Dump Source

Source File: 00000000.00000002.1704558204.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4860000_L363rVr7oL.jbxd

Similarity

API ID:
String ID: HQi$XRi$Pi
API String ID: 0-3528959962
Opcode ID: 577c861c0384496d98f4c2dd0ec4e05955cb1f7df9ee59504e33e90c637e869b
Instruction ID: c03b290c762ed677d98e7b0798e4a16e821f4be44552918c4022900c78108630
Opcode Fuzzy Hash: 577c861c0384496d98f4c2dd0ec4e05955cb1f7df9ee59504e33e90c637e869b
Instruction Fuzzy Hash: 910184301153428FCB11FF38D65895D7BE6AFC5348B00592DE485CBB6AEB389945CB43

Function 04863802 Relevance: 3.0, Strings: 2, Instructions: 496
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2k, xrefs: 04863C2E
\Ok, xrefs: 04863885

Memory Dump Source

Source File: 00000000.00000002.1704558204.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4860000_L363rVr7oL.jbxd

Similarity

API ID:
String ID: \Ok$2k
API String ID: 0-3697909212
Opcode ID: ee603bdd82aabad3f49a81a40fe68b269552666193bbf2070086723463d276f4
Instruction ID: 562930ae27224849332daeb9be1d3f669ea6dd7c861ccd549c920baee38c8cd7
Opcode Fuzzy Hash: ee603bdd82aabad3f49a81a40fe68b269552666193bbf2070086723463d276f4
Instruction Fuzzy Hash: DF324D30A00218CFCB25EF74D855BEDB7B2AF49308F1045AAD40AAB399DB399D81CF40

Function 048600B8 Relevance: 2.6, Strings: 2, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2k, xrefs: 048601A8
2k, xrefs: 04860154

Memory Dump Source

Source File: 00000000.00000002.1704558204.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4860000_L363rVr7oL.jbxd

Similarity

API ID:
String ID: 2k$2k
API String ID: 0-107389494
Opcode ID: 8017d81950d489db44bf7b24148b383a1fa4d6444fcd9563a95ad122595fabe5
Instruction ID: ff4973313bb90baa0fc8ed131d78e8c93c10cad6ace2fe34e06c51fd78db432a
Opcode Fuzzy Hash: 8017d81950d489db44bf7b24148b383a1fa4d6444fcd9563a95ad122595fabe5
Instruction Fuzzy Hash: B031F7317043405FDB15EB74982276D3BAB9B82258F2449BED041DF3D6CF7A5C4587A2

Function 04860118 Relevance: 2.6, Strings: 2, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2k, xrefs: 048601A8
2k, xrefs: 04860154

Memory Dump Source

Source File: 00000000.00000002.1704558204.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4860000_L363rVr7oL.jbxd

Similarity

API ID:
String ID: 2k$2k
API String ID: 0-107389494
Opcode ID: 550fec86e903d61be2667205dbeefe5c02cfe1408a1ed198e305ddec91293732
Instruction ID: f1ec83f849b6405f530384af6499fb29bf7e4f5661c2a0bef85baeda6a68479b
Opcode Fuzzy Hash: 550fec86e903d61be2667205dbeefe5c02cfe1408a1ed198e305ddec91293732
Instruction Fuzzy Hash: E911E5347042504FC715BB78A4226B9279B5BC228872458BEC002DF35BCF7D8C4A87A2

Function 0068AA75 Relevance: 1.6, APIs: 1, Instructions: 92
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0068AB25

Memory Dump Source

Source File: 00000000.00000002.1703812694.000000000068A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0068A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_68a000_L363rVr7oL.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a2709a79813805c4f2c2ebc1ef7189e861ef0cba578280d61c215ee245a5014d
Instruction ID: 0528c558fcd5eca6a64c48d1151a539a50c840d15515f3b173e53835c5517173
Opcode Fuzzy Hash: a2709a79813805c4f2c2ebc1ef7189e861ef0cba578280d61c215ee245a5014d
Instruction Fuzzy Hash: 2731A071504380AFE721CF65DD84F96BBF8EF05320F0889AAE9858B652D375E808CB61

Function 0068B036 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0068B0DD

Memory Dump Source

Source File: 00000000.00000002.1703812694.000000000068A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0068A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_68a000_L363rVr7oL.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 7f4cb2210f4fe7e4d21dcc8cfa4fb6255b54ed1e08f30b707b533bf959ec9b07
Instruction ID: ab67e82e09b03fe109628f5f0d54ffe17e453ee1cef27c2a701c45f7306df66a
Opcode Fuzzy Hash: 7f4cb2210f4fe7e4d21dcc8cfa4fb6255b54ed1e08f30b707b533bf959ec9b07
Instruction Fuzzy Hash: B031AFB15093806FE721DB25DD95B96BFF8EF06310F08849AE984CF293D374A908C762

Function 0068A6CE Relevance: 1.6, APIs: 1, Instructions: 85
comclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleGetClipboard.OLE32(?,00000E24,?,?), ref: 0068A77E

Memory Dump Source

Source File: 00000000.00000002.1703812694.000000000068A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0068A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_68a000_L363rVr7oL.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: d00899ec4ac458dac8f247e77328f36bddd5f475f5fcaca90cc9e8a7796ba92f
Instruction ID: d4e494b73444b83e801645731df14eb7e7f579c537c9f4e0a8f82d1113beec6e
Opcode Fuzzy Hash: d00899ec4ac458dac8f247e77328f36bddd5f475f5fcaca90cc9e8a7796ba92f
Instruction Fuzzy Hash: 9931807504D3C06FD3138B259C61B61BFB4EF47610F0A40DBE884CB6A3D2296919D7B2

Function 0068AE77 Relevance: 1.6, APIs: 1, Instructions: 78
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000E24,E0613B62,00000000,00000000,00000000,00000000), ref: 0068AF0D

Memory Dump Source

Source File: 00000000.00000002.1703812694.000000000068A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0068A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_68a000_L363rVr7oL.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 60cbc0333467f2a0a44c73f93f95c30850a11d2233f498a258d064e237f292f3
Instruction ID: af9a59d56b751d21741272569059b6970344c938d8d2c25be193a67f63fd3e44
Opcode Fuzzy Hash: 60cbc0333467f2a0a44c73f93f95c30850a11d2233f498a258d064e237f292f3
Instruction Fuzzy Hash: C921B1B2409380AFE722CF55DD44F96BFB8EF06314F08859AE9849F162D234A908CB61

Function 0068AAA6 Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0068AB25

Memory Dump Source

Source File: 00000000.00000002.1703812694.000000000068A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0068A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_68a000_L363rVr7oL.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: bf30f45d9196b2adcef39b46239c0bc811ce4d002cf04c7868fdda2b8f9fc813
Instruction ID: 6101645a3b32c3c5c936d7e681966130fef0abc58d4161c3ddf67f6fb39736a7
Opcode Fuzzy Hash: bf30f45d9196b2adcef39b46239c0bc811ce4d002cf04c7868fdda2b8f9fc813
Instruction Fuzzy Hash: 9F219F71500200AFEB20DF69DD45BA6FBE9EF08320F04896AED458B751D375E808CB72

Function 0068A9BF Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(?), ref: 0068AA44

Memory Dump Source

Source File: 00000000.00000002.1703812694.000000000068A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0068A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_68a000_L363rVr7oL.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: ee7c8775259dedf724b777374653cf2f1ec0421015c3111745805fc14a67efcb
Instruction ID: 5925b14c61763c1acc107d39109dc8679cfc475c7b9bfbecccfddc6a5943ed14
Opcode Fuzzy Hash: ee7c8775259dedf724b777374653cf2f1ec0421015c3111745805fc14a67efcb
Instruction Fuzzy Hash: 8B217A7540E7C09FDB138B258C64A51BFB4AF17620F0E81DBD9848F6A3D1689C08C772

Function 0068AC37 Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(?,00000E24,E0613B62,00000000,00000000,00000000,00000000), ref: 0068ACBD

Memory Dump Source

Source File: 00000000.00000002.1703812694.000000000068A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0068A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_68a000_L363rVr7oL.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: efcc29a56038d61f18001f6fc419d388ddb3379e366656911963f39fe104cdc9
Instruction ID: 5efaca705a710d85ed3654bf7100d1b4ebcb3007c8aee84385a236b8d010ac10
Opcode Fuzzy Hash: efcc29a56038d61f18001f6fc419d388ddb3379e366656911963f39fe104cdc9
Instruction Fuzzy Hash: 8121D5B54087806FE7228B55DC45BA2BFBCDF46314F0885DBE9848F293D264AD09D772

Function 0068B06A Relevance: 1.6, APIs: 1, Instructions: 72
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0068B0DD

Memory Dump Source

Source File: 00000000.00000002.1703812694.000000000068A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0068A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_68a000_L363rVr7oL.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: a2a034682974e4f7d11208cc2ad18af32192030611a5fe6ea2b29e6157fbe04c
Instruction ID: 93a4e29a9b445e07e8bcada9c4019b39d4a6dd533b59db3d299850f169b12395
Opcode Fuzzy Hash: a2a034682974e4f7d11208cc2ad18af32192030611a5fe6ea2b29e6157fbe04c
Instruction Fuzzy Hash: E22192716002449FE720DF29DD45BA6FBE8EF08324F148969E9458B782D775E908CB72

Function 0068A61E Relevance: 1.6, APIs: 1, Instructions: 65
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(?), ref: 0068A690

Memory Dump Source

Source File: 00000000.00000002.1703812694.000000000068A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0068A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_68a000_L363rVr7oL.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 44312dc0971d4dca933e1a5054eb22894b5555cd19e5dd6174da03ecf1c64545
Instruction ID: b02fdb5805ce8339a1d98a498dec47aace88eca22ea31b2de97db1aa159f3092
Opcode Fuzzy Hash: 44312dc0971d4dca933e1a5054eb22894b5555cd19e5dd6174da03ecf1c64545
Instruction Fuzzy Hash: FE21497140D3C05FDB128B259C94692BFB49F07220F0984DBD9848F2A7D2695948C7B2

Function 0068A573 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0068A5DE

Memory Dump Source

Source File: 00000000.00000002.1703812694.000000000068A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0068A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_68a000_L363rVr7oL.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ccf6a9b243b145082388c1ba2d54e16fc3e759e1207d0d9795821049d59391eb
Instruction ID: 1920fdaa276604123e86da717ffbc19dabe67c0a46d002647a3fbf205e893360
Opcode Fuzzy Hash: ccf6a9b243b145082388c1ba2d54e16fc3e759e1207d0d9795821049d59391eb
Instruction Fuzzy Hash: 7A11B771408780AFDB228F50DC44B62FFF4EF4A310F0888DAED858B562D235A818DB61

Function 0068AEAE Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E24,E0613B62,00000000,00000000,00000000,00000000), ref: 0068AF0D

Memory Dump Source

Source File: 00000000.00000002.1703812694.000000000068A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0068A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_68a000_L363rVr7oL.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 19eacbddb9a7ab546b82e5928d61404fc128ad5516d00a69b3ad255bfb1db3d3
Instruction ID: ed28677b28af17fd43e9b21c633712a146fee90c8840908f7f97ccb05747b151
Opcode Fuzzy Hash: 19eacbddb9a7ab546b82e5928d61404fc128ad5516d00a69b3ad255bfb1db3d3
Instruction Fuzzy Hash: 37110871500700AFE731DF55DD44FA6FBE8EF04310F14896AEE459B651D335A9088BB2

Function 0068B424 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 0068B480

Memory Dump Source

Source File: 00000000.00000002.1703812694.000000000068A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0068A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_68a000_L363rVr7oL.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: 1ae46505a64c4ae1a59f10009fbbf409d09bfeddd932939e85ce43313ad5e5a8
Instruction ID: 7376d46dc286dd819f26d7be5a3effacd048213c129572054c9dc8728a18ebb2
Opcode Fuzzy Hash: 1ae46505a64c4ae1a59f10009fbbf409d09bfeddd932939e85ce43313ad5e5a8
Instruction Fuzzy Hash: 1D1160755093809FD712CF25DC95B52BFE8DF46220F0884EAED89CF257D274A948CB61

Function 0068AC6A Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,E0613B62,00000000,00000000,00000000,00000000), ref: 0068ACBD

Memory Dump Source

Source File: 00000000.00000002.1703812694.000000000068A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0068A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_68a000_L363rVr7oL.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 46febf6e6acf9492587ab0b55560b2b36bdb8dc027b08f4a3847272e0aec8b7f
Instruction ID: 0f8d13f95935e79f236ecc6d7e057764c387171cb53c1e8eb32c128a81ed8707
Opcode Fuzzy Hash: 46febf6e6acf9492587ab0b55560b2b36bdb8dc027b08f4a3847272e0aec8b7f
Instruction Fuzzy Hash: A1010071500200AFE7209B49DD85BA6BBA8DF04324F14C5AAEE058B741D278A8488AA2

Function 0068B446 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 0068B480

Memory Dump Source

Source File: 00000000.00000002.1703812694.000000000068A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0068A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_68a000_L363rVr7oL.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: 3781decb301b9e8afdf879de3a8bd801583f2070c0ee0edd188e730b017755c9
Instruction ID: 03186fe032f3d76b4f6b4fb501ae2a537f7dbeb84f03c5770c313b1c2a33009d
Opcode Fuzzy Hash: 3781decb301b9e8afdf879de3a8bd801583f2070c0ee0edd188e730b017755c9
Instruction Fuzzy Hash: 690180716042448FEB10DF19D9857A6BBE8EF04720F08C4AADD49CB756D379E848CBA1

Function 0068A59A Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0068A5DE

Memory Dump Source

Source File: 00000000.00000002.1703812694.000000000068A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0068A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_68a000_L363rVr7oL.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7087df1753753cc173cbb26676bec63e9b2d8c3335bf62b41511e273a211ba44
Instruction ID: 13a06c15840d3cd350207d1d8277159b159a6c5bec5494c51ec0f016cd770539
Opcode Fuzzy Hash: 7087df1753753cc173cbb26676bec63e9b2d8c3335bf62b41511e273a211ba44
Instruction Fuzzy Hash: F801C4724007009FEB209F95D944B62FFE1EF08320F08C9AADE4A4B615D376E454DF62

Function 0068A72E Relevance: 1.5, APIs: 1, Instructions: 43comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?,00000E24,?,?), ref: 0068A77E

Memory Dump Source

Source File: 00000000.00000002.1703812694.000000000068A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0068A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_68a000_L363rVr7oL.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 057d7df2e266ef2db735901c92790fa1d6e30ae8a5acc89ead4ccc6ae5348a4b
Instruction ID: 5c9d4f08af770a9d8e4017b3a793d2a2a0b443cc7483d57baa07dc52dd5636cf
Opcode Fuzzy Hash: 057d7df2e266ef2db735901c92790fa1d6e30ae8a5acc89ead4ccc6ae5348a4b
Instruction Fuzzy Hash: CD01A271500200ABD250DF1ACD46B66FBE8FB88A20F148159EC089BB41E771F915CBE6

Function 0068A65E Relevance: 1.5, APIs: 1, Instructions: 39comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 0068A690

Memory Dump Source

Source File: 00000000.00000002.1703812694.000000000068A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0068A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_68a000_L363rVr7oL.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: c27cce58ccfa241e2c05240093402727efbb64a91cb839f238348930efb07b1a
Instruction ID: d3e3950b4f80cfc5a81f8650f471a7b0bbf460c4c59eb58968521ea09ecd34ae
Opcode Fuzzy Hash: c27cce58ccfa241e2c05240093402727efbb64a91cb839f238348930efb07b1a
Instruction Fuzzy Hash: 3C01A2719042408FEB10DF55D984765FBE4DF04320F18C4ABDD498F756E279A884CFA2

Function 0068AA12 Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0068AA44

Memory Dump Source

Source File: 00000000.00000002.1703812694.000000000068A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0068A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_68a000_L363rVr7oL.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 8553350ac981313827dc621ea9770e80bc56b871c50b2a5ebaa289fe69ba8371
Instruction ID: 6c800b1cb99b402290ba868368f4292ce82cef24ea36addddc0724b3c0c8e774
Opcode Fuzzy Hash: 8553350ac981313827dc621ea9770e80bc56b871c50b2a5ebaa289fe69ba8371
Instruction Fuzzy Hash: 46F0F4754002408FEB209F49D984761FBE0DF04320F08C0AADD490BB52D279E848CFA2

Function 048639BF Relevance: 1.4, Strings: 1, Instructions: 182COMMON

Download Yara Rule

Strings

2k, xrefs: 04863C2E

Memory Dump Source

Source File: 00000000.00000002.1704558204.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4860000_L363rVr7oL.jbxd

Similarity

API ID:
String ID: 2k
API String ID: 0-1599061190
Opcode ID: 6ec37da762dd99bb5fadca632fdd2109c7daaf3c8647418ab1d7d3c16906c20c
Instruction ID: 93eebd058c4d6dccf986d67dedb0a0a0854e41b5cb13f399548dfee308eca675
Opcode Fuzzy Hash: 6ec37da762dd99bb5fadca632fdd2109c7daaf3c8647418ab1d7d3c16906c20c
Instruction Fuzzy Hash: 92817A30A00218CFDB24EFB4C855BECB7B2AF45308F1045AAD40AAB398DB799D85CF51

Function 04863B18 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

2k, xrefs: 04863C2E

Memory Dump Source

Source File: 00000000.00000002.1704558204.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4860000_L363rVr7oL.jbxd

Similarity

API ID:
String ID: 2k
API String ID: 0-1599061190
Opcode ID: 109347aaf1eb914e8be0c3f28f470eef4f44e250277d679059eb864cd65480d5
Instruction ID: fe3d0c68970138e95223166d5f0b43b551a8c0bef0c04c9a2041b7ce97b37959
Opcode Fuzzy Hash: 109347aaf1eb914e8be0c3f28f470eef4f44e250277d679059eb864cd65480d5
Instruction Fuzzy Hash: 35417A30A002188FDB24EFB4C955BECB7F2AF45308F1045AAD40AAB695DB795E85CF51

Function 0068AB7C Relevance: 1.3, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0068ABF0

Memory Dump Source

Source File: 00000000.00000002.1703812694.000000000068A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0068A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_68a000_L363rVr7oL.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: d3771cc569695555b04b6bad9648f41b1ad6b0044847a599002fc54219de4c28
Instruction ID: aaae23306e8e0aeb61295622685e245633fde60112adde07ab3a24444f5cfc9a
Opcode Fuzzy Hash: d3771cc569695555b04b6bad9648f41b1ad6b0044847a599002fc54219de4c28
Instruction Fuzzy Hash: 7A21C2B55097C09FD7128F25DC95692BFB8EF07320F0985DBDD858F2A3D2645908CB62

Function 0068ABBE Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0068ABF0

Memory Dump Source

Source File: 00000000.00000002.1703812694.000000000068A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0068A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_68a000_L363rVr7oL.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 0248c16626d39dd19b33f24b098dc61ab16ffeb6205058fc6a462eabdc168251
Instruction ID: 04bd6973d58be66832ee401e0472ff9081f015808a2bb4bb0d98d11e501f248f
Opcode Fuzzy Hash: 0248c16626d39dd19b33f24b098dc61ab16ffeb6205058fc6a462eabdc168251
Instruction Fuzzy Hash: 6C01D4715042408FEB109F59D9847A5FBE4DF04320F08C4ABDD498F752D279E844CBA2

Function 04860958 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704558204.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4860000_L363rVr7oL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7cb9454d3bbf8dd304e7fb1eeb023ab6c7cebc4e0736415a3abbab4c507ffdf
Instruction ID: 9a0935c108bd19c0b3d8c1c97a4206c85500ba6dc4e6815799dea47605513dc8
Opcode Fuzzy Hash: c7cb9454d3bbf8dd304e7fb1eeb023ab6c7cebc4e0736415a3abbab4c507ffdf
Instruction Fuzzy Hash: C5312330B102114FCB11FB78D8127BE33A79B89208F10483A9406D77A9EF3DAC1687D2

Function 00C605DF Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704250084.0000000000C60000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_L363rVr7oL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0394b69c8648c36022c934e1af521c75a4d8c57c9ec9a2c89454f84a04086784
Instruction ID: 5e2c270b454bc994f74320d970cb0e530b0fab794f8bd7e92b38ab5d12de36ae
Opcode Fuzzy Hash: 0394b69c8648c36022c934e1af521c75a4d8c57c9ec9a2c89454f84a04086784
Instruction Fuzzy Hash: 3901DBB540D3905FD7118F059C50862FFF8DF46230709C4AFEC498B712D229A809CBB2

Function 00C60606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704250084.0000000000C60000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_L363rVr7oL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1328ee52c5b8469b93f687e9ee13f59e7c24594cc643e08404d56ea985cf41ae
Instruction ID: fb5165ee3251105b79946469e5adf45bd74eca9ac76a80a67d018436e3df8fb1
Opcode Fuzzy Hash: 1328ee52c5b8469b93f687e9ee13f59e7c24594cc643e08404d56ea985cf41ae
Instruction Fuzzy Hash: FDE092B6A046404B9650CF0AFC41452F7D8EB88630708C47FDC0D8BB11E235B908CAA5

Function 048636A8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704558204.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4860000_L363rVr7oL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b32e1cd9913cd3fd7515604c780e8e68b5a9e079969f01600c7b795c604016d
Instruction ID: 12fe27f68caf674ed110a22fc1272722347aec96700ac043f01684115e73d55d
Opcode Fuzzy Hash: 9b32e1cd9913cd3fd7515604c780e8e68b5a9e079969f01600c7b795c604016d
Instruction Fuzzy Hash: 29E017752663518FCB1A1B38A2666583B35EF4734D35108EFC8858B2A7DB3A9543C711

Function 006823F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1703798143.0000000000682000.00000040.00000800.00020000.00000000.sdmp, Offset: 00682000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_682000_L363rVr7oL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f32430a343d6694f8315c6cdc552bb29fc9420dd6cbaeebeb4118150702235d7
Instruction ID: ff24bcd7f67d9c612140de8a36632094a6a8778ce4994c88950a1e02e6365a51
Opcode Fuzzy Hash: f32430a343d6694f8315c6cdc552bb29fc9420dd6cbaeebeb4118150702235d7
Instruction Fuzzy Hash: 1ED02E392006C24FD322AA0CC2A4FC537D4AB40708F4A04FAA800CB763C7A8D8D0C210

Function 006823BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1703798143.0000000000682000.00000040.00000800.00020000.00000000.sdmp, Offset: 00682000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_682000_L363rVr7oL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93c03fda84d262e496480ff131b068c35d8503e374f8271c66acec0143e26634
Instruction ID: 0e5b353075b29eed52ce40461d9ba359ab81deab155b1a89124b1a85617ece64
Opcode Fuzzy Hash: 93c03fda84d262e496480ff131b068c35d8503e374f8271c66acec0143e26634
Instruction Fuzzy Hash: A4D05E342002824FC726EA0CC2F4F9937D5AF40714F0645E8BC108B762C7A8DDC0DA00

Non-executed Functions

Function 048644F1 Relevance: 6.6, Strings: 4, Instructions: 1624COMMON

Download Yara Rule

Strings

\Ok, xrefs: 04866AF9
|ti, xrefs: 048653CE
2k, xrefs: 0486541D
, xrefs: 04864BC4

Memory Dump Source

Source File: 00000000.00000002.1704558204.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4860000_L363rVr7oL.jbxd

Similarity

API ID:
String ID: $\Ok$|ti$2k
API String ID: 0-897444909
Opcode ID: 4efd153f6933678f6e5f75861521f0e3a770b6f89d27f74635e78b9c1f5ec92b
Instruction ID: e6103bd724d8c2db7422369db53c4490e93689f301e452ea0e0a092b57131b7b
Opcode Fuzzy Hash: 4efd153f6933678f6e5f75861521f0e3a770b6f89d27f74635e78b9c1f5ec92b
Instruction Fuzzy Hash: 32036E74A11228CFDB25EF34D964BA9B7B2FB49304F1051EAD909A7399DB395E80CF40

Function 04864544 Relevance: 6.6, Strings: 4, Instructions: 1618COMMON

Download Yara Rule

Strings

\Ok, xrefs: 04866AF9
|ti, xrefs: 048653CE
2k, xrefs: 0486541D
, xrefs: 04864BC4

Memory Dump Source

Source File: 00000000.00000002.1704558204.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4860000_L363rVr7oL.jbxd

Similarity

API ID:
String ID: $\Ok$|ti$2k
API String ID: 0-897444909
Opcode ID: b759a13056fa4c714f5c847c2b9a7bd0f429754508013acc02de3b85027c439f
Instruction ID: e1b2bd9798c4f1d7abb3a7532ca14f2654bccb11d656013aee429d63f1633715
Opcode Fuzzy Hash: b759a13056fa4c714f5c847c2b9a7bd0f429754508013acc02de3b85027c439f
Instruction Fuzzy Hash: CC036D74A11228CFDB25EF34D964BA9B7B2FB49304F1051EAD909A7399DB395E80CF40

Function 04864630 Relevance: 6.6, Strings: 4, Instructions: 1579COMMON

Download Yara Rule

Strings

\Ok, xrefs: 04866AF9
|ti, xrefs: 048653CE
2k, xrefs: 0486541D
, xrefs: 04864BC4

Memory Dump Source

Source File: 00000000.00000002.1704558204.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4860000_L363rVr7oL.jbxd

Similarity

API ID:
String ID: $\Ok$|ti$2k
API String ID: 0-897444909
Opcode ID: 98f85f3d9ad6f809fecd418d4728a9ac252f2e202497d1b46f16ae17c11e094a
Instruction ID: f07f42ff81890414abb12222a41c24ea0ea171b0ef3ac1065984e07065e26d73
Opcode Fuzzy Hash: 98f85f3d9ad6f809fecd418d4728a9ac252f2e202497d1b46f16ae17c11e094a
Instruction Fuzzy Hash: 8C036E74A11228CFDB25EF34D964BA9B7B2FB49304F1051EAD909A7399DB395E80CF40

Function 0486470F Relevance: 6.5, Strings: 4, Instructions: 1544COMMON

Download Yara Rule

Strings

\Ok, xrefs: 04866AF9
|ti, xrefs: 048653CE
2k, xrefs: 0486541D
, xrefs: 04864BC4

Memory Dump Source

Source File: 00000000.00000002.1704558204.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4860000_L363rVr7oL.jbxd

Similarity

API ID:
String ID: $\Ok$|ti$2k
API String ID: 0-897444909
Opcode ID: b6601cbf44ce793c405a846388ce0033f29965c94cfd3ed8dc05892d6467b42c
Instruction ID: 8dd063dc111a2b101fd5600454b3a760fca3225164241062d21d20d876c2904c
Opcode Fuzzy Hash: b6601cbf44ce793c405a846388ce0033f29965c94cfd3ed8dc05892d6467b42c
Instruction Fuzzy Hash: B1F26E74A11228CFDB25EF34D964BA9B7B2FB49304F1051EAD909A7399DB395E80CF40

Function 048647D4 Relevance: 6.5, Strings: 4, Instructions: 1513COMMON

Download Yara Rule

Strings

\Ok, xrefs: 04866AF9
|ti, xrefs: 048653CE
2k, xrefs: 0486541D
, xrefs: 04864BC4

Memory Dump Source

Source File: 00000000.00000002.1704558204.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4860000_L363rVr7oL.jbxd

Similarity

API ID:
String ID: $\Ok$|ti$2k
API String ID: 0-897444909
Opcode ID: b5b737ebe864d508514b850d9b39e64fd7abd5d978b7f7afc019f995e2a8c0f0
Instruction ID: d621739b66454efa9c6685510c29f7a0024c938df2662a306684660fd380cfe1
Opcode Fuzzy Hash: b5b737ebe864d508514b850d9b39e64fd7abd5d978b7f7afc019f995e2a8c0f0
Instruction Fuzzy Hash: A0F26E74A11128CFDB25EF34D964BA9B7B2FB49304F1051EAD909A73A9DB395E80CF40

Function 04864936 Relevance: 6.5, Strings: 4, Instructions: 1456COMMON

Download Yara Rule

Strings

\Ok, xrefs: 04866AF9
|ti, xrefs: 048653CE
2k, xrefs: 0486541D
, xrefs: 04864BC4

Memory Dump Source

Source File: 00000000.00000002.1704558204.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4860000_L363rVr7oL.jbxd

Similarity

API ID:
String ID: $\Ok$|ti$2k
API String ID: 0-897444909
Opcode ID: 0837d4bfd0e70cdd3f63bbb5efd51aaddcc061e8483c415961c76b729fa0c478
Instruction ID: 3756746b5d21bc731efab92b1885bdde6a9814e6e5872e5ebc26af8d27f024cb
Opcode Fuzzy Hash: 0837d4bfd0e70cdd3f63bbb5efd51aaddcc061e8483c415961c76b729fa0c478
Instruction Fuzzy Hash: 49F27E74A11228CFDB25EF34D864BA9B7B2FB49304F1051EAD949A7399DB395E80CF40

Function 0486499D Relevance: 6.4, Strings: 4, Instructions: 1447COMMON

Download Yara Rule

Strings

\Ok, xrefs: 04866AF9
|ti, xrefs: 048653CE
2k, xrefs: 0486541D
, xrefs: 04864BC4

Memory Dump Source

Source File: 00000000.00000002.1704558204.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4860000_L363rVr7oL.jbxd

Similarity

API ID:
String ID: $\Ok$|ti$2k
API String ID: 0-897444909
Opcode ID: 5439633310c2e2640328fa9da45c7bdbcd19e7b4197a93bcb49c9c932cc66b1e
Instruction ID: 5ba50517adfe020eeb060f5f6a19f9af549f226481f882b963c061adef847fb8
Opcode Fuzzy Hash: 5439633310c2e2640328fa9da45c7bdbcd19e7b4197a93bcb49c9c932cc66b1e
Instruction Fuzzy Hash: 4EF27E74A11228CFDB25EF34D864BA9B7B2FB49304F1051EAD949A7399DB395E80CF40

Function 048649F9 Relevance: 6.4, Strings: 4, Instructions: 1440COMMON

Download Yara Rule

Strings

\Ok, xrefs: 04866AF9
|ti, xrefs: 048653CE
2k, xrefs: 0486541D
, xrefs: 04864BC4

Memory Dump Source

Source File: 00000000.00000002.1704558204.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4860000_L363rVr7oL.jbxd

Similarity

API ID:
String ID: $\Ok$|ti$2k
API String ID: 0-897444909
Opcode ID: 28b0b01948d4cc9bb23cd76bbfaa318c09dc75a4e5e875fbc0abacc589d86682
Instruction ID: a18705740bf2ac342a5baacd0f3b649d95f4f85a1505199479743eb07ce38895
Opcode Fuzzy Hash: 28b0b01948d4cc9bb23cd76bbfaa318c09dc75a4e5e875fbc0abacc589d86682
Instruction Fuzzy Hash: 3FF26E74A11228CFDB25EF34D864BA9B7B2FB49304F1051EAD949A7399DB395E80CF40

Function 04864B5B Relevance: 6.4, Strings: 4, Instructions: 1383COMMON

Download Yara Rule

Strings

\Ok, xrefs: 04866AF9
|ti, xrefs: 048653CE
2k, xrefs: 0486541D
, xrefs: 04864BC4

Memory Dump Source

Source File: 00000000.00000002.1704558204.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4860000_L363rVr7oL.jbxd

Similarity

API ID:
String ID: $\Ok$|ti$2k
API String ID: 0-897444909
Opcode ID: 237a15c6e1d3fa6678daed72f4662f24cd6e8907c9d14d032a8ff58fab397267
Instruction ID: 48370f26185193075e8a1dfa0a8fe854015c38687f46b1ba983ae012fa22098a
Opcode Fuzzy Hash: 237a15c6e1d3fa6678daed72f4662f24cd6e8907c9d14d032a8ff58fab397267
Instruction Fuzzy Hash: 1FE27E74A11228CFDB25EF34D964BA9B7B2FB49304F1041EAD949A7399DB395E80CF40

Function 04864C8F Relevance: 5.1, Strings: 3, Instructions: 1362COMMON

Download Yara Rule

Strings

\Ok, xrefs: 04866AF9
|ti, xrefs: 048653CE
2k, xrefs: 0486541D

Memory Dump Source

Source File: 00000000.00000002.1704558204.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4860000_L363rVr7oL.jbxd

Similarity

API ID:
String ID: \Ok$|ti$2k
API String ID: 0-1839758915
Opcode ID: a3c75a377edef1dd8005ab77b6792f0f798a6a58491dffe45c3c5ac07e3920cf
Instruction ID: 3c695c748c6e957a9a4a1ab9c01fe39b2a546dd3c08fa72a66477c23f9a85c7b
Opcode Fuzzy Hash: a3c75a377edef1dd8005ab77b6792f0f798a6a58491dffe45c3c5ac07e3920cf
Instruction Fuzzy Hash: ADE27E74A11228CFDB25EF34D864BA9B7B2FB49304F1051EAD949A7399DB395E80CF40

Function 04864F2F Relevance: 5.0, Strings: 3, Instructions: 1245COMMON

Download Yara Rule

Strings

\Ok, xrefs: 04866AF9
|ti, xrefs: 048653CE
2k, xrefs: 0486541D

Memory Dump Source

Source File: 00000000.00000002.1704558204.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4860000_L363rVr7oL.jbxd

Similarity

API ID:
String ID: \Ok$|ti$2k
API String ID: 0-1839758915
Opcode ID: a03b18db635c69651f431ce0a6f0187cb34b1054bcd789fe3011c6f887df4756
Instruction ID: d970448d36d97aa0bff7afcb73afc1f8dd36f104e030c75ced6b30d0a657abc8
Opcode Fuzzy Hash: a03b18db635c69651f431ce0a6f0187cb34b1054bcd789fe3011c6f887df4756
Instruction Fuzzy Hash: 5BD25074A11228CFDB25EF34D964BA9B7B2FB49304F1051EAD849A7399DB355E80CF40

Function 04864F9D Relevance: 5.0, Strings: 3, Instructions: 1236COMMON

Download Yara Rule

Strings

\Ok, xrefs: 04866AF9
|ti, xrefs: 048653CE
2k, xrefs: 0486541D

Memory Dump Source

Source File: 00000000.00000002.1704558204.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4860000_L363rVr7oL.jbxd

Similarity

API ID:
String ID: \Ok$|ti$2k
API String ID: 0-1839758915
Opcode ID: affa1ad3478671d814d094976ad21ee2628678c92a0415896c6e86d7ae892e16
Instruction ID: 3f6b825640ff5c5c643f07b1f9433fdaefd6c6452c90dcd502ad85b73429b59b
Opcode Fuzzy Hash: affa1ad3478671d814d094976ad21ee2628678c92a0415896c6e86d7ae892e16
Instruction Fuzzy Hash: D0D25074A11228CFDB25EF34D964BA9B7B2FB49304F1051EAD849A73A9DB355E80CF40

Function 04865000 Relevance: 5.0, Strings: 3, Instructions: 1230COMMON

Download Yara Rule

Strings

\Ok, xrefs: 04866AF9
|ti, xrefs: 048653CE
2k, xrefs: 0486541D

Memory Dump Source

Source File: 00000000.00000002.1704558204.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4860000_L363rVr7oL.jbxd

Similarity

API ID:
String ID: \Ok$|ti$2k
API String ID: 0-1839758915
Opcode ID: de765056d052f9803039ee45534361bb55dac0c0a6ad614b687ee8424cc03186
Instruction ID: 961bac83234effbfdb572b41fbfc9bdce149893112592c1fe99c35483f814a4d
Opcode Fuzzy Hash: de765056d052f9803039ee45534361bb55dac0c0a6ad614b687ee8424cc03186
Instruction Fuzzy Hash: 69D25F74A11228CFDB25EF34D964BA9B7B2FB49304F1051EAD849A73A9DB355E80CF40

Function 0486505D Relevance: 5.0, Strings: 3, Instructions: 1225COMMON

Download Yara Rule

Strings

\Ok, xrefs: 04866AF9
|ti, xrefs: 048653CE
2k, xrefs: 0486541D

Memory Dump Source

Source File: 00000000.00000002.1704558204.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4860000_L363rVr7oL.jbxd

Similarity

API ID:
String ID: \Ok$|ti$2k
API String ID: 0-1839758915
Opcode ID: 004e575a7503275c24a55bb9274b661ff64b0601413478d129a3c7f70894faf2
Instruction ID: a8f2dc1ef3054d72851e28a4cb26df9a2988ec63bf321516cea2d2d3b7e10aef
Opcode Fuzzy Hash: 004e575a7503275c24a55bb9274b661ff64b0601413478d129a3c7f70894faf2
Instruction Fuzzy Hash: 4ED25F74A11228CFDB25EF34D964BA9B7B2FB49304F1051EAD849A73A9DB355E80CF40

Function 048650E3 Relevance: 5.0, Strings: 3, Instructions: 1210COMMON

Download Yara Rule

Strings

\Ok, xrefs: 04866AF9
|ti, xrefs: 048653CE
2k, xrefs: 0486541D

Memory Dump Source

Source File: 00000000.00000002.1704558204.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4860000_L363rVr7oL.jbxd

Similarity

API ID:
String ID: \Ok$|ti$2k
API String ID: 0-1839758915
Opcode ID: 490fe9256d4630fb439083d09138d629e67ca96c60eed0cc1159230130a3bbd4
Instruction ID: b204f183d9dac344438df8929f3fc9947e19a7674ca6b3e2609838a55b9703c5
Opcode Fuzzy Hash: 490fe9256d4630fb439083d09138d629e67ca96c60eed0cc1159230130a3bbd4
Instruction Fuzzy Hash: ADD25F74A11228CFDB25EF34D964BA9B7B2FB49304F1051EAD849A73A9DB355E80CF40

Function 0486536F Relevance: 4.8, Strings: 3, Instructions: 1071COMMON

Download Yara Rule

Strings

\Ok, xrefs: 04866AF9
|ti, xrefs: 048653CE
2k, xrefs: 0486541D

Memory Dump Source

Source File: 00000000.00000002.1704558204.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4860000_L363rVr7oL.jbxd

Similarity

API ID:
String ID: \Ok$|ti$2k
API String ID: 0-1839758915
Opcode ID: baf483951a7ac325a48d32cc68a0cca1af1ca073d975b544ff20117005d9e5c4
Instruction ID: 7679429d4b154878ef3936e3df5467cda61f61efa0bdd1b0cda3394682658775
Opcode Fuzzy Hash: baf483951a7ac325a48d32cc68a0cca1af1ca073d975b544ff20117005d9e5c4
Instruction Fuzzy Hash: 9AC25C74A11228CFDB25EF30D864BA9B7B6FB49304F1051EAD909A7399DB359E81CF40

Function 04865459 Relevance: 2.3, Strings: 1, Instructions: 1040COMMON

Download Yara Rule

Strings

\Ok, xrefs: 04866AF9

Memory Dump Source

Source File: 00000000.00000002.1704558204.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4860000_L363rVr7oL.jbxd

Similarity

API ID:
String ID: \Ok
API String ID: 0-3677890257
Opcode ID: a6b6bd66668f353305df12b06f9a6ba58fdd7ddd916ab18c349fbd239c8c4a5a
Instruction ID: 06c7845bfd52d91c18638ec99044ccc184e70373f36403b0a43d3e5be161508c
Opcode Fuzzy Hash: a6b6bd66668f353305df12b06f9a6ba58fdd7ddd916ab18c349fbd239c8c4a5a
Instruction Fuzzy Hash: 48C25D74A11228CFDB25EF30D864BA9B7B6FB49304F1051EAD909A7399DB359E81CF40

Function 048636F0 Relevance: 5.1, Strings: 4, Instructions: 88COMMON

Download Yara Rule

Strings

Ni, xrefs: 04863780
Ni, xrefs: 04863719
Ni, xrefs: 0486375D
Ni, xrefs: 048637BA

Memory Dump Source

Source File: 00000000.00000002.1704558204.0000000004860000.00000040.00000800.00020000.00000000.sdmp, Offset: 04860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4860000_L363rVr7oL.jbxd

Similarity

API ID:
String ID: Ni$Ni$Ni$Ni
API String ID: 0-3444230515
Opcode ID: bdb8e23f767431c327899e0907f0cfa42c83f54d941bf60ea7d1482e3bbaa1af
Instruction ID: 7e2b459aba52ffb23476246f109365755d2959beb9406bfd08739bbae3a808da
Opcode Fuzzy Hash: bdb8e23f767431c327899e0907f0cfa42c83f54d941bf60ea7d1482e3bbaa1af
Instruction Fuzzy Hash: DD213E757002199FEB20DE6DC880BAA73EAFF89204F140968E906EB744EB70F9058790

Analysis Process: server.exePID: 3272, Parent PID: 5480COMMON

Execution Graph

Execution Coverage:	35.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	6.7%
Total number of Nodes:	105
Total number of Limit Nodes:	6

Executed Functions

Function 04804290 Relevance: 7.0, Strings: 4, Instructions: 1950COMMON

Download Yara Rule

Strings

|t`, xrefs: 048053C6
2k, xrefs: 04805415
\Ok, xrefs: 04806AF1
@, xrefs: 04804C1C

Memory Dump Source

Source File: 00000001.00000002.4142647125.0000000004800000.00000040.00000800.00020000.00000000.sdmp, Offset: 04800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4800000_server.jbxd

Similarity

API ID:
String ID: @$\Ok$|t`$2k
API String ID: 0-2856431566
Opcode ID: 29e5752d04f03fdb379c640ba17f45706aaff9547e99927bef49268561710b3f
Instruction ID: d0894e70a2e7f2f394a617f1c6840054584524d0ebce16e6292e0acaad27f0d9
Opcode Fuzzy Hash: 29e5752d04f03fdb379c640ba17f45706aaff9547e99927bef49268561710b3f
Instruction Fuzzy Hash: 78233B74A012288FDB29EF34DD54BADB7B2BB48304F1041E9D509AB3A4DB395E85DF90

Function 04804283 Relevance: 6.8, Strings: 4, Instructions: 1754COMMON

Download Yara Rule

Strings

|t`, xrefs: 048053C6
2k, xrefs: 04805415
\Ok, xrefs: 04806AF1
, xrefs: 04804BBC

Memory Dump Source

Source File: 00000001.00000002.4142647125.0000000004800000.00000040.00000800.00020000.00000000.sdmp, Offset: 04800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4800000_server.jbxd

Similarity

API ID:
String ID: $\Ok$|t`$2k
API String ID: 0-3379087335
Opcode ID: 990e06b6edc0ea1255811377b4c7dac40de1d6610a9c01138567a582b0771d95
Instruction ID: dd4ae0cc2cd6022c2f3fc4c44b08d0802281578b0ac68223e4f7d55503f2c3fb
Opcode Fuzzy Hash: 990e06b6edc0ea1255811377b4c7dac40de1d6610a9c01138567a582b0771d95
Instruction Fuzzy Hash: 75133A74A01228CFDB29EF34DC54BA9B7B6BB48304F1041E9D909AB3A4DB355E85DF90

Function 048044E9 Relevance: 6.6, Strings: 4, Instructions: 1624
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

|t`, xrefs: 048053C6
2k, xrefs: 04805415
\Ok, xrefs: 04806AF1
, xrefs: 04804BBC

Memory Dump Source

Source File: 00000001.00000002.4142647125.0000000004800000.00000040.00000800.00020000.00000000.sdmp, Offset: 04800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4800000_server.jbxd

Similarity

API ID:
String ID: $\Ok$|t`$2k
API String ID: 0-3379087335
Opcode ID: 40ce6298261b57b80310d25fb4c98f4053d4874933eff7f9e69564d04da9fc9d
Instruction ID: 906ede1db51b47090e2a70139f05b6427e367694b482291ade890ba9c4a8a24a
Opcode Fuzzy Hash: 40ce6298261b57b80310d25fb4c98f4053d4874933eff7f9e69564d04da9fc9d
Instruction Fuzzy Hash: 57033B74A012288FDB29EF34DC54BA9B7B6FB48304F1041E9D909AB3A4DB355E85DF90

Function 04804628 Relevance: 6.6, Strings: 4, Instructions: 1579
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

|t`, xrefs: 048053C6
2k, xrefs: 04805415
\Ok, xrefs: 04806AF1
, xrefs: 04804BBC

Memory Dump Source

Source File: 00000001.00000002.4142647125.0000000004800000.00000040.00000800.00020000.00000000.sdmp, Offset: 04800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4800000_server.jbxd

Similarity

API ID:
String ID: $\Ok$|t`$2k
API String ID: 0-3379087335
Opcode ID: b3bea73f0c7634071485193ee2d715cbf97d86249583a9a7d61a1a3b5f871e2b
Instruction ID: 9c63e157ff20b65fa13f372a8be5a401adc7c756466deefa5d12bfb99dd4c6b1
Opcode Fuzzy Hash: b3bea73f0c7634071485193ee2d715cbf97d86249583a9a7d61a1a3b5f871e2b
Instruction Fuzzy Hash: 8E033A74A012288FDB29EF34DC54BA9B7B6FB48304F1041E9D909AB3A4DB355E85DF90

Function 04804707 Relevance: 6.5, Strings: 4, Instructions: 1544
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

|t`, xrefs: 048053C6
2k, xrefs: 04805415
\Ok, xrefs: 04806AF1
, xrefs: 04804BBC

Memory Dump Source

Source File: 00000001.00000002.4142647125.0000000004800000.00000040.00000800.00020000.00000000.sdmp, Offset: 04800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4800000_server.jbxd

Similarity

API ID:
String ID: $\Ok$|t`$2k
API String ID: 0-3379087335
Opcode ID: 9497dc3e4f56e16ee51ec803156463f8a29bf72bb368f976110e8d53f1663f79
Instruction ID: d884bf748159f2c8e41c55eeed8e317a3da983bedb24ffe5751a9d2765202a25
Opcode Fuzzy Hash: 9497dc3e4f56e16ee51ec803156463f8a29bf72bb368f976110e8d53f1663f79
Instruction Fuzzy Hash: 72F23B74A012288FDB29EF34DC54BA9B7B6FB48304F1041E9D909AB3A4DB355E85DF90

Function 048047CC Relevance: 6.5, Strings: 4, Instructions: 1513
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

|t`, xrefs: 048053C6
2k, xrefs: 04805415
\Ok, xrefs: 04806AF1
, xrefs: 04804BBC

Memory Dump Source

Source File: 00000001.00000002.4142647125.0000000004800000.00000040.00000800.00020000.00000000.sdmp, Offset: 04800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4800000_server.jbxd

Similarity

API ID:
String ID: $\Ok$|t`$2k
API String ID: 0-3379087335
Opcode ID: e9378bd18c73d1e75746c36ddcfd1292f99b673270eb90ca8690863c7f650076
Instruction ID: 0fa11b678fcdea0257a92c19c8716e49d472d5b7949b3e4ba7d07044f9e28842
Opcode Fuzzy Hash: e9378bd18c73d1e75746c36ddcfd1292f99b673270eb90ca8690863c7f650076
Instruction Fuzzy Hash: 54F24C74A012288FDB29EF34DC54BA9B7B6FB48304F1041E9D909AB3A4DB355E85DF90

Function 0480492E Relevance: 6.5, Strings: 4, Instructions: 1456
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

|t`, xrefs: 048053C6
2k, xrefs: 04805415
\Ok, xrefs: 04806AF1
, xrefs: 04804BBC

Memory Dump Source

Source File: 00000001.00000002.4142647125.0000000004800000.00000040.00000800.00020000.00000000.sdmp, Offset: 04800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4800000_server.jbxd

Similarity

API ID:
String ID: $\Ok$|t`$2k
API String ID: 0-3379087335
Opcode ID: eac47323d8b81854d89670008a9dc5ab40c2fc7336d82c34dc5f725868cb531b
Instruction ID: 6210a3473e7d9d3ff7b2d4bf935e639338dcc5942e99e2a541fa3592908ba536
Opcode Fuzzy Hash: eac47323d8b81854d89670008a9dc5ab40c2fc7336d82c34dc5f725868cb531b
Instruction Fuzzy Hash: 85F25B74A012288FDB29EF34DC54BA9B7B6FB48304F1041E9D909AB3A4DB355E85DF90

Function 04804995 Relevance: 6.4, Strings: 4, Instructions: 1447
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

|t`, xrefs: 048053C6
2k, xrefs: 04805415
\Ok, xrefs: 04806AF1
, xrefs: 04804BBC

Memory Dump Source

Source File: 00000001.00000002.4142647125.0000000004800000.00000040.00000800.00020000.00000000.sdmp, Offset: 04800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4800000_server.jbxd

Similarity

API ID:
String ID: $\Ok$|t`$2k
API String ID: 0-3379087335
Opcode ID: 447af135bdc0b537ed0eab5111be60c8772a441673a7f1a6783579211a8043f0
Instruction ID: 947710ef531e3360f25fafa7870ce730e5aa899aa88e8511a3f70aedc7002c4d
Opcode Fuzzy Hash: 447af135bdc0b537ed0eab5111be60c8772a441673a7f1a6783579211a8043f0
Instruction Fuzzy Hash: 48F25B74A012288FDB29EF34DC54BA9B7B2FB48304F1041E9D909AB3A4DB355E85DF90

Function 048049F1 Relevance: 6.4, Strings: 4, Instructions: 1440
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

|t`, xrefs: 048053C6
2k, xrefs: 04805415
\Ok, xrefs: 04806AF1
, xrefs: 04804BBC

Memory Dump Source

Source File: 00000001.00000002.4142647125.0000000004800000.00000040.00000800.00020000.00000000.sdmp, Offset: 04800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4800000_server.jbxd

Similarity

API ID:
String ID: $\Ok$|t`$2k
API String ID: 0-3379087335
Opcode ID: c16c0fe4d4a70773657a21643d2c3ef09eaab26cebeca6da9edfba137030c610
Instruction ID: b8f9d5b566b242f5903a794f65ba39d609bef7223b2c900002d36f99aa822740
Opcode Fuzzy Hash: c16c0fe4d4a70773657a21643d2c3ef09eaab26cebeca6da9edfba137030c610
Instruction Fuzzy Hash: 0CF25B74A012288FDB29EF34DC54BA9B7B6FB48304F1041E9D909AB3A4DB355E85DF90

Function 04804C87 Relevance: 5.1, Strings: 3, Instructions: 1362
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

|t`, xrefs: 048053C6
2k, xrefs: 04805415
\Ok, xrefs: 04806AF1

Memory Dump Source

Source File: 00000001.00000002.4142647125.0000000004800000.00000040.00000800.00020000.00000000.sdmp, Offset: 04800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4800000_server.jbxd

Similarity

API ID:
String ID: \Ok$|t`$2k
API String ID: 0-2445104521
Opcode ID: 9f7236d88dd68a5043a96996e3994c10193fafd73cbce13287ce67c91eddaa8a
Instruction ID: f3959018e9ea9fb531a2b23dd1478e614a9868add6b2d0392a28999291defebb
Opcode Fuzzy Hash: 9f7236d88dd68a5043a96996e3994c10193fafd73cbce13287ce67c91eddaa8a
Instruction Fuzzy Hash: BBE26C74A012288FDB29EF34DC54BA9B7B2FB48304F1041E9D949AB3A4DB355E85DF90

Function 04804F27 Relevance: 5.0, Strings: 3, Instructions: 1245
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

|t`, xrefs: 048053C6
2k, xrefs: 04805415
\Ok, xrefs: 04806AF1

Memory Dump Source

Source File: 00000001.00000002.4142647125.0000000004800000.00000040.00000800.00020000.00000000.sdmp, Offset: 04800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4800000_server.jbxd

Similarity

API ID:
String ID: \Ok$|t`$2k
API String ID: 0-2445104521
Opcode ID: 394a82703d2b2d02ae78c30ee41ad4c857c04a9d95f3df530c2f7dd9e9a1771d
Instruction ID: d6e56dff7c350865eb8594335e5548839f0973cd544626688002e829af26c693
Opcode Fuzzy Hash: 394a82703d2b2d02ae78c30ee41ad4c857c04a9d95f3df530c2f7dd9e9a1771d
Instruction Fuzzy Hash: CAD25B74A012288FDB29EF34DC54BA9B7B6BB48304F1041E9D849AB3A4DB355E85DF90

Function 04804F95 Relevance: 5.0, Strings: 3, Instructions: 1236
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

|t`, xrefs: 048053C6
2k, xrefs: 04805415
\Ok, xrefs: 04806AF1

Memory Dump Source

Source File: 00000001.00000002.4142647125.0000000004800000.00000040.00000800.00020000.00000000.sdmp, Offset: 04800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4800000_server.jbxd

Similarity

API ID:
String ID: \Ok$|t`$2k
API String ID: 0-2445104521
Opcode ID: b1a9b65a5c6e700fc56b1c94a76764a30f8b270eeb992cfec698880d6e0e8f74
Instruction ID: 0b28ac7e1b3c307adb58bd54e927cc43711509b94da1769942ed2b25ccbcd288
Opcode Fuzzy Hash: b1a9b65a5c6e700fc56b1c94a76764a30f8b270eeb992cfec698880d6e0e8f74
Instruction Fuzzy Hash: 54D25B74A012288FDB29EF34DC54BA9B7B6BB48304F1041E9D849AB3A4DB355E85DF90

Function 04804FF8 Relevance: 5.0, Strings: 3, Instructions: 1230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

|t`, xrefs: 048053C6
2k, xrefs: 04805415
\Ok, xrefs: 04806AF1

Memory Dump Source

Source File: 00000001.00000002.4142647125.0000000004800000.00000040.00000800.00020000.00000000.sdmp, Offset: 04800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4800000_server.jbxd

Similarity

API ID:
String ID: \Ok$|t`$2k
API String ID: 0-2445104521
Opcode ID: 0c97ccf3d4a4090ef66cae8f6d2ff22c631f2594eace58928e1e8580fd567c7b
Instruction ID: 982ec03a32ab3800e888410ea7ffe382e4fbf3899be4583764b5a7298e5ba220
Opcode Fuzzy Hash: 0c97ccf3d4a4090ef66cae8f6d2ff22c631f2594eace58928e1e8580fd567c7b
Instruction Fuzzy Hash: 7CD25C74A012288FDB29EF30DC54BA9B7B6FB48304F1041E9D849AB3A4DB355E85DF90

Function 048050DB Relevance: 5.0, Strings: 3, Instructions: 1210COMMON

Download Yara Rule

Strings

|t`, xrefs: 048053C6
2k, xrefs: 04805415
\Ok, xrefs: 04806AF1

Memory Dump Source

Source File: 00000001.00000002.4142647125.0000000004800000.00000040.00000800.00020000.00000000.sdmp, Offset: 04800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4800000_server.jbxd

Similarity

API ID:
String ID: \Ok$|t`$2k
API String ID: 0-2445104521
Opcode ID: 95f0c85c603d357af95f5c4bc7c32e2f9d6852590f425e4b51e62a8332d7cc69
Instruction ID: a8da851df1ee2902d9177d2e386024639a2320cece4c2269f4526496193d6e2e
Opcode Fuzzy Hash: 95f0c85c603d357af95f5c4bc7c32e2f9d6852590f425e4b51e62a8332d7cc69
Instruction Fuzzy Hash: E9D25C74A012288FDB29EF30DC54BA9B7B6FB48304F1041E9D949AB3A4DB355E85DF90

Function 048074C7 Relevance: 1.9, Strings: 1, Instructions: 663COMMON

Download Yara Rule

Strings

L.k, xrefs: 04807533

Memory Dump Source

Source File: 00000001.00000002.4142647125.0000000004800000.00000040.00000800.00020000.00000000.sdmp, Offset: 04800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4800000_server.jbxd

Similarity

API ID:
String ID: L.k
API String ID: 0-2092726967
Opcode ID: 4b0ac8b70ae218475bf85eb938fb93e94298ed56fdbb5e516fa5815c98282f78
Instruction ID: 4cc935129584b77e6f72c59dc802bba293d89262d1dfd00ecc84cdfae602f88e
Opcode Fuzzy Hash: 4b0ac8b70ae218475bf85eb938fb93e94298ed56fdbb5e516fa5815c98282f78
Instruction Fuzzy Hash: 4F2223717012528BDB69EB32D85067E73E2AF88205B14CA75E491CB2D5EF38FC86D790

Function 04807900 Relevance: .5, Instructions: 497COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4142647125.0000000004800000.00000040.00000800.00020000.00000000.sdmp, Offset: 04800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4800000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41fc6009fc61a6a8ba466f7285746f5a93e9494752d7e977923bcf2629ebe97d
Instruction ID: 7877761a2fe9bdb3487ab63b9c81725026c1cc554004e69f8256f8e33ac1ca3b
Opcode Fuzzy Hash: 41fc6009fc61a6a8ba466f7285746f5a93e9494752d7e977923bcf2629ebe97d
Instruction Fuzzy Hash: 4F023873A112629BDB699F328C5047DB361BB80355341CA76E891DB2E8EF39FC81C780

Function 048000B8 Relevance: 5.1, Strings: 4, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2k, xrefs: 04800154
5]!l^, xrefs: 04800194, 04800199
E]!l^, xrefs: 04800140, 04800145
2k, xrefs: 048001A8

Memory Dump Source

Source File: 00000001.00000002.4142647125.0000000004800000.00000040.00000800.00020000.00000000.sdmp, Offset: 04800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4800000_server.jbxd

Similarity

API ID:
String ID: 2k$2k$5]!l^$E]!l^
API String ID: 0-690951654
Opcode ID: 891efd4cf2a2f5222ab008b380097b41208f2f1a309c0a4bd7a2f51396dc31a0
Instruction ID: f449d574d6e0b07b9efe50fbc8e8ade6f0441b7ed70744feb32c1da9ddd380d5
Opcode Fuzzy Hash: 891efd4cf2a2f5222ab008b380097b41208f2f1a309c0a4bd7a2f51396dc31a0
Instruction Fuzzy Hash: E431C9316043445FD719AB74A812A6E7B6B5BC2254F1449AED001DF3D2DF7A5C4AC3A2

Function 04800118 Relevance: 5.1, Strings: 4, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2k, xrefs: 04800154
5]!l^, xrefs: 04800194, 04800199
E]!l^, xrefs: 04800140, 04800145
2k, xrefs: 048001A8

Memory Dump Source

Source File: 00000001.00000002.4142647125.0000000004800000.00000040.00000800.00020000.00000000.sdmp, Offset: 04800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4800000_server.jbxd

Similarity

API ID:
String ID: 2k$2k$5]!l^$E]!l^
API String ID: 0-690951654
Opcode ID: 2c047701b600f6285a0b0340083576cbfdf7334f1f85b8ef3f68043889dc248a
Instruction ID: 284bcc3459bfd8a9d0ed4e54ff5faf3cad998ce494444de2206ef056855c64fd
Opcode Fuzzy Hash: 2c047701b600f6285a0b0340083576cbfdf7334f1f85b8ef3f68043889dc248a
Instruction Fuzzy Hash: 061106317042404FC319AB78B416ABE3B9B5BC624872459BED002CF396CFBD4C4A87E2

Function 04807FC0 Relevance: 4.0, Strings: 3, Instructions: 287COMMON

Download Yara Rule

Strings

}X!l^, xrefs: 048082C0
2k, xrefs: 048082C8
tf, xrefs: 048082B9

Memory Dump Source

Source File: 00000001.00000002.4142647125.0000000004800000.00000040.00000800.00020000.00000000.sdmp, Offset: 04800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4800000_server.jbxd

Similarity

API ID:
String ID: tf$2k$}X!l^
API String ID: 0-537504357
Opcode ID: 553cf4ac6466e4365cdcf8b3f175be9a263339329b39e69bc35bf8a8c5835d02
Instruction ID: 98097a3048ad5442d8a5f5395886add16d5f11238e10acf5574010c98c09b048
Opcode Fuzzy Hash: 553cf4ac6466e4365cdcf8b3f175be9a263339329b39e69bc35bf8a8c5835d02
Instruction Fuzzy Hash: C6A1D4307106118BD768FB38CC45B6D32A2AB84354F548A78D421DB3E5EF39ED86DBA0

Function 048001FC Relevance: 3.8, Strings: 3, Instructions: 33COMMON

Download Yara Rule

Strings

XR`, xrefs: 04800260
P`, xrefs: 04800216
HQ`, xrefs: 0480023B

Memory Dump Source

Source File: 00000001.00000002.4142647125.0000000004800000.00000040.00000800.00020000.00000000.sdmp, Offset: 04800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4800000_server.jbxd

Similarity

API ID:
String ID: HQ`$XR`$P`
API String ID: 0-1163813928
Opcode ID: 40dad9ad5b16def053ed0ccd9e3b94752208c1262120c6ff8ef831bc26a0e644
Instruction ID: 23ac1405e8a0674a7eb75f29abfdd352024b4cf96a00de5e0877e5ed4a7c0621
Opcode Fuzzy Hash: 40dad9ad5b16def053ed0ccd9e3b94752208c1262120c6ff8ef831bc26a0e644
Instruction Fuzzy Hash: 810144706116029BC724EF38D54C95E7BE2AFC4309B40892CA14587764DF3899489B83

Function 048037F9 Relevance: 3.0, Strings: 2, Instructions: 499COMMON

Download Yara Rule

Strings

\Ok, xrefs: 0480387D
2k, xrefs: 04803C26

Memory Dump Source

Source File: 00000001.00000002.4142647125.0000000004800000.00000040.00000800.00020000.00000000.sdmp, Offset: 04800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4800000_server.jbxd

Similarity

API ID:
String ID: \Ok$2k
API String ID: 0-3697909212
Opcode ID: c8f4df9d6a86e2b27f33c3512f78e6028d5f1434c06481f76101cdd594b7ed63
Instruction ID: b673a212bf81fb9a9d35745b41722c99255ca167e771650a5e30f311eb4f36bc
Opcode Fuzzy Hash: c8f4df9d6a86e2b27f33c3512f78e6028d5f1434c06481f76101cdd594b7ed63
Instruction Fuzzy Hash: 9D324D70A00218CFCB28EF74D955BEDB7B2AF49308F1045A9D509AB3A4DB395E86DF50

Function 04805622 Relevance: 2.2, Strings: 1, Instructions: 963COMMON

Download Yara Rule

Strings

\Ok, xrefs: 04806AF1

Memory Dump Source

Source File: 00000001.00000002.4142647125.0000000004800000.00000040.00000800.00020000.00000000.sdmp, Offset: 04800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4800000_server.jbxd

Similarity

API ID:
String ID: \Ok
API String ID: 0-3677890257
Opcode ID: 6351136cda879a7624ce45eeff3e9c3b73fe2e4f9a8540a29bbd38fd004bd00e
Instruction ID: 303f8603aa9c7cf95ef5fa6ce1c0d7a7207b6ba71e7961f9548e025785f85dbf
Opcode Fuzzy Hash: 6351136cda879a7624ce45eeff3e9c3b73fe2e4f9a8540a29bbd38fd004bd00e
Instruction Fuzzy Hash: ADB20C74A01228CFDB29EF20DC54BA9B7B6FB48304F5041E9D9096B3A8DB355E85DF90

Function 04805799 Relevance: 2.2, Strings: 1, Instructions: 906COMMON

Download Yara Rule

Strings

\Ok, xrefs: 04806AF1

Memory Dump Source

Source File: 00000001.00000002.4142647125.0000000004800000.00000040.00000800.00020000.00000000.sdmp, Offset: 04800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4800000_server.jbxd

Similarity

API ID:
String ID: \Ok
API String ID: 0-3677890257
Opcode ID: 3c8d09e047c5e0cd97067f2f73038d90b9ad6689e9f66afb633b6eeaea8304c7
Instruction ID: 5bdad5b775a7dcb325f0e0bd1aee18b706e068a855561b47a7878a38467ac157
Opcode Fuzzy Hash: 3c8d09e047c5e0cd97067f2f73038d90b9ad6689e9f66afb633b6eeaea8304c7
Instruction Fuzzy Hash: 13A21C74A01228CFDB29EF20DC54BA9B7B6FB48304F5041E9D909AB3A4DB355E85DF90

Function 04805910 Relevance: 2.1, Strings: 1, Instructions: 849COMMON

Download Yara Rule

Strings

\Ok, xrefs: 04806AF1

Memory Dump Source

Source File: 00000001.00000002.4142647125.0000000004800000.00000040.00000800.00020000.00000000.sdmp, Offset: 04800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4800000_server.jbxd

Similarity

API ID:
String ID: \Ok
API String ID: 0-3677890257
Opcode ID: df7186d98b47f24c8509c2602ca684e7af90646b751da90d2a3e57dd1ab2fcfa
Instruction ID: 46ebf520cb67bef4fe85fcd93735dc7d3ff7f695d66c706a28161182f19bd531
Opcode Fuzzy Hash: df7186d98b47f24c8509c2602ca684e7af90646b751da90d2a3e57dd1ab2fcfa
Instruction Fuzzy Hash: 71921C74A01228CFDB29EF20DC54BA9B7B6FB48304F1041E9D909AB3A4DB355E85DF90

Function 04805A87 Relevance: 2.0, Strings: 1, Instructions: 792COMMON

Download Yara Rule

Strings

\Ok, xrefs: 04806AF1

Memory Dump Source

Source File: 00000001.00000002.4142647125.0000000004800000.00000040.00000800.00020000.00000000.sdmp, Offset: 04800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4800000_server.jbxd

Similarity

API ID:
String ID: \Ok
API String ID: 0-3677890257
Opcode ID: 667bf8eb0a0672f962c9326755fa9f2df2d0fd8f6c1b291c9c7a8f111cce5d53
Instruction ID: f3b83025001d36d79f0ad233b1fdeb7a05999d9479df88f6dd11507adb2046b8
Opcode Fuzzy Hash: 667bf8eb0a0672f962c9326755fa9f2df2d0fd8f6c1b291c9c7a8f111cce5d53
Instruction Fuzzy Hash: 2D922D74A01228CFDB29EF34D854BA9B7B6FB48304F1041E9D909AB3A4DB359E85DF50

Function 04805BFE Relevance: 2.0, Strings: 1, Instructions: 735COMMON

Download Yara Rule

Strings

\Ok, xrefs: 04806AF1

Memory Dump Source

Source File: 00000001.00000002.4142647125.0000000004800000.00000040.00000800.00020000.00000000.sdmp, Offset: 04800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4800000_server.jbxd

Similarity

API ID:
String ID: \Ok
API String ID: 0-3677890257
Opcode ID: 96ca0d9847c2ddeedcf43d1a8285d9058f4357f035e28f5f60d97fac7411c2d6
Instruction ID: 5f0e570cee5cd55000e30d7bc6e0a8f1cf8bc69f527258c74f5ee070d131629e
Opcode Fuzzy Hash: 96ca0d9847c2ddeedcf43d1a8285d9058f4357f035e28f5f60d97fac7411c2d6
Instruction Fuzzy Hash: 8F823C74A01228CFDB29EF34D854BA9B7B6FB48304F1041E9D909AB3A4DB359E85DF50

Function 04805EEC Relevance: 1.9, Strings: 1, Instructions: 621COMMON

Download Yara Rule

Strings

\Ok, xrefs: 04806AF1

Memory Dump Source

Source File: 00000001.00000002.4142647125.0000000004800000.00000040.00000800.00020000.00000000.sdmp, Offset: 04800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4800000_server.jbxd

Similarity

API ID:
String ID: \Ok
API String ID: 0-3677890257
Opcode ID: 6d89f43c8c289714c9f8a853d87015362e91e4baa0b03913e7bbf425cabff507
Instruction ID: 901e9d2174aaa1343a0721d4ccdea6ecbfe5ad544491ce658fd51f6cd924d2b3
Opcode Fuzzy Hash: 6d89f43c8c289714c9f8a853d87015362e91e4baa0b03913e7bbf425cabff507
Instruction Fuzzy Hash: D5623B74A01228CFDB29EF34D854BA9B7B6BB48304F5041E9D909AB3A4DB359F85DF40

Function 048061DA Relevance: 1.8, Strings: 1, Instructions: 507COMMON

Download Yara Rule

Strings

\Ok, xrefs: 04806AF1

Memory Dump Source

Source File: 00000001.00000002.4142647125.0000000004800000.00000040.00000800.00020000.00000000.sdmp, Offset: 04800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4800000_server.jbxd

Similarity

API ID:
String ID: \Ok
API String ID: 0-3677890257
Opcode ID: 1a22e6d7dc0c42b668719fbc1e7c6751c1b95cca87444fa4a2eba016f9218269
Instruction ID: 295c063b9425a5704035303aa127295fac0d114226b3b470201d335ad9ecdf52
Opcode Fuzzy Hash: 1a22e6d7dc0c42b668719fbc1e7c6751c1b95cca87444fa4a2eba016f9218269
Instruction Fuzzy Hash: D6424074A01228CFDB29EF34D954BA9B7B6FB48304F1041E9D909AB3A4DB359E85DF40

Function 04872BBE Relevance: 1.6, APIs: 1, Instructions: 129registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 04872CB9

Memory Dump Source

Source File: 00000001.00000002.4142672568.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4870000_server.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e0b808c0fa7177dd19e45a28d47bf51fff642865f4fe34daae0a5f8f15b52dcb
Instruction ID: 41694563d3536f860a781cdf6e009e6319f7cad2147a3b6c1491afc9c944171f
Opcode Fuzzy Hash: e0b808c0fa7177dd19e45a28d47bf51fff642865f4fe34daae0a5f8f15b52dcb
Instruction Fuzzy Hash: B8418175109380AFE7238B258C54F66BFB8EF56214F0849DAE985CB563D224E809CB71

Function 0487131B Relevance: 1.6, APIs: 1, Instructions: 98registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 048713E2

Memory Dump Source

Source File: 00000001.00000002.4142672568.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4870000_server.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 88e91f13da743fc83fb01f39337bb614a9cdbd2040689eb9a48d01d3f139267b
Instruction ID: 18c8f5880b2f5c6b742631b2db17a79b54f26c1227e8c92c640e95b67f434531
Opcode Fuzzy Hash: 88e91f13da743fc83fb01f39337bb614a9cdbd2040689eb9a48d01d3f139267b
Instruction Fuzzy Hash: A9318B6510E3C06FD3138B258C65A61BFB4EF47610B0E45CBE8C48F6A3D229A909D7B2

Function 048067A1 Relevance: 1.6, Strings: 1, Instructions: 343COMMON

Download Yara Rule

Strings

\Ok, xrefs: 04806AF1

Memory Dump Source

Source File: 00000001.00000002.4142647125.0000000004800000.00000040.00000800.00020000.00000000.sdmp, Offset: 04800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4800000_server.jbxd

Similarity

API ID:
String ID: \Ok
API String ID: 0-3677890257
Opcode ID: 8e4339f9fc6a076d8cd9ff395c6f603571977456005acb16a4191ad81435676b
Instruction ID: beecd63dd4082a11fc6a29463d000dba0fe73c91084e0db7928f3c4e0491379e
Opcode Fuzzy Hash: 8e4339f9fc6a076d8cd9ff395c6f603571977456005acb16a4191ad81435676b
Instruction Fuzzy Hash: AF024E74A00228CFDB29EF34D854BA9B7B6BF49304F5041E9D909AB3A4DB359E85DF40

Function 04871E40 Relevance: 1.6, APIs: 1, Instructions: 90timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E24,8D865A99,00000000,00000000,00000000,00000000), ref: 04871EDD

Memory Dump Source

Source File: 00000001.00000002.4142672568.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4870000_server.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: af8413b7849e09495c265f598675890209a99252b1e5eb8f17deccb6164d10bf
Instruction ID: 603d70ce0b830a9e5a1c8e4c9abfe1329e7d6bde64150947bb5251822b73f4cf
Opcode Fuzzy Hash: af8413b7849e09495c265f598675890209a99252b1e5eb8f17deccb6164d10bf
Instruction Fuzzy Hash: FE31E5725047806FE722CF54DD55B96BFB8EF06310F08899AE984CB693D335A909CB71

Function 04871834 Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 048718CB

Memory Dump Source

Source File: 00000001.00000002.4142672568.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4870000_server.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 74dc86cb096802aa2d718f44bb2e3969294127a432ce4feb467c67c5adfde6e1
Instruction ID: a7dfe35799ee62ad6e360cd7f45873f001199274ddb3c52db100a904bab60aaa
Opcode Fuzzy Hash: 74dc86cb096802aa2d718f44bb2e3969294127a432ce4feb467c67c5adfde6e1
Instruction Fuzzy Hash: DF318F72604344AFE7228B65DC45FA6BBBCEF05210F0889AAE944DB652D234E949CB61

Function 04870E8C Relevance: 1.6, APIs: 1, Instructions: 86COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E24,8D865A99,00000000,00000000,00000000,00000000), ref: 04870F20

Memory Dump Source

Source File: 00000001.00000002.4142672568.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4870000_server.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 4b144e2b8af9c27bbf78f41b4468e047228950b0400ab82546531b77ce528696
Instruction ID: 38cfedb41db2835bc34299b2386b8b799dcfed38098ccb1c91caaa5342d4dbe1
Opcode Fuzzy Hash: 4b144e2b8af9c27bbf78f41b4468e047228950b0400ab82546531b77ce528696
Instruction Fuzzy Hash: FB21F6B25093806FE7128F64DC55B96BFB8EF07324F0884DAE944CF193D264A909CB71

Function 04872C1E Relevance: 1.6, APIs: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 04872CB9

Memory Dump Source

Source File: 00000001.00000002.4142672568.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4870000_server.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 95ee330df42f1bf463fc3a1949afef9d63459879a43652a9992e6bdd6555f383
Instruction ID: e46b67bef8346bb1223de22129580974934d5dedd22bf4a4463bd2b0dd35042a
Opcode Fuzzy Hash: 95ee330df42f1bf463fc3a1949afef9d63459879a43652a9992e6bdd6555f383
Instruction Fuzzy Hash: 4021CE76600704AEE7318F19CD44FA7BBECEF18214F088A6AE945C7652E730E5088AB1

Function 04872F60 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E24,8D865A99,00000000,00000000,00000000,00000000), ref: 04872FF7

Memory Dump Source

Source File: 00000001.00000002.4142672568.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4870000_server.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 0beb5769048c4d44681141a10c2bd8e21372a9768c0d91ac732c86fb559d6ff5
Instruction ID: f9e1d83ee7d9cfc09802e927e7e0a4e170c5727cdbe807818955d7eebd7781a6
Opcode Fuzzy Hash: 0beb5769048c4d44681141a10c2bd8e21372a9768c0d91ac732c86fb559d6ff5
Instruction Fuzzy Hash: BC21A5715097846FE713CB24DC55B96BFA8AF46214F0888DBE988CF293D235A909C772

Function 04872E91 Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

select.WS2_32(?,?,?,?,?), ref: 04872F20

Memory Dump Source

Source File: 00000001.00000002.4142672568.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4870000_server.jbxd

Similarity

API ID: select
String ID:
API String ID: 1274211008-0
Opcode ID: 060626f5bfa630f69fbf8b44d4975d4a43e26111d7c8767d6e51a8dcb0090ed6
Instruction ID: 7da782b4d4938371131adbb019027a3787c16b95ef2cde25dddae9e38621492e
Opcode Fuzzy Hash: 060626f5bfa630f69fbf8b44d4975d4a43e26111d7c8767d6e51a8dcb0090ed6
Instruction Fuzzy Hash: 94215C755087809FD722CF25DC54A52BFF8EF06210B0889DAED88CB262D275E909DB61

Function 048719EA Relevance: 1.6, APIs: 1, Instructions: 77fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 04871A7E

Memory Dump Source

Source File: 00000001.00000002.4142672568.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4870000_server.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: b40dac2c66666f12d5edeed8e0cbfe02b5eb8ea5d0a1997d6c4b50b42e0569a3
Instruction ID: d56d29e025289ec95129676ba31b7ddf80a28d88efca95a9ab69d5fe241dcedc
Opcode Fuzzy Hash: b40dac2c66666f12d5edeed8e0cbfe02b5eb8ea5d0a1997d6c4b50b42e0569a3
Instruction Fuzzy Hash: 7E21B171404380AFE722CF59DD48F96FBF8EF09224F04899EE9858B652D375E548CB61

Function 0487140E Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 0487149A

Memory Dump Source

Source File: 00000001.00000002.4142672568.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4870000_server.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 8211825d0e1179be4209ddf49b5c193ea2e6b3a02af470c58167a80cff94b349
Instruction ID: d1419a30c1c6550cd2050c933ca359de96230986db9420041543b59fe583f749
Opcode Fuzzy Hash: 8211825d0e1179be4209ddf49b5c193ea2e6b3a02af470c58167a80cff94b349
Instruction Fuzzy Hash: DD21B171409380AFE722CF55DD49F96FFF8EF05220F08899EE9858B692D375A508CB61

Function 04871742 Relevance: 1.6, APIs: 1, Instructions: 76registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,8D865A99,00000000,00000000,00000000,00000000), ref: 048717E0

Memory Dump Source

Source File: 00000001.00000002.4142672568.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4870000_server.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 6c36cc3ad66aa80ccbcd225359d7109e5ea440c49151a4dc5d1a270ea5a5fb61
Instruction ID: da730f10312307905c9bfc14238ab82e13ddacf083ba423d610932b820af2824
Opcode Fuzzy Hash: 6c36cc3ad66aa80ccbcd225359d7109e5ea440c49151a4dc5d1a270ea5a5fb61
Instruction Fuzzy Hash: 24219F72504740AFE722CF55DC48F66BBF8EF45710F08899AE9458B692D324E908CB61

Function 0487185A Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 048718CB

Memory Dump Source

Source File: 00000001.00000002.4142672568.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4870000_server.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: d4a9706c8a7b42f981ab5c2610989afb0b348d6d9eb029ae3dbf7d6c2c3e8572
Instruction ID: 9b882806886f57e7483ac676e012b0e2ea7c9685d3f6608a2b5af46e3a6ff969
Opcode Fuzzy Hash: d4a9706c8a7b42f981ab5c2610989afb0b348d6d9eb029ae3dbf7d6c2c3e8572
Instruction Fuzzy Hash: 5C21DA71600204AFE721DF65DC45F6AF7ECEF04214F04896AE945DB741D734E5488A71

Function 0487305F Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E24,8D865A99,00000000,00000000,00000000,00000000), ref: 048730DB

Memory Dump Source

Source File: 00000001.00000002.4142672568.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4870000_server.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 5d7fd87fb6b44fb8f0fdea774e1bd5d13daf1d7331db0f4dda5df4e22b17b349
Instruction ID: 60c92a70e5fc926b95855b1d2d8fa5a3baa38b62030efd2220ae93403c052b92
Opcode Fuzzy Hash: 5d7fd87fb6b44fb8f0fdea774e1bd5d13daf1d7331db0f4dda5df4e22b17b349
Instruction Fuzzy Hash: 1821D7715043806FD722CF55DC44FA7BFA8EF45210F0889AAF944DB252D274A908CBB1

Function 04872DCB Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E24,8D865A99,00000000,00000000,00000000,00000000), ref: 04872E47

Memory Dump Source

Source File: 00000001.00000002.4142672568.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4870000_server.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: eca4e2abdfa4bb103481797366ec0114f90083bce275615a87c0533edd77191d
Instruction ID: 0defb2ba00bab442e2f044b3e28a6d080264d90fb821a8dc0a7ee2f488dcb68f
Opcode Fuzzy Hash: eca4e2abdfa4bb103481797366ec0114f90083bce275615a87c0533edd77191d
Instruction Fuzzy Hash: D621C6715093806FD722CF54DC84F96BFB8EF45210F08899AE9449F252C274A508C7B1

Function 0487201B Relevance: 1.6, APIs: 1, Instructions: 68networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 0487209A

Memory Dump Source

Source File: 00000001.00000002.4142672568.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4870000_server.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 118a40c531ca9a2f9bd6f6d1221c9947d1a8f789bf5fdcb90dd0b9fd890d7273
Instruction ID: dd79584d556a5b513d96ff282ee080c2f30c49a1f476ecc415dc7636c26fe0a2
Opcode Fuzzy Hash: 118a40c531ca9a2f9bd6f6d1221c9947d1a8f789bf5fdcb90dd0b9fd890d7273
Instruction Fuzzy Hash: DA21B375009780AFDB228F60DC84A92BFF4EF06310F0989DAE9858F162D375A849DB71

Function 04871A0A Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 04871A7E

Memory Dump Source

Source File: 00000001.00000002.4142672568.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4870000_server.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 8895190afa03ace2754544070d4bfe289deb295a110551eee53a69f880fcb5b1
Instruction ID: 73c0ee4fa19139d247d5b4609830a2c77021521c0e9a7672fec2439ceb354767
Opcode Fuzzy Hash: 8895190afa03ace2754544070d4bfe289deb295a110551eee53a69f880fcb5b1
Instruction Fuzzy Hash: 6021C071500204AFE721CF59DD89FAAFBE8EF08224F048A69E9458BB51D375F548CBB1

Function 0487142E Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 0487149A

Memory Dump Source

Source File: 00000001.00000002.4142672568.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4870000_server.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 8dd99fa28b73d55aeb30dee75b60d5189f9919f59ee838706335b967423076d6
Instruction ID: 572c0a7df424433cf3fd45adeae60aecd4ddd221ce1d937bbc05db226c92a67a
Opcode Fuzzy Hash: 8dd99fa28b73d55aeb30dee75b60d5189f9919f59ee838706335b967423076d6
Instruction Fuzzy Hash: 4C21D471500200AFE731CF59DD45BA6FBE8EF08324F048969E9458AB52D375F408CBB1

Function 048722DA Relevance: 1.6, APIs: 1, Instructions: 66libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E24), ref: 04872363

Memory Dump Source

Source File: 00000001.00000002.4142672568.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4870000_server.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e34d2dbbc489978ad96e7716dd1cc6aecbf3c0f5959e1774f7dd6947929f3867
Instruction ID: 6a99c5a001293805fcbb51c9b42b53a9af6193fa615ba9eaf33b927685448ecd
Opcode Fuzzy Hash: e34d2dbbc489978ad96e7716dd1cc6aecbf3c0f5959e1774f7dd6947929f3867
Instruction Fuzzy Hash: E51106711043406FE721CB15DC85FA6FFB8DF06320F0484DAF9848F292D274A948CB62

Function 0487176E Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,8D865A99,00000000,00000000,00000000,00000000), ref: 048717E0

Memory Dump Source

Source File: 00000001.00000002.4142672568.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4870000_server.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 38f65627c68f2149da022ac86386b83d73a3dc50fe4c884abfd66a15cce0f999
Instruction ID: 8e7279cb4b22e6a7aa5a6b9aa4e545503fb8600352d93c9a6d7b2a04a6dcc61d
Opcode Fuzzy Hash: 38f65627c68f2149da022ac86386b83d73a3dc50fe4c884abfd66a15cce0f999
Instruction Fuzzy Hash: 08119072600604AFE731CF55DD48BA6B7E8EF04614F048A6AE945CAB51D774E4088AB1

Function 04871E7E Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E24,8D865A99,00000000,00000000,00000000,00000000), ref: 04871EDD

Memory Dump Source

Source File: 00000001.00000002.4142672568.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4870000_server.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: ac66ae856de05d5bb894051796f4420078ff5cd3bf368d620f794d86d355c60f
Instruction ID: 129673fdeb4d99265faec21ea8f5e6f8dfee3a8b82273a45d1e58c88cbc3619c
Opcode Fuzzy Hash: ac66ae856de05d5bb894051796f4420078ff5cd3bf368d620f794d86d355c60f
Instruction Fuzzy Hash: 6A11D672500304AFE7218F55DD44BAAB7A8EF04314F04896AED45CBA51D775E5488BB1

Function 04873082 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E24,8D865A99,00000000,00000000,00000000,00000000), ref: 048730DB

Memory Dump Source

Source File: 00000001.00000002.4142672568.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4870000_server.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 17a67ec320fe1c35a69602b834a480fd56c0cc46266256b72753ed693af8ce70
Instruction ID: 0cbb8b0c8bc3c9f640e54fd90fb8fa73157b0515cbf3701b253950d09a8c37e3
Opcode Fuzzy Hash: 17a67ec320fe1c35a69602b834a480fd56c0cc46266256b72753ed693af8ce70
Instruction Fuzzy Hash: DB11B271600204AFEB21CF59DD45BAAB7A8EF04224F04896AED05DB641D775E948CAB2

Function 04872F9E Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E24,8D865A99,00000000,00000000,00000000,00000000), ref: 04872FF7

Memory Dump Source

Source File: 00000001.00000002.4142672568.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4870000_server.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 17a67ec320fe1c35a69602b834a480fd56c0cc46266256b72753ed693af8ce70
Instruction ID: 9b6a17c3500fca00c2a08b8cec27bf644c8ff11a375755bce59e44eb5b56581c
Opcode Fuzzy Hash: 17a67ec320fe1c35a69602b834a480fd56c0cc46266256b72753ed693af8ce70
Instruction Fuzzy Hash: 67110472600304AFE721CF59DD44BAAB7A8DF04224F0489AAED05CB641D775E908CAB1

Function 04870ECA Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E24,8D865A99,00000000,00000000,00000000,00000000), ref: 04870F20

Memory Dump Source

Source File: 00000001.00000002.4142672568.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4870000_server.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 948f8c858dc441f794eeaedbff7b4c895e0d6af99b6e22cca21660ea7877ffc6
Instruction ID: 00105af4270cecd4f4f3f2e0561d657a099f073f934030c806a20415a2fba49a
Opcode Fuzzy Hash: 948f8c858dc441f794eeaedbff7b4c895e0d6af99b6e22cca21660ea7877ffc6
Instruction Fuzzy Hash: 4E11E371600204AFEB21CF19DD85BAAB7A8DF05724F04C97AED05CB681D774E908CAB1

Function 04872DEE Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E24,8D865A99,00000000,00000000,00000000,00000000), ref: 04872E47

Memory Dump Source

Source File: 00000001.00000002.4142672568.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4870000_server.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: b99725dbc7bfee0013da6036c54893c122fd001d27d30a3bf854d164a06c5df6
Instruction ID: 8b402aaf6e4ec701d11b438ece12fabbce1e187d1d197c2f0a46f499277dd21e
Opcode Fuzzy Hash: b99725dbc7bfee0013da6036c54893c122fd001d27d30a3bf854d164a06c5df6
Instruction Fuzzy Hash: E411E772500304AFE721CF54DD84BA6F7A8EF04324F1489A6ED45CB642D375E5088AB1

Function 048722FA Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E24), ref: 04872363

Memory Dump Source

Source File: 00000001.00000002.4142672568.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4870000_server.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 87eff6b1d2891cdbd07b9c8abf62a1678f81731614f769b37a23782410d13baf
Instruction ID: 9077d01c067b1bf2ef7aaa01de811485eaeca3ac70ffd1d9b085dfb7ea8d2f57
Opcode Fuzzy Hash: 87eff6b1d2891cdbd07b9c8abf62a1678f81731614f769b37a23782410d13baf
Instruction Fuzzy Hash: 89112571100304AEE720CB19DD85FB6FBA8DF04724F1489A9FD458A791D2B9F948CAA2

Function 04872ECA Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

select.WS2_32(?,?,?,?,?), ref: 04872F20

Memory Dump Source

Source File: 00000001.00000002.4142672568.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4870000_server.jbxd

Similarity

API ID: select
String ID:
API String ID: 1274211008-0
Opcode ID: 0f84750d3c3bcfe24114d82d67809125b0547318ff4f7d5320b862fbee90fcb7
Instruction ID: 0135f7705153f7ad6e821c2e1b29b6a245ac9d3dda94cf022282ec766fcdf37f
Opcode Fuzzy Hash: 0f84750d3c3bcfe24114d82d67809125b0547318ff4f7d5320b862fbee90fcb7
Instruction Fuzzy Hash: 22116D756002049FDB30CF19D884B62F7E8EF04320F0889AAED49CB652D335E948CBA1

Function 0487204E Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 0487209A

Memory Dump Source

Source File: 00000001.00000002.4142672568.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4870000_server.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 0a06293931b832bed2e6212cd56f90451c2b5a84c4d0a6951cf4d1714e79d16a
Instruction ID: dc0d3d1f0e47b652bc8b2091401a746c245133313f65932af423630c6be73b60
Opcode Fuzzy Hash: 0a06293931b832bed2e6212cd56f90451c2b5a84c4d0a6951cf4d1714e79d16a
Instruction Fuzzy Hash: B9115E755006049FDB20DF55D984B66FBE4EF08210F0889AAEE458B652D336E458DF72

Function 04871392 Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 048713E2

Memory Dump Source

Source File: 00000001.00000002.4142672568.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4870000_server.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 4500b4e4b2e3c294c50851778003f1c01be923a82a48d294c3b6a945ccc1a13d
Instruction ID: 243ef92ecf68ddc5523b1201ffa0c377cb8d00b3ef6847c3d44719bfceb30f4e
Opcode Fuzzy Hash: 4500b4e4b2e3c294c50851778003f1c01be923a82a48d294c3b6a945ccc1a13d
Instruction Fuzzy Hash: 3301A771500201AFD250DF1ADD45F66FBE8FB88A20F148159EC085B742D771F515CBE5

Function 04806902 Relevance: 1.5, Strings: 1, Instructions: 287COMMON

Download Yara Rule

Strings

\Ok, xrefs: 04806AF1

Memory Dump Source

Source File: 00000001.00000002.4142647125.0000000004800000.00000040.00000800.00020000.00000000.sdmp, Offset: 04800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4800000_server.jbxd

Similarity

API ID:
String ID: \Ok
API String ID: 0-3677890257
Opcode ID: f5fd9019b69aea13c1ff7093fd59b74fa440be710a674eb0632ec3c17af73600
Instruction ID: 71a5adcfef73f64212504385a52b85812ef4a170cf0b7b1118f42064e7a25319
Opcode Fuzzy Hash: f5fd9019b69aea13c1ff7093fd59b74fa440be710a674eb0632ec3c17af73600
Instruction Fuzzy Hash: 30D14C74A00228CFDB29EF34D894BADB7B6BB49304F5041E9D509AB3A4DB359E85DF40

Function 04809A11 Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

K`, xrefs: 04809A1C

Memory Dump Source

Source File: 00000001.00000002.4142647125.0000000004800000.00000040.00000800.00020000.00000000.sdmp, Offset: 04800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4800000_server.jbxd

Similarity

API ID:
String ID: K`
API String ID: 0-535225705
Opcode ID: df18527639de5ae37b1817dc69e53487f778aae1959aa45a3f4ba35c2223579a
Instruction ID: 9410d75c172a7781be4921b143a01e153eea3cc21ccf2c5143c6d0414abbf219
Opcode Fuzzy Hash: df18527639de5ae37b1817dc69e53487f778aae1959aa45a3f4ba35c2223579a
Instruction Fuzzy Hash: FBB17F70F002149FCB1DEF75E85095E77B2AF88248B608529E4169B3B9DF39AC46DB90

Function 048039B7 Relevance: 1.4, Strings: 1, Instructions: 182COMMON

Download Yara Rule

Strings

2k, xrefs: 04803C26

Memory Dump Source

Source File: 00000001.00000002.4142647125.0000000004800000.00000040.00000800.00020000.00000000.sdmp, Offset: 04800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4800000_server.jbxd

Similarity

API ID:
String ID: 2k
API String ID: 0-1599061190
Opcode ID: 735e337ee51f85ac60204933f10a71bf6e80a2c82f47efe79765681eb70b7de3
Instruction ID: 5273e9b066f76cd026879f8441dad71d4e8b25a646ebfadc614aef51c2dbf2a6
Opcode Fuzzy Hash: 735e337ee51f85ac60204933f10a71bf6e80a2c82f47efe79765681eb70b7de3
Instruction Fuzzy Hash: E8815E30A00218CFDB28EFB4C855BEDB7B2AF45308F5085A9D505AB3A4DB795E85CF51

Function 04803B10 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

2k, xrefs: 04803C26

Memory Dump Source

Source File: 00000001.00000002.4142647125.0000000004800000.00000040.00000800.00020000.00000000.sdmp, Offset: 04800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4800000_server.jbxd

Similarity

API ID:
String ID: 2k
API String ID: 0-1599061190
Opcode ID: 0f55cc068bd631b67385da2e907ab8cf9087c28bf873045055be18dbad2b7b24
Instruction ID: d7ebb5571cc8c53ff2796559d8a666e04ad83b384c3ed7eca86525aa09b58d41
Opcode Fuzzy Hash: 0f55cc068bd631b67385da2e907ab8cf9087c28bf873045055be18dbad2b7b24
Instruction Fuzzy Hash: 34416E30A00218CFDB28EFB5C955BEDB7B2BF44308F5045AAD405AB2A4DB795E85CF61

Function 048083F8 Relevance: 1.2, Instructions: 1243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4142647125.0000000004800000.00000040.00000800.00020000.00000000.sdmp, Offset: 04800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4800000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17d67561f914c99c45b7698108baa8d3ab2930cf6f804f0ca9919e9e4e31dbf6
Instruction ID: 18c34cf2b9fbf450da61e88e2b05cf7a50bd06f1566585467c83c640b0a33fd6
Opcode Fuzzy Hash: 17d67561f914c99c45b7698108baa8d3ab2930cf6f804f0ca9919e9e4e31dbf6
Instruction Fuzzy Hash: A7C2E374700164CFDB24AB29D904BB977F6AB4C304F40856B9849D77A8DB349E8AFF60

Function 048084AE Relevance: 1.1, Instructions: 1076COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4142647125.0000000004800000.00000040.00000800.00020000.00000000.sdmp, Offset: 04800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4800000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8eab00c98529b73d21aa4efae2df34edb2301839ff3392e645088cd7004d33c3
Instruction ID: e170b597f8718446e6b102de0b87d463499c9cb77fd9e5a3fdf55f54aea407e0
Opcode Fuzzy Hash: 8eab00c98529b73d21aa4efae2df34edb2301839ff3392e645088cd7004d33c3
Instruction Fuzzy Hash: 1192C5707101648BDF256B29DD14BA937A7AB4D308F00846B9489D77E8CB389DD9FFA0

Function 048084DD Relevance: 1.1, Instructions: 1075COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4142647125.0000000004800000.00000040.00000800.00020000.00000000.sdmp, Offset: 04800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4800000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e095cc7efdf43b8daa138c10b0214c0340e43e62105a6ee6bf36e40d88f3ff1
Instruction ID: c38bf962dd1a4e7cc31818e8b97ea7140891257fe6289448f2078188909d62ba
Opcode Fuzzy Hash: 8e095cc7efdf43b8daa138c10b0214c0340e43e62105a6ee6bf36e40d88f3ff1
Instruction Fuzzy Hash: 8C92C5707101648BDF256B29DD14BA937E7AB4D308F00846B9489D77A8CB389DD9FFA0

Function 04809A20 Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4142647125.0000000004800000.00000040.00000800.00020000.00000000.sdmp, Offset: 04800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4800000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94aac4779161f3fc2a10947c1c9367f60fdfffee2ea802f7b2f0a750a41a384f
Instruction ID: 1df9e2cca9f5b3f40761f0436ec2d532909a18b98e7b189f2bc0f688a5aefda5
Opcode Fuzzy Hash: 94aac4779161f3fc2a10947c1c9367f60fdfffee2ea802f7b2f0a750a41a384f
Instruction Fuzzy Hash: 6CD18270F00214DFCB0DEFB5E85195D77B6AF48248B608529E4129B3B9DF39AC46DB90

Function 04809B25 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4142647125.0000000004800000.00000040.00000800.00020000.00000000.sdmp, Offset: 04800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4800000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b58d51e26a0b924496ef1fd35a41f7e347646078d7fea368cfdf3ba416887e23
Instruction ID: 08b1481e7b64a09053f2d66c3eedb5fd5b1c41fb58ba7e958630eb9c8b8e57da
Opcode Fuzzy Hash: b58d51e26a0b924496ef1fd35a41f7e347646078d7fea368cfdf3ba416887e23
Instruction Fuzzy Hash: 2F917F74F00214DFCB0DAFB5E85195D73B2AF88248B608529E4129B3B8DF39AC56DF90

Function 04809B83 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4142647125.0000000004800000.00000040.00000800.00020000.00000000.sdmp, Offset: 04800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4800000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f9deb386cc21b41f6ed5f6f53f0f97c5d09018e57721209d8b4d32865bbae13
Instruction ID: 2f32bbf49f7988beb7a6005e6c0be5ac999c032cfd461026a744b0ddd2ea1c3b
Opcode Fuzzy Hash: 9f9deb386cc21b41f6ed5f6f53f0f97c5d09018e57721209d8b4d32865bbae13
Instruction Fuzzy Hash: B8918E74F00214DFCB0DAF75E85195D73B2AF88308B608529E4129B3B8DF39AC56EB90

Function 04809BD3 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4142647125.0000000004800000.00000040.00000800.00020000.00000000.sdmp, Offset: 04800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4800000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d865f6bebcb15722b83fc486e4afb24d0d535e388a6c53342e332e61fb819a8e
Instruction ID: d0da7963b48bcec1aea21a75ca76d67918cb7b62c7b5a821fb62b08325b08591
Opcode Fuzzy Hash: d865f6bebcb15722b83fc486e4afb24d0d535e388a6c53342e332e61fb819a8e
Instruction Fuzzy Hash: EE818E74B00214DFCB1DAF75E85196D73B2AF88308B608529E4159B3B8DF39AC56EF90

Function 04803DC4 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4142647125.0000000004800000.00000040.00000800.00020000.00000000.sdmp, Offset: 04800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4800000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b9c540e17a62046f886d1bb34e6679a849d477d24d17d23674327648cd24cb3
Instruction ID: 6dd978216dcef09b83eba167d885aed24c8e607fdeecd94f22cb47bc1a5002b2
Opcode Fuzzy Hash: 1b9c540e17a62046f886d1bb34e6679a849d477d24d17d23674327648cd24cb3
Instruction Fuzzy Hash: CDA1E874A00228CFCB29EF74D985AECB7B2FB48308F5045A9D9099B364DB355E86DF50

Function 0480839E Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4142647125.0000000004800000.00000040.00000800.00020000.00000000.sdmp, Offset: 04800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4800000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5043dc3e9dbd3672220f8ae0663bf1c511bbe7fbd1cf973956499b6bfdc60849
Instruction ID: 2b522be1a58ba66ed39072f2162321cd18260ad8951136ecd51ed0c24fbdcd0d
Opcode Fuzzy Hash: 5043dc3e9dbd3672220f8ae0663bf1c511bbe7fbd1cf973956499b6bfdc60849
Instruction Fuzzy Hash: 9241D3307106118FDB68BB35DC017A932A6AF84354F58CA64D451DB2E5EF38EA86DB60

Function 048002C0 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4142647125.0000000004800000.00000040.00000800.00020000.00000000.sdmp, Offset: 04800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4800000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca660bd3064c18cccf87fb5fe75067e23742e621317a14e84213e9601f18b0aa
Instruction ID: 04a80f75fdd96b8eba7f0f310a19e73586585eafc7db56b5bb422e199b573f4e
Opcode Fuzzy Hash: ca660bd3064c18cccf87fb5fe75067e23742e621317a14e84213e9601f18b0aa
Instruction Fuzzy Hash: 1231C630B002114FC754BB78D811BAE33AA9B89218F50883AD505DB7E9DF7CAD4AD7D1

Function 0480A320 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4142647125.0000000004800000.00000040.00000800.00020000.00000000.sdmp, Offset: 04800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4800000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a3be9fc37ec578a0b23238e60a4ee519f332fb5c6fa91aa22bbd7b631a2ed24
Instruction ID: b0b7d1463fe9ca5ae80e0792b2193dfe0bc44da5d406c5a443fc387edc556182
Opcode Fuzzy Hash: 7a3be9fc37ec578a0b23238e60a4ee519f332fb5c6fa91aa22bbd7b631a2ed24
Instruction Fuzzy Hash: 5D31D334B102059FDB18CF39D858BAEBBF6AF88204F148539E405EB7E1DB74A9058B91

Function 04800007 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4142647125.0000000004800000.00000040.00000800.00020000.00000000.sdmp, Offset: 04800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4800000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12ec97ef569397a842e7d83fe6a00a6b583b1c1d4ab47178ef09f770866602c8
Instruction ID: fbf31898b9f29e3803cf5399ffd988af05b2f4c8baff71718521a43c295154e8
Opcode Fuzzy Hash: 12ec97ef569397a842e7d83fe6a00a6b583b1c1d4ab47178ef09f770866602c8
Instruction Fuzzy Hash: 7F11B3A584E7C04FD3139334AC25B513FB45B17209F4E45DBC480CE1E7D6AC590AD762

Function 048000A8 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4142647125.0000000004800000.00000040.00000800.00020000.00000000.sdmp, Offset: 04800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4800000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5451a3bf6683748a7409ac0eb936114bbeee82f0051f5157a60fc6917864ebf6
Instruction ID: ae1500a585906c5801848257a0a05e8470c87f7676df5a8a9835771b6cb34d2a
Opcode Fuzzy Hash: 5451a3bf6683748a7409ac0eb936114bbeee82f0051f5157a60fc6917864ebf6
Instruction Fuzzy Hash: E9F0C231A00304ABEB08EFB0DC02B6E7BB6EF82624F1086AEE145DB1D1DA765841C780

Function 0480A2DF Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4142647125.0000000004800000.00000040.00000800.00020000.00000000.sdmp, Offset: 04800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4800000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bab07e25082e1a1550d557c5518b8f0c56c3f11191e502b1a56e68757b265f5
Instruction ID: 159822c1a4c88e03dde452bd92714afe31fbbe5892fb49d1abc61329697edae3
Opcode Fuzzy Hash: 0bab07e25082e1a1550d557c5518b8f0c56c3f11191e502b1a56e68757b265f5
Instruction Fuzzy Hash: E1E0CD7050E3445FCB469BB46C560FC7FB48A1311070046E7D845C3593D8651D868343

Function 048041F8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4142647125.0000000004800000.00000040.00000800.00020000.00000000.sdmp, Offset: 04800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4800000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2df31303fc8397cda169255e454ecae18353d2f0b02f8b00ff0beb2e9a736ac4
Instruction ID: 1af68f7b0614a822b0aa75a87a14afcbc74809817019392c8c7d40e14199f2ca
Opcode Fuzzy Hash: 2df31303fc8397cda169255e454ecae18353d2f0b02f8b00ff0beb2e9a736ac4
Instruction Fuzzy Hash: 2DE08670A5A2849FCB41CF78AD118D97FF49B1321470141DBD445D76A2EA711E09CB12

Function 04803010 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4142647125.0000000004800000.00000040.00000800.00020000.00000000.sdmp, Offset: 04800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4800000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae3e6c2549cbacb65bc8fb0ec1bed2ff30438cf3d9f04f0b0c4021636b90f6d0
Instruction ID: e9d1df8226c1e384946f8fe0a38409cc5c3af319d0fe66226a85e3b0c778ee3d
Opcode Fuzzy Hash: ae3e6c2549cbacb65bc8fb0ec1bed2ff30438cf3d9f04f0b0c4021636b90f6d0
Instruction Fuzzy Hash: 36E012342193948FC71A277894288293FB6AF8710935908FFD5894B266DF3AD442CB51

Function 005F23F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4139859566.00000000005F2000.00000040.00000800.00020000.00000000.sdmp, Offset: 005F2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5f2000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff95c5f9c6fc36238700698eb9b01726c32dbe9d5523951b0a8d082863542586
Instruction ID: 7b472b42a87cd6ae24875edb92e658df286feb550c0a5cdf743cdb6f4ee605c6
Opcode Fuzzy Hash: ff95c5f9c6fc36238700698eb9b01726c32dbe9d5523951b0a8d082863542586
Instruction Fuzzy Hash: 49D02EB92006C04FD7238A0CC2A8FA53BD4BB40708F4A04FAA800CB763C7ACD880C200

Function 005F23BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4139859566.00000000005F2000.00000040.00000800.00020000.00000000.sdmp, Offset: 005F2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5f2000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaaae0fa311ad4c86f859423541cf0c72a3bc5d13c222dab4552ca4420fbc387
Instruction ID: 380c36a2314e3a6a892535ccbcae8bdb4fd1b2fc90d4930acf3c73cb152d917b
Opcode Fuzzy Hash: aaaae0fa311ad4c86f859423541cf0c72a3bc5d13c222dab4552ca4420fbc387
Instruction Fuzzy Hash: 66D05EB42006854FC725DA0CC2D4F693BD4BF40714F0648E8AC108B7A6C7ACD8C4DA00

Function 04804208 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4142647125.0000000004800000.00000040.00000800.00020000.00000000.sdmp, Offset: 04800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4800000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea90b9626cc5bbcb5a260b43ece43e6eb9405b80655b87a7ca4c5b4e7068a24
Instruction ID: 0da392dcd333ee26bba9c71b9425549e57eeb1cc7eca049a3fdca91428b79237
Opcode Fuzzy Hash: bea90b9626cc5bbcb5a260b43ece43e6eb9405b80655b87a7ca4c5b4e7068a24
Instruction Fuzzy Hash: D6D0C971A15208EF8B44EFA8DD4589EB7F9EB46215B1041AAA809D3750EE325E04DB81

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report L363rVr7oL.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Njrat

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Notepad.exe

C:\Program Files (x86)\Explower.exe

C:\Users\user\AppData\Local\Explower.exe

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Explower.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\L363rVr7oL.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Microsoft Corporation.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\a4d560bc8f8d17c6ed1c6a55f7fdc2b2Windows Update.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\History\Explower.exe

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Explower.exe

C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Explower.exe

C:\Users\user\AppData\Local\Temp\server.exe

Windows Analysis Report
L363rVr7oL.exe