Edit tour

Windows Analysis Report
gReXLT7XjR.exe

Overview

General Information

Sample name:	gReXLT7XjR.exe renamed because original name is a hash value
Original sample name:	4951d592fac59ef8005596d2af5d116b.exe
Analysis ID:	1580723
MD5:	4951d592fac59ef8005596d2af5d116b
SHA1:	536ab7195afefb6c8947a86b10adb8d0461f7115
SHA256:	ef022f571bbe78532cc1d1d09689470933f629f5e3775929f8926d7b51e6f122
Tags:	exenjratRATuser-abuse_ch
Infos:

Detection

Njrat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Njrat

.NET source code contains potential unpacker

AI detected suspicious sample

Connects to many ports of the same IP (likely port scanning)

Contains functionality to disable the Task Manager (.Net Source)

Contains functionality to spread to USB devices (.Net source)

Disables the Windows task manager (taskmgr)

Disables zone checking for all users

Drops PE files to the startup folder

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies the windows firewall

Uses netsh to modify the Windows network and firewall settings

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to call native functions

Contains functionality to detect virtual machines (SLDT)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May infect USB drives

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

gReXLT7XjR.exe (PID: 7496 cmdline: "C:\Users\user\Desktop\gReXLT7XjR.exe" MD5: 4951D592FAC59EF8005596D2AF5D116B)

server.exe (PID: 7564 cmdline: "C:\Windows\server.exe" MD5: 4951D592FAC59EF8005596D2AF5D116B)

netsh.exe (PID: 7636 cmdline: netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

conhost.exe (PID: 7644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 7724 cmdline: netsh firewall delete allowedprogram "C:\Windows\server.exe" MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

conhost.exe (PID: 7744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 7732 cmdline: netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

conhost.exe (PID: 7752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

445c7762b8f06a76352fcac2e22df159Windows Update.exe (PID: 7932 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe" MD5: 4951D592FAC59EF8005596D2AF5D116B)

445c7762b8f06a76352fcac2e22df159Windows Update.exe (PID: 7996 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe" MD5: 4951D592FAC59EF8005596D2AF5D116B)

DeadMom.exe (PID: 8152 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe" MD5: 4951D592FAC59EF8005596D2AF5D116B)

Microsoft Corporation.exe (PID: 4544 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe" MD5: 4951D592FAC59EF8005596D2AF5D116B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
NjRAT	RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.	AQUATIC PANDA Earth Lusca Operation C-Major The Gorgon Group	http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/ http://blogs.360.cn/post/analysis-of-apt-c-37.html http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/ https://asec.ahnlab.com/1369	https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Malware Configuration

Threatname: Njrat

{"Campaign ID": "HacKed", "Version": "0.7d", "Install Name": "445c7762b8f06a76352fcac2e22df159", "Install Dir": "Kaspersky Anti-Virus Flash", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Network Seprator": "|'|'|"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
gReXLT7XjR.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
gReXLT7XjR.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x115d2:$a1: get_Registry 0x15a79:$a2: SEE_MASK_NOZONECHECKS 0x1571b:$a3: Download ERROR 0x15ccb:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13c58:$a5: netsh firewall delete allowedprogram "
gReXLT7XjR.exe	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x15ccb:$x1: cmd.exe /c ping 0 -n 2 & del " 0x137e4:$s1: winmgmts:\\.\root\SecurityCenter2 0x15739:$s3: Executed As 0x124f0:$s5: Stub.exe 0x1571b:$s6: Download ERROR 0x137a6:$s8: Select * From AntiVirusProduct
gReXLT7XjR.exe	crimeware_njrat_strings	Detects njRAT based on some strings	Sekoia.io	0x154bd:$: set cdaudio door closed 0x15481:$: set cdaudio door open 0x15ce1:$: ping 0 0x13412:$: [endof] 0x132cc:$: TiGeR-Firewall 0x132fa:$: NetSnifferCs 0x132b8:$: IPBlocker 0x13314:$: Sandboxie Control
gReXLT7XjR.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x15a79:$reg: SEE_MASK_NOZONECHECKS 0x156ff:$msg: Execute ERROR 0x15753:$msg: Execute ERROR 0x15ccb:$ping: cmd.exe /c ping 0 -n 2 & del
gReXLT7XjR.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c58:$s1: netsh firewall delete allowedprogram 0x13caa:$s2: netsh firewall add allowedprogram 0x15ccb:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ff:$s4: Execute ERROR 0x15753:$s4: Execute ERROR 0x1571b:$s5: Download ERROR
Click to see the 1 entries

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x115d2:$a1: get_Registry 0x15a79:$a2: SEE_MASK_NOZONECHECKS 0x1571b:$a3: Download ERROR 0x15ccb:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13c58:$a5: netsh firewall delete allowedprogram "
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x15ccb:$x1: cmd.exe /c ping 0 -n 2 & del " 0x137e4:$s1: winmgmts:\\.\root\SecurityCenter2 0x15739:$s3: Executed As 0x124f0:$s5: Stub.exe 0x1571b:$s6: Download ERROR 0x137a6:$s8: Select * From AntiVirusProduct
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	crimeware_njrat_strings	Detects njRAT based on some strings	Sekoia.io	0x154bd:$: set cdaudio door closed 0x15481:$: set cdaudio door open 0x15ce1:$: ping 0 0x13412:$: [endof] 0x132cc:$: TiGeR-Firewall 0x132fa:$: NetSnifferCs 0x132b8:$: IPBlocker 0x13314:$: Sandboxie Control
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x15a79:$reg: SEE_MASK_NOZONECHECKS 0x156ff:$msg: Execute ERROR 0x15753:$msg: Execute ERROR 0x15ccb:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c58:$s1: netsh firewall delete allowedprogram 0x13caa:$s2: netsh firewall add allowedprogram 0x15ccb:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ff:$s4: Execute ERROR 0x15753:$s4: Execute ERROR 0x1571b:$s5: Download ERROR
C:\Users\user\AppData\Local\DeadMom.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Users\user\AppData\Local\DeadMom.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x115d2:$a1: get_Registry 0x15a79:$a2: SEE_MASK_NOZONECHECKS 0x1571b:$a3: Download ERROR 0x15ccb:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13c58:$a5: netsh firewall delete allowedprogram "
C:\Users\user\AppData\Local\DeadMom.exe	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x15ccb:$x1: cmd.exe /c ping 0 -n 2 & del " 0x137e4:$s1: winmgmts:\\.\root\SecurityCenter2 0x15739:$s3: Executed As 0x124f0:$s5: Stub.exe 0x1571b:$s6: Download ERROR 0x137a6:$s8: Select * From AntiVirusProduct
C:\Users\user\AppData\Local\DeadMom.exe	crimeware_njrat_strings	Detects njRAT based on some strings	Sekoia.io	0x154bd:$: set cdaudio door closed 0x15481:$: set cdaudio door open 0x15ce1:$: ping 0 0x13412:$: [endof] 0x132cc:$: TiGeR-Firewall 0x132fa:$: NetSnifferCs 0x132b8:$: IPBlocker 0x13314:$: Sandboxie Control
C:\Users\user\AppData\Local\DeadMom.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x15a79:$reg: SEE_MASK_NOZONECHECKS 0x156ff:$msg: Execute ERROR 0x15753:$msg: Execute ERROR 0x15ccb:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Users\user\AppData\Local\DeadMom.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c58:$s1: netsh firewall delete allowedprogram 0x13caa:$s2: netsh firewall add allowedprogram 0x15ccb:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ff:$s4: Execute ERROR 0x15753:$s4: Execute ERROR 0x1571b:$s5: Download ERROR
C:\Users\user\AppData\Local\DeadMom.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c58:$s1: netsh firewall delete allowedprogram 0x13caa:$s2: netsh firewall add allowedprogram 0x15ccb:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ff:$s4: Execute ERROR 0x15753:$s4: Execute ERROR 0x1571b:$s5: Download ERROR
C:\Users\user\AppData\Local\DeadMom.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c58:$s1: netsh firewall delete allowedprogram 0x13caa:$s2: netsh firewall add allowedprogram 0x15ccb:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ff:$s4: Execute ERROR 0x15753:$s4: Execute ERROR 0x1571b:$s5: Download ERROR
C:\Users\user\AppData\Local\DeadMom.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c58:$s1: netsh firewall delete allowedprogram 0x13caa:$s2: netsh firewall add allowedprogram 0x15ccb:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ff:$s4: Execute ERROR 0x15753:$s4: Execute ERROR 0x1571b:$s5: Download ERROR
C:\Users\user\AppData\Local\DeadMom.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c58:$s1: netsh firewall delete allowedprogram 0x13caa:$s2: netsh firewall add allowedprogram 0x15ccb:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ff:$s4: Execute ERROR 0x15753:$s4: Execute ERROR 0x1571b:$s5: Download ERROR
C:\Users\user\AppData\Local\DeadMom.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c58:$s1: netsh firewall delete allowedprogram 0x13caa:$s2: netsh firewall add allowedprogram 0x15ccb:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ff:$s4: Execute ERROR 0x15753:$s4: Execute ERROR 0x1571b:$s5: Download ERROR
C:\Users\user\AppData\Local\DeadMom.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c58:$s1: netsh firewall delete allowedprogram 0x13caa:$s2: netsh firewall add allowedprogram 0x15ccb:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ff:$s4: Execute ERROR 0x15753:$s4: Execute ERROR 0x1571b:$s5: Download ERROR
C:\Users\user\AppData\Local\DeadMom.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c58:$s1: netsh firewall delete allowedprogram 0x13caa:$s2: netsh firewall add allowedprogram 0x15ccb:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ff:$s4: Execute ERROR 0x15753:$s4: Execute ERROR 0x1571b:$s5: Download ERROR
C:\Users\user\AppData\Local\DeadMom.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c58:$s1: netsh firewall delete allowedprogram 0x13caa:$s2: netsh firewall add allowedprogram 0x15ccb:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ff:$s4: Execute ERROR 0x15753:$s4: Execute ERROR 0x1571b:$s5: Download ERROR
C:\Users\user\AppData\Local\DeadMom.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c58:$s1: netsh firewall delete allowedprogram 0x13caa:$s2: netsh firewall add allowedprogram 0x15ccb:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ff:$s4: Execute ERROR 0x15753:$s4: Execute ERROR 0x1571b:$s5: Download ERROR
C:\Users\user\AppData\Local\DeadMom.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c58:$s1: netsh firewall delete allowedprogram 0x13caa:$s2: netsh firewall add allowedprogram 0x15ccb:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ff:$s4: Execute ERROR 0x15753:$s4: Execute ERROR 0x1571b:$s5: Download ERROR
C:\Users\user\AppData\Local\DeadMom.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c58:$s1: netsh firewall delete allowedprogram 0x13caa:$s2: netsh firewall add allowedprogram 0x15ccb:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ff:$s4: Execute ERROR 0x15753:$s4: Execute ERROR 0x1571b:$s5: Download ERROR
C:\Users\user\AppData\Local\DeadMom.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c58:$s1: netsh firewall delete allowedprogram 0x13caa:$s2: netsh firewall add allowedprogram 0x15ccb:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ff:$s4: Execute ERROR 0x15753:$s4: Execute ERROR 0x1571b:$s5: Download ERROR
C:\Users\user\AppData\Local\DeadMom.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c58:$s1: netsh firewall delete allowedprogram 0x13caa:$s2: netsh firewall add allowedprogram 0x15ccb:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ff:$s4: Execute ERROR 0x15753:$s4: Execute ERROR 0x1571b:$s5: Download ERROR
C:\Users\user\AppData\Local\DeadMom.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c58:$s1: netsh firewall delete allowedprogram 0x13caa:$s2: netsh firewall add allowedprogram 0x15ccb:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ff:$s4: Execute ERROR 0x15753:$s4: Execute ERROR 0x1571b:$s5: Download ERROR
C:\Users\user\AppData\Local\DeadMom.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c58:$s1: netsh firewall delete allowedprogram 0x13caa:$s2: netsh firewall add allowedprogram 0x15ccb:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ff:$s4: Execute ERROR 0x15753:$s4: Execute ERROR 0x1571b:$s5: Download ERROR
C:\Users\user\AppData\Local\DeadMom.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c58:$s1: netsh firewall delete allowedprogram 0x13caa:$s2: netsh firewall add allowedprogram 0x15ccb:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ff:$s4: Execute ERROR 0x15753:$s4: Execute ERROR 0x1571b:$s5: Download ERROR
C:\Users\user\AppData\Local\DeadMom.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c58:$s1: netsh firewall delete allowedprogram 0x13caa:$s2: netsh firewall add allowedprogram 0x15ccb:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ff:$s4: Execute ERROR 0x15753:$s4: Execute ERROR 0x1571b:$s5: Download ERROR
C:\Users\user\AppData\Local\DeadMom.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c58:$s1: netsh firewall delete allowedprogram 0x13caa:$s2: netsh firewall add allowedprogram 0x15ccb:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ff:$s4: Execute ERROR 0x15753:$s4: Execute ERROR 0x1571b:$s5: Download ERROR
C:\Windows\server.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Windows\server.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x115d2:$a1: get_Registry 0x15a79:$a2: SEE_MASK_NOZONECHECKS 0x1571b:$a3: Download ERROR 0x15ccb:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13c58:$a5: netsh firewall delete allowedprogram "
C:\Windows\server.exe	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x15ccb:$x1: cmd.exe /c ping 0 -n 2 & del " 0x137e4:$s1: winmgmts:\\.\root\SecurityCenter2 0x15739:$s3: Executed As 0x124f0:$s5: Stub.exe 0x1571b:$s6: Download ERROR 0x137a6:$s8: Select * From AntiVirusProduct
C:\Windows\server.exe	crimeware_njrat_strings	Detects njRAT based on some strings	Sekoia.io	0x154bd:$: set cdaudio door closed 0x15481:$: set cdaudio door open 0x15ce1:$: ping 0 0x13412:$: [endof] 0x132cc:$: TiGeR-Firewall 0x132fa:$: NetSnifferCs 0x132b8:$: IPBlocker 0x13314:$: Sandboxie Control
C:\Windows\server.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x15a79:$reg: SEE_MASK_NOZONECHECKS 0x156ff:$msg: Execute ERROR 0x15753:$msg: Execute ERROR 0x15ccb:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Windows\server.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c58:$s1: netsh firewall delete allowedprogram 0x13caa:$s2: netsh firewall add allowedprogram 0x15ccb:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ff:$s4: Execute ERROR 0x15753:$s4: Execute ERROR 0x1571b:$s5: Download ERROR
C:\Kaspersky Anti-Virus Flash.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Kaspersky Anti-Virus Flash.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x115d2:$a1: get_Registry 0x15a79:$a2: SEE_MASK_NOZONECHECKS 0x1571b:$a3: Download ERROR 0x15ccb:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13c58:$a5: netsh firewall delete allowedprogram "
C:\Kaspersky Anti-Virus Flash.exe	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x15ccb:$x1: cmd.exe /c ping 0 -n 2 & del " 0x137e4:$s1: winmgmts:\\.\root\SecurityCenter2 0x15739:$s3: Executed As 0x124f0:$s5: Stub.exe 0x1571b:$s6: Download ERROR 0x137a6:$s8: Select * From AntiVirusProduct
C:\Kaspersky Anti-Virus Flash.exe	crimeware_njrat_strings	Detects njRAT based on some strings	Sekoia.io	0x154bd:$: set cdaudio door closed 0x15481:$: set cdaudio door open 0x15ce1:$: ping 0 0x13412:$: [endof] 0x132cc:$: TiGeR-Firewall 0x132fa:$: NetSnifferCs 0x132b8:$: IPBlocker 0x13314:$: Sandboxie Control
C:\Kaspersky Anti-Virus Flash.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x13caa:$marker4: netsh firewall add allowedprogram 0x13c58:$marker25: netsh firewall delete allowedprogram " 0x13748:$marker29: SGFjS2Vk 0x15f8f:$key5: [PrintScreen] 0x15cdb:$del3: /c ping 0 -n 2 & del 0x137a6:$sup2: Select * From AntiVirusProduct 0x1362e:$sup3: Software\Microsoft\Windows\CurrentVersion\Run 0x136ec:$sup3: Software\Microsoft\Windows\CurrentVersion\Run 0x14304:$sup3: Software\Microsoft\Windows\CurrentVersion\Run 0x14388:$sup3: Software\Microsoft\Windows\CurrentVersion\Run 0x14ec8:$sup5: SOFTWARE\Microsoft\Windows NT\CurrentVersion 0x1511a:$sup5: SOFTWARE\Microsoft\Windows NT\CurrentVersion 0x156ff:$msg5: Execute ERROR 0x15753:$msg5: Execute ERROR 0x1571b:$msg6: Download ERROR 0x157d1:$msg7: Update ERROR 0x1580b:$msg7: Update ERROR 0x157eb:$msg8: Updating To 0x15a79:$reg1: SEE_MASK_NOZONECHECKS
C:\Kaspersky Anti-Virus Flash.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x13caa:$marker4: netsh firewall add allowedprogram 0x13c58:$marker25: netsh firewall delete allowedprogram " 0x13748:$marker29: SGFjS2Vk 0x15f8f:$key5: [PrintScreen] 0x15cdb:$del3: /c ping 0 -n 2 & del 0x137a6:$sup2: Select * From AntiVirusProduct 0x1362e:$sup3: Software\Microsoft\Windows\CurrentVersion\Run 0x136ec:$sup3: Software\Microsoft\Windows\CurrentVersion\Run 0x14304:$sup3: Software\Microsoft\Windows\CurrentVersion\Run 0x14388:$sup3: Software\Microsoft\Windows\CurrentVersion\Run 0x14ec8:$sup5: SOFTWARE\Microsoft\Windows NT\CurrentVersion 0x1511a:$sup5: SOFTWARE\Microsoft\Windows NT\CurrentVersion 0x156ff:$msg5: Execute ERROR 0x15753:$msg5: Execute ERROR 0x1571b:$msg6: Download ERROR 0x157d1:$msg7: Update ERROR 0x1580b:$msg7: Update ERROR 0x157eb:$msg8: Updating To 0x15a79:$reg1: SEE_MASK_NOZONECHECKS
C:\Kaspersky Anti-Virus Flash.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c58:$s1: netsh firewall delete allowedprogram 0x13caa:$s2: netsh firewall add allowedprogram 0x15ccb:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ff:$s4: Execute ERROR 0x15753:$s4: Execute ERROR 0x1571b:$s5: Download ERROR
C:\Kaspersky Anti-Virus Flash.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c58:$s1: netsh firewall delete allowedprogram 0x13caa:$s2: netsh firewall add allowedprogram 0x15ccb:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ff:$s4: Execute ERROR 0x15753:$s4: Execute ERROR 0x1571b:$s5: Download ERROR
C:\Kaspersky Anti-Virus Flash.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c58:$s1: netsh firewall delete allowedprogram 0x13caa:$s2: netsh firewall add allowedprogram 0x15ccb:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ff:$s4: Execute ERROR 0x15753:$s4: Execute ERROR 0x1571b:$s5: Download ERROR
C:\Kaspersky Anti-Virus Flash.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c58:$s1: netsh firewall delete allowedprogram 0x13caa:$s2: netsh firewall add allowedprogram 0x15ccb:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ff:$s4: Execute ERROR 0x15753:$s4: Execute ERROR 0x1571b:$s5: Download ERROR
C:\Kaspersky Anti-Virus Flash.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c58:$s1: netsh firewall delete allowedprogram 0x13caa:$s2: netsh firewall add allowedprogram 0x15ccb:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ff:$s4: Execute ERROR 0x15753:$s4: Execute ERROR 0x1571b:$s5: Download ERROR
C:\Kaspersky Anti-Virus Flash.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c58:$s1: netsh firewall delete allowedprogram 0x13caa:$s2: netsh firewall add allowedprogram 0x15ccb:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ff:$s4: Execute ERROR 0x15753:$s4: Execute ERROR 0x1571b:$s5: Download ERROR
C:\Kaspersky Anti-Virus Flash.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c58:$s1: netsh firewall delete allowedprogram 0x13caa:$s2: netsh firewall add allowedprogram 0x15ccb:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ff:$s4: Execute ERROR 0x15753:$s4: Execute ERROR 0x1571b:$s5: Download ERROR
C:\Kaspersky Anti-Virus Flash.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c58:$s1: netsh firewall delete allowedprogram 0x13caa:$s2: netsh firewall add allowedprogram 0x15ccb:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ff:$s4: Execute ERROR 0x15753:$s4: Execute ERROR 0x1571b:$s5: Download ERROR
C:\Kaspersky Anti-Virus Flash.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c58:$s1: netsh firewall delete allowedprogram 0x13caa:$s2: netsh firewall add allowedprogram 0x15ccb:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ff:$s4: Execute ERROR 0x15753:$s4: Execute ERROR 0x1571b:$s5: Download ERROR
C:\Kaspersky Anti-Virus Flash.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c58:$s1: netsh firewall delete allowedprogram 0x13caa:$s2: netsh firewall add allowedprogram 0x15ccb:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ff:$s4: Execute ERROR 0x15753:$s4: Execute ERROR 0x1571b:$s5: Download ERROR
C:\Kaspersky Anti-Virus Flash.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c58:$s1: netsh firewall delete allowedprogram 0x13caa:$s2: netsh firewall add allowedprogram 0x15ccb:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ff:$s4: Execute ERROR 0x15753:$s4: Execute ERROR 0x1571b:$s5: Download ERROR
C:\Kaspersky Anti-Virus Flash.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c58:$s1: netsh firewall delete allowedprogram 0x13caa:$s2: netsh firewall add allowedprogram 0x15ccb:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ff:$s4: Execute ERROR 0x15753:$s4: Execute ERROR 0x1571b:$s5: Download ERROR
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x115d2:$a1: get_Registry 0x15a79:$a2: SEE_MASK_NOZONECHECKS 0x1571b:$a3: Download ERROR 0x15ccb:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13c58:$a5: netsh firewall delete allowedprogram "
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x15ccb:$x1: cmd.exe /c ping 0 -n 2 & del " 0x137e4:$s1: winmgmts:\\.\root\SecurityCenter2 0x15739:$s3: Executed As 0x124f0:$s5: Stub.exe 0x1571b:$s6: Download ERROR 0x137a6:$s8: Select * From AntiVirusProduct
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	crimeware_njrat_strings	Detects njRAT based on some strings	Sekoia.io	0x13caa:$marker4: netsh firewall add allowedprogram 0x13c58:$marker25: netsh firewall delete allowedprogram " 0x13748:$marker29: SGFjS2Vk 0x15f8f:$key5: [PrintScreen] 0x15cdb:$del3: /c ping 0 -n 2 & del 0x137a6:$sup2: Select * From AntiVirusProduct 0x1362e:$sup3: Software\Microsoft\Windows\CurrentVersion\Run 0x136ec:$sup3: Software\Microsoft\Windows\CurrentVersion\Run 0x14304:$sup3: Software\Microsoft\Windows\CurrentVersion\Run 0x14388:$sup3: Software\Microsoft\Windows\CurrentVersion\Run 0x14ec8:$sup5: SOFTWARE\Microsoft\Windows NT\CurrentVersion 0x1511a:$sup5: SOFTWARE\Microsoft\Windows NT\CurrentVersion 0x156ff:$msg5: Execute ERROR 0x15753:$msg5: Execute ERROR 0x1571b:$msg6: Download ERROR 0x157d1:$msg7: Update ERROR 0x1580b:$msg7: Update ERROR 0x157eb:$msg8: Updating To 0x15a79:$reg1: SEE_MASK_NOZONECHECKS
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	crimeware_njrat_strings	Detects njRAT based on some strings	Sekoia.io	0x13caa:$marker4: netsh firewall add allowedprogram 0x13c58:$marker25: netsh firewall delete allowedprogram " 0x13748:$marker29: SGFjS2Vk 0x15f8f:$key5: [PrintScreen] 0x15cdb:$del3: /c ping 0 -n 2 & del 0x137a6:$sup2: Select * From AntiVirusProduct 0x1362e:$sup3: Software\Microsoft\Windows\CurrentVersion\Run 0x136ec:$sup3: Software\Microsoft\Windows\CurrentVersion\Run 0x14304:$sup3: Software\Microsoft\Windows\CurrentVersion\Run 0x14388:$sup3: Software\Microsoft\Windows\CurrentVersion\Run 0x14ec8:$sup5: SOFTWARE\Microsoft\Windows NT\CurrentVersion 0x1511a:$sup5: SOFTWARE\Microsoft\Windows NT\CurrentVersion 0x156ff:$msg5: Execute ERROR 0x15753:$msg5: Execute ERROR 0x1571b:$msg6: Download ERROR 0x157d1:$msg7: Update ERROR 0x1580b:$msg7: Update ERROR 0x157eb:$msg8: Updating To 0x15a79:$reg1: SEE_MASK_NOZONECHECKS
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x15a79:$reg: SEE_MASK_NOZONECHECKS 0x156ff:$msg: Execute ERROR 0x15753:$msg: Execute ERROR 0x15ccb:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c58:$s1: netsh firewall delete allowedprogram 0x13caa:$s2: netsh firewall add allowedprogram 0x15ccb:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ff:$s4: Execute ERROR 0x15753:$s4: Execute ERROR 0x1571b:$s5: Download ERROR
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c58:$s1: netsh firewall delete allowedprogram 0x13caa:$s2: netsh firewall add allowedprogram 0x15ccb:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ff:$s4: Execute ERROR 0x15753:$s4: Execute ERROR 0x1571b:$s5: Download ERROR
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c58:$s1: netsh firewall delete allowedprogram 0x13caa:$s2: netsh firewall add allowedprogram 0x15ccb:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ff:$s4: Execute ERROR 0x15753:$s4: Execute ERROR 0x1571b:$s5: Download ERROR
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c58:$s1: netsh firewall delete allowedprogram 0x13caa:$s2: netsh firewall add allowedprogram 0x15ccb:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ff:$s4: Execute ERROR 0x15753:$s4: Execute ERROR 0x1571b:$s5: Download ERROR
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c58:$s1: netsh firewall delete allowedprogram 0x13caa:$s2: netsh firewall add allowedprogram 0x15ccb:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ff:$s4: Execute ERROR 0x15753:$s4: Execute ERROR 0x1571b:$s5: Download ERROR
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c58:$s1: netsh firewall delete allowedprogram 0x13caa:$s2: netsh firewall add allowedprogram 0x15ccb:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ff:$s4: Execute ERROR 0x15753:$s4: Execute ERROR 0x1571b:$s5: Download ERROR
Click to see the 61 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1679600607.0000000003B08000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000002.1679600607.0000000003B08000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x115f2:$a1: get_Registry 0x15a99:$a2: SEE_MASK_NOZONECHECKS 0x1573b:$a3: Download ERROR 0x15ceb:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13c78:$a5: netsh firewall delete allowedprogram "
00000000.00000002.1679600607.0000000003B08000.00000004.00000800.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x15a99:$reg: SEE_MASK_NOZONECHECKS 0x1571f:$msg: Execute ERROR 0x15773:$msg: Execute ERROR 0x15ceb:$ping: cmd.exe /c ping 0 -n 2 & del
00000000.00000000.1661776984.0000000000512000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000000.1661776984.0000000000512000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x113d2:$a1: get_Registry 0x15879:$a2: SEE_MASK_NOZONECHECKS 0x1551b:$a3: Download ERROR 0x15acb:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13a58:$a5: netsh firewall delete allowedprogram "
00000000.00000000.1661776984.0000000000512000.00000002.00000001.01000000.00000003.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x15879:$reg: SEE_MASK_NOZONECHECKS 0x154ff:$msg: Execute ERROR 0x15553:$msg: Execute ERROR 0x15acb:$ping: cmd.exe /c ping 0 -n 2 & del
00000001.00000002.4112787916.00000000034F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: gReXLT7XjR.exe PID: 7496	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: server.exe PID: 7564	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: 445c7762b8f06a76352fcac2e22df159Windows Update.exe PID: 7996	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: DeadMom.exe PID: 8152	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Microsoft Corporation.exe PID: 4544	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.gReXLT7XjR.exe.510000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.0.gReXLT7XjR.exe.510000.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x115d2:$a1: get_Registry 0x15a79:$a2: SEE_MASK_NOZONECHECKS 0x1571b:$a3: Download ERROR 0x15ccb:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13c58:$a5: netsh firewall delete allowedprogram "
0.0.gReXLT7XjR.exe.510000.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x15ccb:$x1: cmd.exe /c ping 0 -n 2 & del " 0x137e4:$s1: winmgmts:\\.\root\SecurityCenter2 0x15739:$s3: Executed As 0x124f0:$s5: Stub.exe 0x1571b:$s6: Download ERROR 0x137a6:$s8: Select * From AntiVirusProduct
0.0.gReXLT7XjR.exe.510000.0.unpack	crimeware_njrat_strings	Detects njRAT based on some strings	Sekoia.io	0x154bd:$: set cdaudio door closed 0x15481:$: set cdaudio door open 0x15ce1:$: ping 0 0x13412:$: [endof] 0x132cc:$: TiGeR-Firewall 0x132fa:$: NetSnifferCs 0x132b8:$: IPBlocker 0x13314:$: Sandboxie Control
0.0.gReXLT7XjR.exe.510000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x15a79:$reg: SEE_MASK_NOZONECHECKS 0x156ff:$msg: Execute ERROR 0x15753:$msg: Execute ERROR 0x15ccb:$ping: cmd.exe /c ping 0 -n 2 & del
0.0.gReXLT7XjR.exe.510000.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c58:$s1: netsh firewall delete allowedprogram 0x13caa:$s2: netsh firewall add allowedprogram 0x15ccb:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ff:$s4: Execute ERROR 0x15753:$s4: Execute ERROR 0x1571b:$s5: Download ERROR
Click to see the 1 entries

Sigma Signatures

System Summary

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Windows\server.exe, ProcessId: 7564, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe

Suricata Signatures

ET MALWARE Bladabindi/njRAT CnC Command (ll)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-25T19:27:01.311411+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	49730	147.185.221.18	42876	TCP
2024-12-25T19:27:04.782030+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	49731	147.185.221.18	42876	TCP
2024-12-25T19:27:08.629357+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	49732	147.185.221.18	42876	TCP
2024-12-25T19:27:12.521222+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	49733	147.185.221.18	42876	TCP
2024-12-25T19:27:16.605337+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	49736	147.185.221.18	42876	TCP
2024-12-25T19:27:20.441669+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	49740	147.185.221.18	42876	TCP
2024-12-25T19:27:24.279456+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	49742	147.185.221.18	42876	TCP
2024-12-25T19:27:28.109295+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	49743	147.185.221.18	42876	TCP
2024-12-25T19:27:31.985928+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	49744	147.185.221.18	42876	TCP
2024-12-25T19:27:35.816452+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	49745	147.185.221.18	42876	TCP
2024-12-25T19:27:39.671891+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	49746	147.185.221.18	42876	TCP
2024-12-25T19:27:43.502795+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	49747	147.185.221.18	42876	TCP
2024-12-25T19:27:47.381066+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	49748	147.185.221.18	42876	TCP
2024-12-25T19:27:51.416703+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	49749	147.185.221.18	42876	TCP
2024-12-25T19:27:55.256662+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	49751	147.185.221.18	42876	TCP
2024-12-25T19:27:59.110643+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	49763	147.185.221.18	42876	TCP
2024-12-25T19:28:02.984793+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	49769	147.185.221.18	42876	TCP
2024-12-25T19:28:06.673988+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	49779	147.185.221.18	42876	TCP
2024-12-25T19:28:10.290338+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	49789	147.185.221.18	42876	TCP
2024-12-25T19:28:13.798520+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	49796	147.185.221.18	42876	TCP
2024-12-25T19:28:17.435879+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	49806	147.185.221.18	42876	TCP
2024-12-25T19:28:20.742541+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	49813	147.185.221.18	42876	TCP
2024-12-25T19:28:23.895442+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	49823	147.185.221.18	42876	TCP
2024-12-25T19:28:27.015106+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	49830	147.185.221.18	42876	TCP
2024-12-25T19:28:30.031254+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	49836	147.185.221.18	42876	TCP
2024-12-25T19:28:56.960211+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	49893	147.185.221.18	42876	TCP
2024-12-25T19:28:59.828732+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	49902	147.185.221.18	42876	TCP
2024-12-25T19:29:02.596571+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	49909	147.185.221.18	42876	TCP
2024-12-25T19:29:05.380948+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	49915	147.185.221.18	42876	TCP
2024-12-25T19:29:08.464794+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	49921	147.185.221.18	42876	TCP
2024-12-25T19:29:11.059281+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	49927	147.185.221.18	42876	TCP
2024-12-25T19:29:13.563423+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	49933	147.185.221.18	42876	TCP
2024-12-25T19:29:16.067195+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	49940	147.185.221.18	42876	TCP
2024-12-25T19:29:18.553373+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	49947	147.185.221.18	42876	TCP
2024-12-25T19:29:21.005336+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	49954	147.185.221.18	42876	TCP
2024-12-25T19:29:23.394832+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	49960	147.185.221.18	42876	TCP
2024-12-25T19:29:25.827890+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	49966	147.185.221.18	42876	TCP
2024-12-25T19:29:28.796450+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	49972	147.185.221.18	42876	TCP
2024-12-25T19:29:31.016652+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	49977	147.185.221.18	42876	TCP
2024-12-25T19:29:33.308343+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	49983	147.185.221.18	42876	TCP
2024-12-25T19:29:35.532168+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	49989	147.185.221.18	42876	TCP
2024-12-25T19:29:37.713030+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	49995	147.185.221.18	42876	TCP
2024-12-25T19:29:39.891898+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	50001	147.185.221.18	42876	TCP
2024-12-25T19:29:42.069274+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	50007	147.185.221.18	42876	TCP
2024-12-25T19:29:44.227018+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	50013	147.185.221.18	42876	TCP
2024-12-25T19:29:46.487974+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	50019	147.185.221.18	42876	TCP
2024-12-25T19:29:48.630910+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	50024	147.185.221.18	42876	TCP
2024-12-25T19:29:50.710170+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	50030	147.185.221.18	42876	TCP
2024-12-25T19:29:52.763223+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	50036	147.185.221.18	42876	TCP
2024-12-25T19:29:54.859952+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	50040	147.185.221.18	42876	TCP
2024-12-25T19:29:56.943978+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	50046	147.185.221.18	42876	TCP
2024-12-25T19:29:59.035178+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	50051	147.185.221.18	42876	TCP
2024-12-25T19:30:01.060620+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	50054	147.185.221.18	42876	TCP
2024-12-25T19:30:03.136417+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	50055	147.185.221.18	42876	TCP
2024-12-25T19:30:05.144405+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	50056	147.185.221.18	42876	TCP
2024-12-25T19:30:07.114444+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	50057	147.185.221.18	42876	TCP
2024-12-25T19:30:09.158428+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	50058	147.185.221.18	42876	TCP
2024-12-25T19:30:11.116363+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	50059	147.185.221.18	42876	TCP
2024-12-25T19:30:13.048197+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	50060	147.185.221.18	42876	TCP
2024-12-25T19:30:15.023097+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	50061	147.185.221.18	42876	TCP
2024-12-25T19:30:17.017306+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	50062	147.185.221.18	42876	TCP
2024-12-25T19:30:18.970100+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	50063	147.185.221.18	42876	TCP
2024-12-25T19:30:21.064635+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	50064	147.185.221.18	42876	TCP
2024-12-25T19:30:23.067903+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	50065	147.185.221.18	42876	TCP
2024-12-25T19:30:24.909726+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	50066	147.185.221.18	42876	TCP
2024-12-25T19:30:26.800683+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	50067	147.185.221.18	42876	TCP
2024-12-25T19:30:28.697052+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	50068	147.185.221.18	42876	TCP
2024-12-25T19:30:30.621315+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	50069	147.185.221.18	42876	TCP
2024-12-25T19:30:32.505468+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	50070	147.185.221.18	42876	TCP
2024-12-25T19:30:34.395945+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	50071	147.185.221.18	42876	TCP
2024-12-25T19:30:36.284419+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	50072	147.185.221.18	42876	TCP
2024-12-25T19:30:38.189590+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	50073	147.185.221.18	42876	TCP
2024-12-25T19:30:40.087676+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	50074	147.185.221.18	42876	TCP
2024-12-25T19:30:42.007971+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	50075	147.185.221.18	42876	TCP
2024-12-25T19:30:43.888278+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	50076	147.185.221.18	42876	TCP
2024-12-25T19:30:45.782984+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	50077	147.185.221.18	42876	TCP
2024-12-25T19:30:47.647823+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	50078	147.185.221.18	42876	TCP
2024-12-25T19:30:49.548519+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	50079	147.185.221.18	42876	TCP
2024-12-25T19:30:51.409873+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	50080	147.185.221.18	42876	TCP
2024-12-25T19:30:53.339640+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	50081	147.185.221.18	42876	TCP
2024-12-25T19:30:55.232783+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	50082	147.185.221.18	42876	TCP
2024-12-25T19:30:57.111374+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	50083	147.185.221.18	42876	TCP
2024-12-25T19:30:58.988654+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	50084	147.185.221.18	42876	TCP

ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-25T19:27:01.311411+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	49730	147.185.221.18	42876	TCP
2024-12-25T19:27:04.782030+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	49731	147.185.221.18	42876	TCP
2024-12-25T19:27:08.629357+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	49732	147.185.221.18	42876	TCP
2024-12-25T19:27:12.521222+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	49733	147.185.221.18	42876	TCP
2024-12-25T19:27:16.605337+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	49736	147.185.221.18	42876	TCP
2024-12-25T19:27:20.441669+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	49740	147.185.221.18	42876	TCP
2024-12-25T19:27:24.279456+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	49742	147.185.221.18	42876	TCP
2024-12-25T19:27:28.109295+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	49743	147.185.221.18	42876	TCP
2024-12-25T19:27:31.985928+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	49744	147.185.221.18	42876	TCP
2024-12-25T19:27:35.816452+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	49745	147.185.221.18	42876	TCP
2024-12-25T19:27:39.671891+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	49746	147.185.221.18	42876	TCP
2024-12-25T19:27:43.502795+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	49747	147.185.221.18	42876	TCP
2024-12-25T19:27:47.381066+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	49748	147.185.221.18	42876	TCP
2024-12-25T19:27:51.416703+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	49749	147.185.221.18	42876	TCP
2024-12-25T19:27:55.256662+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	49751	147.185.221.18	42876	TCP
2024-12-25T19:27:59.110643+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	49763	147.185.221.18	42876	TCP
2024-12-25T19:28:02.984793+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	49769	147.185.221.18	42876	TCP
2024-12-25T19:28:06.673988+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	49779	147.185.221.18	42876	TCP
2024-12-25T19:28:10.290338+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	49789	147.185.221.18	42876	TCP
2024-12-25T19:28:13.798520+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	49796	147.185.221.18	42876	TCP
2024-12-25T19:28:17.435879+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	49806	147.185.221.18	42876	TCP
2024-12-25T19:28:20.742541+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	49813	147.185.221.18	42876	TCP
2024-12-25T19:28:23.895442+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	49823	147.185.221.18	42876	TCP
2024-12-25T19:28:27.015106+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	49830	147.185.221.18	42876	TCP
2024-12-25T19:28:30.031254+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	49836	147.185.221.18	42876	TCP
2024-12-25T19:28:56.960211+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	49893	147.185.221.18	42876	TCP
2024-12-25T19:28:59.828732+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	49902	147.185.221.18	42876	TCP
2024-12-25T19:29:02.596571+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	49909	147.185.221.18	42876	TCP
2024-12-25T19:29:05.380948+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	49915	147.185.221.18	42876	TCP
2024-12-25T19:29:08.464794+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	49921	147.185.221.18	42876	TCP
2024-12-25T19:29:11.059281+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	49927	147.185.221.18	42876	TCP
2024-12-25T19:29:13.563423+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	49933	147.185.221.18	42876	TCP
2024-12-25T19:29:16.067195+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	49940	147.185.221.18	42876	TCP
2024-12-25T19:29:18.553373+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	49947	147.185.221.18	42876	TCP
2024-12-25T19:29:21.005336+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	49954	147.185.221.18	42876	TCP
2024-12-25T19:29:23.394832+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	49960	147.185.221.18	42876	TCP
2024-12-25T19:29:25.827890+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	49966	147.185.221.18	42876	TCP
2024-12-25T19:29:28.796450+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	49972	147.185.221.18	42876	TCP
2024-12-25T19:29:31.016652+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	49977	147.185.221.18	42876	TCP
2024-12-25T19:29:33.308343+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	49983	147.185.221.18	42876	TCP
2024-12-25T19:29:35.532168+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	49989	147.185.221.18	42876	TCP
2024-12-25T19:29:37.713030+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	49995	147.185.221.18	42876	TCP
2024-12-25T19:29:39.891898+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	50001	147.185.221.18	42876	TCP
2024-12-25T19:29:42.069274+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	50007	147.185.221.18	42876	TCP
2024-12-25T19:29:44.227018+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	50013	147.185.221.18	42876	TCP
2024-12-25T19:29:46.487974+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	50019	147.185.221.18	42876	TCP
2024-12-25T19:29:48.630910+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	50024	147.185.221.18	42876	TCP
2024-12-25T19:29:50.710170+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	50030	147.185.221.18	42876	TCP
2024-12-25T19:29:52.763223+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	50036	147.185.221.18	42876	TCP
2024-12-25T19:29:54.859952+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	50040	147.185.221.18	42876	TCP
2024-12-25T19:29:56.943978+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	50046	147.185.221.18	42876	TCP
2024-12-25T19:29:59.035178+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	50051	147.185.221.18	42876	TCP
2024-12-25T19:30:01.060620+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	50054	147.185.221.18	42876	TCP
2024-12-25T19:30:03.136417+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	50055	147.185.221.18	42876	TCP
2024-12-25T19:30:05.144405+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	50056	147.185.221.18	42876	TCP
2024-12-25T19:30:07.114444+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	50057	147.185.221.18	42876	TCP
2024-12-25T19:30:09.158428+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	50058	147.185.221.18	42876	TCP
2024-12-25T19:30:11.116363+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	50059	147.185.221.18	42876	TCP
2024-12-25T19:30:13.048197+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	50060	147.185.221.18	42876	TCP
2024-12-25T19:30:15.023097+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	50061	147.185.221.18	42876	TCP
2024-12-25T19:30:17.017306+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	50062	147.185.221.18	42876	TCP
2024-12-25T19:30:18.970100+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	50063	147.185.221.18	42876	TCP
2024-12-25T19:30:21.064635+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	50064	147.185.221.18	42876	TCP
2024-12-25T19:30:23.067903+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	50065	147.185.221.18	42876	TCP
2024-12-25T19:30:24.909726+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	50066	147.185.221.18	42876	TCP
2024-12-25T19:30:26.800683+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	50067	147.185.221.18	42876	TCP
2024-12-25T19:30:28.697052+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	50068	147.185.221.18	42876	TCP
2024-12-25T19:30:30.621315+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	50069	147.185.221.18	42876	TCP
2024-12-25T19:30:32.505468+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	50070	147.185.221.18	42876	TCP
2024-12-25T19:30:34.395945+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	50071	147.185.221.18	42876	TCP
2024-12-25T19:30:36.284419+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	50072	147.185.221.18	42876	TCP
2024-12-25T19:30:38.189590+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	50073	147.185.221.18	42876	TCP
2024-12-25T19:30:40.087676+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	50074	147.185.221.18	42876	TCP
2024-12-25T19:30:42.007971+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	50075	147.185.221.18	42876	TCP
2024-12-25T19:30:43.888278+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	50076	147.185.221.18	42876	TCP
2024-12-25T19:30:45.782984+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	50077	147.185.221.18	42876	TCP
2024-12-25T19:30:47.647823+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	50078	147.185.221.18	42876	TCP
2024-12-25T19:30:49.548519+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	50079	147.185.221.18	42876	TCP
2024-12-25T19:30:51.409873+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	50080	147.185.221.18	42876	TCP
2024-12-25T19:30:53.339640+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	50081	147.185.221.18	42876	TCP
2024-12-25T19:30:55.232783+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	50082	147.185.221.18	42876	TCP
2024-12-25T19:30:57.111374+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	50083	147.185.221.18	42876	TCP
2024-12-25T19:30:58.988654+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	50084	147.185.221.18	42876	TCP

ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-25T19:27:32.633274+0100	2825564	1	Malware Command and Control Activity Detected	192.168.2.4	49744	147.185.221.18	42876	TCP
2024-12-25T19:27:45.137550+0100	2825564	1	Malware Command and Control Activity Detected	192.168.2.4	49747	147.185.221.18	42876	TCP
2024-12-25T19:27:52.530998+0100	2825564	1	Malware Command and Control Activity Detected	192.168.2.4	49749	147.185.221.18	42876	TCP
2024-12-25T19:28:00.056725+0100	2825564	1	Malware Command and Control Activity Detected	192.168.2.4	49763	147.185.221.18	42876	TCP
2024-12-25T19:28:03.452295+0100	2825564	1	Malware Command and Control Activity Detected	192.168.2.4	49769	147.185.221.18	42876	TCP
2024-12-25T19:28:06.916756+0100	2825564	1	Malware Command and Control Activity Detected	192.168.2.4	49779	147.185.221.18	42876	TCP
2024-12-25T19:29:12.016440+0100	2825564	1	Malware Command and Control Activity Detected	192.168.2.4	49927	147.185.221.18	42876	TCP
2024-12-25T19:29:17.797691+0100	2825564	1	Malware Command and Control Activity Detected	192.168.2.4	49940	147.185.221.18	42876	TCP
2024-12-25T19:29:19.739101+0100	2825564	1	Malware Command and Control Activity Detected	192.168.2.4	49947	147.185.221.18	42876	TCP
2024-12-25T19:29:21.315622+0100	2825564	1	Malware Command and Control Activity Detected	192.168.2.4	49954	147.185.221.18	42876	TCP
2024-12-25T19:29:23.636305+0100	2825564	1	Malware Command and Control Activity Detected	192.168.2.4	49960	147.185.221.18	42876	TCP
2024-12-25T19:29:26.234384+0100	2825564	1	Malware Command and Control Activity Detected	192.168.2.4	49966	147.185.221.18	42876	TCP
2024-12-25T19:29:29.140402+0100	2825564	1	Malware Command and Control Activity Detected	192.168.2.4	49972	147.185.221.18	42876	TCP
2024-12-25T19:29:31.258357+0100	2825564	1	Malware Command and Control Activity Detected	192.168.2.4	49977	147.185.221.18	42876	TCP
2024-12-25T19:29:42.317709+0100	2825564	1	Malware Command and Control Activity Detected	192.168.2.4	50007	147.185.221.18	42876	TCP
2024-12-25T19:30:05.384843+0100	2825564	1	Malware Command and Control Activity Detected	192.168.2.4	50056	147.185.221.18	42876	TCP
2024-12-25T19:30:15.803404+0100	2825564	1	Malware Command and Control Activity Detected	192.168.2.4	50061	147.185.221.18	42876	TCP
2024-12-25T19:30:48.135698+0100	2825564	1	Malware Command and Control Activity Detected	192.168.2.4	50078	147.185.221.18	42876	TCP
2024-12-25T19:30:56.291850+0100	2825564	1	Malware Command and Control Activity Detected	192.168.2.4	50082	147.185.221.18	42876	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: gReXLT7XjR.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\DeadMom.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\DeadMom.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\DeadMom.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\DeadMom.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\DeadMom.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Windows\server.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\DeadMom.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Kaspersky Anti-Virus Flash.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\DeadMom.exe	Avira: detection malicious, Label: TR/Dropper.Gen

Found malware configuration

Source: 0.0.gReXLT7XjR.exe.510000.0.unpack

Malware Configuration Extractor: Njrat {"Campaign ID": "HacKed", "Version": "0.7d", "Install Name": "445c7762b8f06a76352fcac2e22df159", "Install Dir": "Kaspersky Anti-Virus Flash", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Network Seprator": "|'|'|"}

Multi AV Scanner detection for dropped file

Source: C:\Kaspersky Anti-Virus Flash.exe	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\DeadMom.exe	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\History\DeadMom.exe	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\DeadMom.exe	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\DeadMom.exe	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	ReversingLabs: Detection: 86%
Source: C:\Users\user\Favorites\DeadMom.exe	ReversingLabs: Detection: 86%
Source: C:\Windows\SysWOW64\DeadMom.exe	ReversingLabs: Detection: 86%
Source: C:\Windows\server.exe	ReversingLabs: Detection: 86%

Multi AV Scanner detection for submitted file

Source: gReXLT7XjR.exe	ReversingLabs: Detection: 86%
Source: gReXLT7XjR.exe	Virustotal: Detection: 70%			Perma Link

Yara detected Njrat

Source: Yara match	File source: gReXLT7XjR.exe, type: SAMPLE
Source: Yara match	File source: 0.0.gReXLT7XjR.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1679600607.0000000003B08000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1661776984.0000000000512000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4112787916.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gReXLT7XjR.exe PID: 7496, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server.exe PID: 7564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 445c7762b8f06a76352fcac2e22df159Windows Update.exe PID: 7996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DeadMom.exe PID: 8152, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Microsoft Corporation.exe PID: 4544, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\DeadMom.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\server.exe, type: DROPPED
Source: Yara match	File source: C:\Kaspersky Anti-Virus Flash.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\DeadMom.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\DeadMom.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\DeadMom.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\DeadMom.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\DeadMom.exe	Joe Sandbox ML: detected
Source: C:\Windows\server.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\DeadMom.exe	Joe Sandbox ML: detected
Source: C:\Kaspersky Anti-Virus Flash.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\DeadMom.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: gReXLT7XjR.exe

Joe Sandbox ML: detected

Source: gReXLT7XjR.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\gReXLT7XjR.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: gReXLT7XjR.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Spreading

Contains functionality to spread to USB devices (.Net source)

Source: gReXLT7XjR.exe, Usb1.cs	.Net Code: infect
Source: server.exe.0.dr, Usb1.cs	.Net Code: infect
Source: DeadMom.exe.1.dr, Usb1.cs	.Net Code: infect
Source: DeadMom.exe0.1.dr, Usb1.cs	.Net Code: infect
Source: DeadMom.exe1.1.dr, Usb1.cs	.Net Code: infect
Source: Kaspersky Anti-Virus Flash.exe.1.dr, Usb1.cs	.Net Code: infect
Source: DeadMom.exe2.1.dr, Usb1.cs	.Net Code: infect
Source: Microsoft Corporation.exe.1.dr, Usb1.cs	.Net Code: infect
Source: 445c7762b8f06a76352fcac2e22df159Windows Update.exe.1.dr, Usb1.cs	.Net Code: infect
Source: DeadMom.exe3.1.dr, Usb1.cs	.Net Code: infect
Source: DeadMom.exe4.1.dr, Usb1.cs	.Net Code: infect

Source: gReXLT7XjR.exe, 00000000.00000002.1679600607.0000000003B08000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \autorun.inf
Source: gReXLT7XjR.exe, 00000000.00000002.1679600607.0000000003B08000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: gReXLT7XjR.exe, 00000000.00000002.1679600607.0000000003B08000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: gReXLT7XjR.exe, 00000000.00000000.1661776984.0000000000512000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: \autorun.inf
Source: gReXLT7XjR.exe, 00000000.00000000.1661776984.0000000000512000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: [autorun]
Source: gReXLT7XjR.exe, 00000000.00000000.1661776984.0000000000512000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: autorun.inf
Source: gReXLT7XjR.exe	Binary or memory string: \autorun.inf
Source: gReXLT7XjR.exe	Binary or memory string: [autorun]
Source: gReXLT7XjR.exe	Binary or memory string: autorun.inf
Source: DeadMom.exe1.1.dr	Binary or memory string: \autorun.inf
Source: DeadMom.exe1.1.dr	Binary or memory string: [autorun]
Source: DeadMom.exe1.1.dr	Binary or memory string: autorun.inf
Source: DeadMom.exe4.1.dr	Binary or memory string: \autorun.inf
Source: DeadMom.exe4.1.dr	Binary or memory string: [autorun]
Source: DeadMom.exe4.1.dr	Binary or memory string: autorun.inf
Source: DeadMom.exe5.1.dr	Binary or memory string: \autorun.inf
Source: DeadMom.exe5.1.dr	Binary or memory string: [autorun]
Source: DeadMom.exe5.1.dr	Binary or memory string: autorun.inf
Source: Microsoft Corporation.exe.1.dr	Binary or memory string: \autorun.inf
Source: Microsoft Corporation.exe.1.dr	Binary or memory string: [autorun]
Source: Microsoft Corporation.exe.1.dr	Binary or memory string: autorun.inf
Source: DeadMom.exe2.1.dr	Binary or memory string: \autorun.inf
Source: DeadMom.exe2.1.dr	Binary or memory string: [autorun]
Source: DeadMom.exe2.1.dr	Binary or memory string: autorun.inf
Source: 445c7762b8f06a76352fcac2e22df159Windows Update.exe.1.dr	Binary or memory string: \autorun.inf
Source: 445c7762b8f06a76352fcac2e22df159Windows Update.exe.1.dr	Binary or memory string: [autorun]
Source: 445c7762b8f06a76352fcac2e22df159Windows Update.exe.1.dr	Binary or memory string: autorun.inf
Source: DeadMom.exe0.1.dr	Binary or memory string: \autorun.inf
Source: DeadMom.exe0.1.dr	Binary or memory string: [autorun]
Source: DeadMom.exe0.1.dr	Binary or memory string: autorun.inf
Source: server.exe.0.dr	Binary or memory string: \autorun.inf
Source: server.exe.0.dr	Binary or memory string: [autorun]
Source: server.exe.0.dr	Binary or memory string: autorun.inf
Source: DeadMom.exe3.1.dr	Binary or memory string: \autorun.inf
Source: DeadMom.exe3.1.dr	Binary or memory string: [autorun]
Source: DeadMom.exe3.1.dr	Binary or memory string: autorun.inf
Source: Kaspersky Anti-Virus Flash.exe.1.dr	Binary or memory string: \autorun.inf
Source: Kaspersky Anti-Virus Flash.exe.1.dr	Binary or memory string: [autorun]
Source: Kaspersky Anti-Virus Flash.exe.1.dr	Binary or memory string: autorun.inf
Source: DeadMom.exe.1.dr	Binary or memory string: \autorun.inf
Source: DeadMom.exe.1.dr	Binary or memory string: [autorun]
Source: DeadMom.exe.1.dr	Binary or memory string: autorun.inf

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49746 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49746 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49736 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49733 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49733 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49736 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49748 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49731 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49748 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49731 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49740 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49740 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49751 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49751 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49730 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49742 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49742 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49730 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49779 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49779 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.4:49779 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49732 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49789 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49732 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49789 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49796 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49796 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49743 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49743 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49744 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49744 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49749 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.4:49744 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49749 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.4:49749 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49763 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49763 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.4:49763 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49769 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49745 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49745 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49769 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.4:49769 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49806 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49806 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49747 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49747 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49830 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49830 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49823 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49823 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49836 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49836 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.4:49747 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49813 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49813 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49902 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49902 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49893 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49909 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49909 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49893 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49915 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49915 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49921 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49921 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49933 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49933 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49927 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49927 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.4:49927 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49940 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49954 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49940 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49947 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49947 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.4:49947 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49954 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49960 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.4:49940 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.4:49954 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49966 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49960 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.4:49960 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49977 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49972 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49977 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49972 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.4:49977 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49966 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49989 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49989 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.4:49972 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50001 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50001 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.4:49966 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49983 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50007 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50007 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49983 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50013 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.4:50007 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50013 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50024 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50024 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49995 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49995 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50036 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50036 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50030 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50040 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50019 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50040 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50030 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50019 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50051 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50051 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50055 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50055 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50057 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50057 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50061 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50061 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50059 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50059 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.4:50061 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50063 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50056 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50054 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50068 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50058 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50063 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50060 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50058 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50054 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50065 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50060 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50056 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50068 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50067 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50080 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.4:50056 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50070 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50062 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50070 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50077 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50077 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50082 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50065 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50080 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50082 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50067 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50072 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50069 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50072 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50069 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50076 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.4:50082 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50062 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50074 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50066 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50076 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50066 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50073 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50081 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50083 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50083 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50079 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50075 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50074 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50081 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50064 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50064 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50075 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50079 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50073 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50084 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50084 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50078 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50078 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.4:50078 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50046 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50046 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:50071 -> 147.185.221.18:42876
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:50071 -> 147.185.221.18:42876

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 147.185.221.18 ports 42876,2,4,6,7,8

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 147.185.221.18:42876

Source: Joe Sandbox View

IP Address: 147.185.221.18 147.185.221.18

Source: Joe Sandbox View

ASN Name: SALSGIVERUS SALSGIVERUS

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: company-telecom.gl.at.ply.gg

Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Windows\server.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior

E-Banking Fraud

Yara detected Njrat

Source: Yara match	File source: gReXLT7XjR.exe, type: SAMPLE
Source: Yara match	File source: 0.0.gReXLT7XjR.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1679600607.0000000003B08000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1661776984.0000000000512000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4112787916.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gReXLT7XjR.exe PID: 7496, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server.exe PID: 7564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 445c7762b8f06a76352fcac2e22df159Windows Update.exe PID: 7996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DeadMom.exe PID: 8152, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Microsoft Corporation.exe PID: 4544, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\DeadMom.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\server.exe, type: DROPPED
Source: Yara match	File source: C:\Kaspersky Anti-Virus Flash.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: gReXLT7XjR.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: gReXLT7XjR.exe, type: SAMPLE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: gReXLT7XjR.exe, type: SAMPLE	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: gReXLT7XjR.exe, type: SAMPLE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: gReXLT7XjR.exe, type: SAMPLE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.0.gReXLT7XjR.exe.510000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.0.gReXLT7XjR.exe.510000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.0.gReXLT7XjR.exe.510000.0.unpack, type: UNPACKEDPE	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: 0.0.gReXLT7XjR.exe.510000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.gReXLT7XjR.exe.510000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000000.00000002.1679600607.0000000003B08000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000002.1679600607.0000000003B08000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000000.1661776984.0000000000512000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000000.1661776984.0000000000512000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe, type: DROPPED	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe, type: DROPPED	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe, type: DROPPED	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Local\DeadMom.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\AppData\Local\DeadMom.exe, type: DROPPED	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Local\DeadMom.exe, type: DROPPED	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: C:\Users\user\AppData\Local\DeadMom.exe, type: DROPPED	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\DeadMom.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Local\DeadMom.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Local\DeadMom.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Local\DeadMom.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Local\DeadMom.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Local\DeadMom.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Local\DeadMom.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Local\DeadMom.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Local\DeadMom.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Local\DeadMom.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Local\DeadMom.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Local\DeadMom.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Local\DeadMom.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Local\DeadMom.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Local\DeadMom.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Local\DeadMom.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Local\DeadMom.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Local\DeadMom.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Local\DeadMom.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Windows\server.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Windows\server.exe, type: DROPPED	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Windows\server.exe, type: DROPPED	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: C:\Windows\server.exe, type: DROPPED	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Windows\server.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Kaspersky Anti-Virus Flash.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Kaspersky Anti-Virus Flash.exe, type: DROPPED	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Kaspersky Anti-Virus Flash.exe, type: DROPPED	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: C:\Kaspersky Anti-Virus Flash.exe, type: DROPPED	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Kaspersky Anti-Virus Flash.exe, type: DROPPED	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Kaspersky Anti-Virus Flash.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Kaspersky Anti-Virus Flash.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Kaspersky Anti-Virus Flash.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Kaspersky Anti-Virus Flash.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Kaspersky Anti-Virus Flash.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Kaspersky Anti-Virus Flash.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Kaspersky Anti-Virus Flash.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Kaspersky Anti-Virus Flash.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Kaspersky Anti-Virus Flash.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Kaspersky Anti-Virus Flash.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Kaspersky Anti-Virus Flash.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Kaspersky Anti-Virus Flash.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen

Source: C:\Windows\server.exe

Process Stats: CPU usage > 49%

Source: C:\Windows\server.exe	Code function: 1_2_0157BDCA NtQuerySystemInformation,		1_2_0157BDCA
Source: C:\Windows\server.exe	Code function: 1_2_0157BD99 NtQuerySystemInformation,		1_2_0157BD99

Source: C:\Users\user\Desktop\gReXLT7XjR.exe	File created: C:\Windows\server.exe			Jump to behavior
Source: C:\Windows\server.exe	File created: C:\Windows\SysWOW64\DeadMom.exe			Jump to behavior

Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Code function: 0_2_04CE4298	0_2_04CE4298
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Code function: 0_2_04CE4544	0_2_04CE4544
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Code function: 0_2_04CE505D	0_2_04CE505D
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Code function: 0_2_04CE4B5B	0_2_04CE4B5B
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Code function: 0_2_04CE5459	0_2_04CE5459
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Code function: 0_2_04CE47D4	0_2_04CE47D4
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Code function: 0_2_04CE536F	0_2_04CE536F
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Code function: 0_2_04CE50E3	0_2_04CE50E3
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Code function: 0_2_04CE49F9	0_2_04CE49F9
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Code function: 0_2_04CE44F1	0_2_04CE44F1
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Code function: 0_2_04CE470F	0_2_04CE470F
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Code function: 0_2_04CE4C8F	0_2_04CE4C8F
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Code function: 0_2_04CE4287	0_2_04CE4287
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Code function: 0_2_04CE5000	0_2_04CE5000
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Code function: 0_2_04CE4F9D	0_2_04CE4F9D
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Code function: 0_2_04CE499D	0_2_04CE499D
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Code function: 0_2_04CE4F2F	0_2_04CE4F2F
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Code function: 0_2_04CE4936	0_2_04CE4936
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Code function: 0_2_04CE4630	0_2_04CE4630
Source: C:\Windows\server.exe	Code function: 1_2_05697910	1_2_05697910
Source: C:\Windows\server.exe	Code function: 1_2_056974D7	1_2_056974D7
Source: C:\Windows\server.exe	Code function: 1_2_05694298	1_2_05694298
Source: C:\Windows\server.exe	Code function: 1_2_05694269	1_2_05694269
Source: C:\Windows\server.exe	Code function: 1_2_0569536F	1_2_0569536F
Source: C:\Windows\server.exe	Code function: 1_2_05694544	1_2_05694544
Source: C:\Windows\server.exe	Code function: 1_2_05695459	1_2_05695459
Source: C:\Windows\server.exe	Code function: 1_2_05694B5B	1_2_05694B5B
Source: C:\Windows\server.exe	Code function: 1_2_0569505D	1_2_0569505D
Source: C:\Windows\server.exe	Code function: 1_2_05694F2F	1_2_05694F2F
Source: C:\Windows\server.exe	Code function: 1_2_05694630	1_2_05694630
Source: C:\Windows\server.exe	Code function: 1_2_05694936	1_2_05694936
Source: C:\Windows\server.exe	Code function: 1_2_0569470F	1_2_0569470F
Source: C:\Windows\server.exe	Code function: 1_2_05695000	1_2_05695000
Source: C:\Windows\server.exe	Code function: 1_2_056950E3	1_2_056950E3
Source: C:\Windows\server.exe	Code function: 1_2_056949F9	1_2_056949F9
Source: C:\Windows\server.exe	Code function: 1_2_056944F1	1_2_056944F1
Source: C:\Windows\server.exe	Code function: 1_2_056947D4	1_2_056947D4
Source: C:\Windows\server.exe	Code function: 1_2_05694C8F	1_2_05694C8F
Source: C:\Windows\server.exe	Code function: 1_2_05694F9D	1_2_05694F9D
Source: C:\Windows\server.exe	Code function: 1_2_0569499D	1_2_0569499D

Source: gReXLT7XjR.exe, 00000000.00000002.1678719492.000000000092E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenamemscorwks.dllT vs gReXLT7XjR.exe

Source: gReXLT7XjR.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: gReXLT7XjR.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: gReXLT7XjR.exe, type: SAMPLE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: gReXLT7XjR.exe, type: SAMPLE	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: gReXLT7XjR.exe, type: SAMPLE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: gReXLT7XjR.exe, type: SAMPLE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.0.gReXLT7XjR.exe.510000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.0.gReXLT7XjR.exe.510000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.gReXLT7XjR.exe.510000.0.unpack, type: UNPACKEDPE	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: 0.0.gReXLT7XjR.exe.510000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.0.gReXLT7XjR.exe.510000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000000.00000002.1679600607.0000000003B08000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000002.1679600607.0000000003B08000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000000.1661776984.0000000000512000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000000.1661776984.0000000000512000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe, type: DROPPED	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe, type: DROPPED	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe, type: DROPPED	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Local\DeadMom.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Local\DeadMom.exe, type: DROPPED	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Local\DeadMom.exe, type: DROPPED	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: C:\Users\user\AppData\Local\DeadMom.exe, type: DROPPED	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Local\DeadMom.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Local\DeadMom.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Local\DeadMom.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Local\DeadMom.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Local\DeadMom.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Local\DeadMom.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Local\DeadMom.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Local\DeadMom.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Local\DeadMom.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Local\DeadMom.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Local\DeadMom.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Local\DeadMom.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Local\DeadMom.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Local\DeadMom.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Local\DeadMom.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Local\DeadMom.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Local\DeadMom.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Local\DeadMom.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Local\DeadMom.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Windows\server.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Windows\server.exe, type: DROPPED	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Windows\server.exe, type: DROPPED	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: C:\Windows\server.exe, type: DROPPED	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Windows\server.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Kaspersky Anti-Virus Flash.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Kaspersky Anti-Virus Flash.exe, type: DROPPED	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Kaspersky Anti-Virus Flash.exe, type: DROPPED	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: C:\Kaspersky Anti-Virus Flash.exe, type: DROPPED	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Kaspersky Anti-Virus Flash.exe, type: DROPPED	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Kaspersky Anti-Virus Flash.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Kaspersky Anti-Virus Flash.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Kaspersky Anti-Virus Flash.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Kaspersky Anti-Virus Flash.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Kaspersky Anti-Virus Flash.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Kaspersky Anti-Virus Flash.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Kaspersky Anti-Virus Flash.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Kaspersky Anti-Virus Flash.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Kaspersky Anti-Virus Flash.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Kaspersky Anti-Virus Flash.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Kaspersky Anti-Virus Flash.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Kaspersky Anti-Virus Flash.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi

Source: classification engine

Classification label: mal100.spre.phis.troj.adwa.evad.winEXE@16/19@1/1

Source: C:\Windows\server.exe	Code function: 1_2_0157BC4E AdjustTokenPrivileges,		1_2_0157BC4E
Source: C:\Windows\server.exe	Code function: 1_2_0157BC17 AdjustTokenPrivileges,		1_2_0157BC17

Source: C:\Users\user\Desktop\gReXLT7XjR.exe

File created: C:\Users\user\AppData\Roaming\app

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7644:120:WilError_03
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7744:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7752:120:WilError_03
Source: C:\Windows\server.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\server.exe	Mutant created: \Sessions\1\BaseNamedObjects\445c7762b8f06a76352fcac2e22df159

Source: C:\Users\user\Desktop\gReXLT7XjR.exe

File created: C:\Users\user\AppData\Local\Temp\FransescoPast.txt

Jump to behavior

Source: gReXLT7XjR.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: gReXLT7XjR.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\gReXLT7XjR.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\gReXLT7XjR.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: gReXLT7XjR.exe	ReversingLabs: Detection: 86%
Source: gReXLT7XjR.exe	Virustotal: Detection: 70%

Source: C:\Users\user\Desktop\gReXLT7XjR.exe

File read: C:\Users\user\Desktop\gReXLT7XjR.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\gReXLT7XjR.exe "C:\Users\user\Desktop\gReXLT7XjR.exe"
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Process created: C:\Windows\server.exe "C:\Windows\server.exe"
Source: C:\Windows\server.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\server.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall delete allowedprogram "C:\Windows\server.exe"
Source: C:\Windows\server.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe"
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Process created: C:\Windows\server.exe "C:\Windows\server.exe"	Jump to behavior
Source: C:\Windows\server.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE	Jump to behavior
Source: C:\Windows\server.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall delete allowedprogram "C:\Windows\server.exe"	Jump to behavior
Source: C:\Windows\server.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE	Jump to behavior

Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\server.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\server.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\server.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\server.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\server.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\server.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\server.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\server.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\server.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\server.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Windows\server.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\server.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\server.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\server.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\server.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\server.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\server.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\server.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\server.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\server.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\server.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\server.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\server.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Section loaded: shfolder.dll	Jump to behavior

Source: C:\Windows\server.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\gReXLT7XjR.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: gReXLT7XjR.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\gReXLT7XjR.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: gReXLT7XjR.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: gReXLT7XjR.exe, Fransesco.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: server.exe.0.dr, Fransesco.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: DeadMom.exe.1.dr, Fransesco.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: DeadMom.exe0.1.dr, Fransesco.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: DeadMom.exe1.1.dr, Fransesco.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: Kaspersky Anti-Virus Flash.exe.1.dr, Fransesco.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: DeadMom.exe2.1.dr, Fransesco.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: Microsoft Corporation.exe.1.dr, Fransesco.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: 445c7762b8f06a76352fcac2e22df159Windows Update.exe.1.dr, Fransesco.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: DeadMom.exe3.1.dr, Fransesco.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: DeadMom.exe4.1.dr, Fransesco.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Users\user\Desktop\gReXLT7XjR.exe

Executable created and started: C:\Windows\server.exe

Jump to behavior

Source: C:\Windows\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Jump to dropped file
Source: C:\Windows\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	Jump to dropped file
Source: C:\Windows\server.exe	File created: C:\Kaspersky Anti-Virus Flash.exe	Jump to dropped file
Source: C:\Windows\server.exe	File created: C:\Users\user\Favorites\DeadMom.exe	Jump to dropped file
Source: C:\Windows\server.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\DeadMom.exe	Jump to dropped file
Source: C:\Windows\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Jump to dropped file
Source: C:\Windows\server.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\DeadMom.exe	Jump to dropped file
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	File created: C:\Windows\server.exe	Jump to dropped file
Source: C:\Windows\server.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\History\DeadMom.exe	Jump to dropped file
Source: C:\Windows\server.exe	File created: C:\Windows\SysWOW64\DeadMom.exe	Jump to dropped file
Source: C:\Windows\server.exe	File created: C:\Users\user\AppData\Local\DeadMom.exe	Jump to dropped file

Source: C:\Users\user\Desktop\gReXLT7XjR.exe	File created: C:\Windows\server.exe			Jump to dropped file
Source: C:\Windows\server.exe	File created: C:\Windows\SysWOW64\DeadMom.exe			Jump to dropped file

Boot Survival

Drops PE files to the startup folder

Source: C:\Windows\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Jump to dropped file
Source: C:\Windows\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	Jump to dropped file
Source: C:\Windows\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Jump to dropped file

Source: C:\Windows\server.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe

Jump to behavior

Source: C:\Windows\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Jump to behavior
Source: C:\Windows\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Jump to behavior
Source: C:\Windows\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	Jump to behavior

Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Memory allocated: EC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Memory allocated: 2B00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Memory allocated: 4B00000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\server.exe	Memory allocated: 1870000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\server.exe	Memory allocated: 34F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\server.exe	Memory allocated: 54F0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\server.exe	Memory allocated: 6820000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\server.exe	Memory allocated: 7820000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\server.exe	Memory allocated: 7C50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\server.exe	Memory allocated: 8C50000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\server.exe	Memory allocated: 8EB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\server.exe	Memory allocated: 9EB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\server.exe	Memory allocated: AEB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\server.exe	Memory allocated: BEB0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Memory allocated: 1210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Memory allocated: 3350000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Memory allocated: 13F0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	Memory allocated: 1540000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	Memory allocated: 3070000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	Memory allocated: 5070000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Memory allocated: AF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Memory allocated: 2A30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Memory allocated: DC0000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe

Code function: 11_2_01550006 sldt word ptr [eax]

11_2_01550006

Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\server.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\server.exe	Window / User API: threadDelayed 895	Jump to behavior
Source: C:\Windows\server.exe	Window / User API: threadDelayed 1481	Jump to behavior
Source: C:\Windows\server.exe	Window / User API: threadDelayed 662	Jump to behavior
Source: C:\Windows\server.exe	Window / User API: threadDelayed 721	Jump to behavior
Source: C:\Windows\server.exe	Window / User API: foregroundWindowGot 477	Jump to behavior
Source: C:\Windows\server.exe	Window / User API: foregroundWindowGot 511	Jump to behavior

Source: C:\Users\user\Desktop\gReXLT7XjR.exe TID: 7516	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\server.exe TID: 7704	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\server.exe TID: 7568	Thread sleep time: -895000s >= -30000s	Jump to behavior
Source: C:\Windows\server.exe TID: 7720	Thread sleep time: -740500s >= -30000s	Jump to behavior
Source: C:\Windows\server.exe TID: 7568	Thread sleep time: -662000s >= -30000s	Jump to behavior
Source: C:\Windows\server.exe TID: 7720	Thread sleep time: -360500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe TID: 8012	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe TID: 8168	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe TID: 5260	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\gReXLT7XjR.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\server.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior

Source: gReXLT7XjR.exe, 00000000.00000002.1678719492.00000000009B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y0
Source: server.exe, 00000001.00000002.4111234820.0000000001461000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWral, PublicKeyToken=b03f5f7f11d50a3a"/>
Source: netsh.exe, 00000002.00000003.1695523902.0000000000E12000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000005.00000003.1728881595.0000000000E42000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllg
Source: netsh.exe, 00000004.00000003.1724790687.00000000008C2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlll
Source: gReXLT7XjR.exe, 00000000.00000002.1678719492.00000000009B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}T0HX
Source: server.exe, 00000001.00000002.4111234820.0000000001461000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\server.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\server.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\gReXLT7XjR.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\gReXLT7XjR.exe

Process created: C:\Windows\server.exe "C:\Windows\server.exe"

Jump to behavior

Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 19:45:23 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 17:05:13 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 12:35:52 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 16:58:30 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 19:02:22 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 10:45:05 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 21:17:45 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 01:37:47 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 13:29:05 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 21:15:03 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 10:44:33 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 20:56:36 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 02:33:43 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 16:34:16 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 19:47:38 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 18:23:32 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 16:08:03 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 12:37:21 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 16:22:52 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 21:36:20 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 16:38:56 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 06:10:28 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 13:27:07 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 14:01:22 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 19:51:42 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 16:28:53 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 13:27:36 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 03:16:04 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 02:03:03 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 05:23:19 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 04:18:14 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 13:29:34 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 18:41:59 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 14:04:55 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 16:48:19 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 20:27:20 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 14:54:26 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 18:59:11 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 05:34:37 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 19:23:31 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 13:36:52 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 19:57:29 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 10:43:32 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 16:23:28 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 13:50:43 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 21:16:31 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 14:55:59 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 17:12:34 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 04:18:18 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 03:13:03 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 11:07:00 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 18:40:56 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 16:11:25 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 20:56:09 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 11:00:07 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 20:51:36 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 03:12:08 - Program Manager
Source: server.exe, 00000001.00000002.4113728270.000000000593B000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: ldProgram Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 20:17:38 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 10:10:26 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 02:57:33 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 03:37:57 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 03:16:00 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 17:15:01 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 18:37:05 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 13:30:20 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 19:24:49 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 17:36:21 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 13:32:21 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 13:29:30 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 22:05:20 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 22:06:26 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 19:18:11 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 01:52:55 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 18:30:22 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 18:54:44 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 17:59:45 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 20:23:51 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 03:38:54 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 12:45:15 - Program Manager
Source: server.exe, 00000001.00000002.4115971762.000000000B069000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: program manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 01:45:35 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 03:10:39 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 20:51:34 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 14:56:42 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 17:05:17 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 10:42:37 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 19:10:57 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 10:54:39 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 16:21:15 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 05:30:33 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 19:57:13 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 16:37:12 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 16:00:05 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 14:32:35 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 18:50:18 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 19:49:30 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 10:57:22 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 18:56:56 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 17:14:33 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 11:49:11 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 01:54:28 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 15:43:51 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 21:03:13 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 05:09:37 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 02:39:55 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 02:30:11 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 13:27:38 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 18:13:31 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 19:28:15 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 18:13:47 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 21:04:17 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 01:54:55 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 10:19:25 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 04:41:43 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 16:20:23 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 13:27:30 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 14:24:40 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 21:49:50 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 19:58:22 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 12:58:10 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 06:02:05 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 15:23:53 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 16:44:06 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 20:11:39 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 03:57:41 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 16:33:48 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 21:16:04 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 17:09:18 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 20:13:53 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 17:36:39 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 20:29:23 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 04:32:29 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 17:36:26 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 17:41:18 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 03:42:46 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 22:05:28 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 19:56:18 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 02:16:04 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 03:41:04 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 18:29:44 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 20:22:53 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 01:46:36 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 21:59:19 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 06:36:00 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 18:38:55 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 15:31:35 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 13:47:59 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 10:11:27 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 14:59:57 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 14:14:44 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 21:20:51 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 05:45:22 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 06:44:49 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 22:05:51 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 04:46:42 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 21:25:51 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 14:46:05 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 14:11:32 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 11:20:16 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 22:05:09 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 14:28:35 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 15:56:03 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 04:22:50 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 16:34:31 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 12:53:40 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 05:02:41 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 22:05:36 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 17:05:25 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 18:42:51 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 15:41:23 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 14:55:22 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 10:43:51 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 14:02:20 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 10:44:50 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 13:28:21 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 18:12:06 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 13:50:15 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 16:14:00 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 18:33:35 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 16:32:27 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 19:15:00 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 03:52:20 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 20:52:01 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 02:57:47 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 14:44:08 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 21:16:16 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 20:45:29 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 14:45:00 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 16:33:22 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 13:29:44 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 01:54:59 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 13:40:16 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 16:57:21 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 19:31:24 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 21:54:02 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 20:40:19 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 20:50:26 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 20:22:46 - Program Manager
Source: gReXLT7XjR.exe, 00000000.00000002.1679807379.0000000004ECB000.00000004.00000010.00020000.00000000.sdmp, gReXLT7XjR.exe, 00000000.00000002.1679494575.0000000002B33000.00000004.00000800.00020000.00000000.sdmp, gReXLT7XjR.exe, 00000000.00000002.1679494575.0000000002B3A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 13:27:51 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 20:52:03 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 21:23:01 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 14:28:23 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 03:16:12 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 04:17:54 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 11:09:28 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 02:52:57 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 03:37:10 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 12:21:06 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 16:52:27 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 20:59:34 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 14:46:51 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 13:29:15 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 17:38:09 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 14:10:08 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 20:27:34 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 04:31:41 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 19:31:17 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 21:12:13 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 15:46:47 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 05:22:39 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 12:30:41 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 16:27:46 - Program Manager
Source: DeadMom.exe, 0000000D.00000002.1901603716.000000000555B000.00000004.00000010.00020000.00000000.sdmp, Microsoft Corporation.exe, 00000010.00000002.1998672104.0000000004D6B000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: dProgram Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 05:31:51 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 17:40:32 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 05:32:25 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 13:27:53 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 17:10:22 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 12:35:06 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 20:07:55 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 20:56:24 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 20:35:37 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 17:35:23 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 10:55:05 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 13:21:21 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 17:30:20 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 17:06:13 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 18:08:39 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 01:43:45 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 02:25:20 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 02:29:01 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 16:44:10 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 21:24:50 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 01:37:41 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 16:08:22 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 12:37:15 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 14:59:29 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 05:27:09 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 14:11:43 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 18:28:43 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 13:28:41 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 04:41:14 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 04:51:00 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 06:18:01 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 12:53:32 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 20:56:30 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 15:23:28 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 21:24:37 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 14:59:42 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 10:43:57 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 05:55:36 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 16:32:55 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 17:26:45 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 19:57:01 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 16:32:07 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 18:38:29 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 20:09:20 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 14:48:20 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 03:38:06 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 13:27:26 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 20:23:27 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 15:58:15 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 19:05:16 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 12:14:32 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 02:58:03 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 12:13:50 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 20:07:49 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 11:20:34 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 03:52:07 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 18:19:14 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 13:28:08 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 16:59:52 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 02:00:52 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 14:42:16 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 01:36:52 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 06:22:49 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 19:33:56 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 11:08:58 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 19:13:31 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 19:29:35 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 15:44:28 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 19:41:24 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 13:36:22 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 14:20:07 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 18:49:11 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 14:27:01 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 14:09:40 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 20:59:02 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 19:57:15 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 14:48:34 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 18:26:40 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 19:56:53 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 19:51:30 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 04:18:10 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 20:22:51 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 16:28:13 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 16:44:04 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 20:12:59 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 20:33:39 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 01:28:30 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 01:56:30 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 20:27:28 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 04:02:53 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 01:55:15 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 16:50:02 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 17:33:25 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 03:28:14 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 15:57:49 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 16:12:48 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 21:24:43 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 05:22:24 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 22:02:01 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 13:41:05 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 06:27:06 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 22:08:01 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 17:35:32 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 06:11:02 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 13:24:56 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 14:46:41 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 19:52:31 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 02:15:42 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 15:24:34 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 02:04:57 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 06:34:52 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 21:09:31 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 16:23:32 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 04:13:50 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 21:56:53 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 03:56:51 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 11:12:13 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 19:48:40 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 19:57:07 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 13:38:19 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 22:04:35 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 15:56:14 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 01:55:49 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 12:22:45 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 12:14:29 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 22:00:32 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 19:37:55 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 11:38:06 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 16:33:39 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 19:01:05 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 20:14:16 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 17:12:12 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 05:08:17 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 03:17:26 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 14:19:37 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 18:55:09 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 18:13:28 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 03:38:47 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 16:18:28 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 13:28:10 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 19:51:09 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 10:11:03 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 11:04:51 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 13:36:15 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 18:39:57 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 20:59:28 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 10:45:28 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 02:24:49 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 20:25:03 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 17:36:18 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 17:59:20 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 03:34:01 - Program Manager
Source: gReXLT7XjR.exe, DeadMom.exe1.1.dr, DeadMom.exe4.1.dr, DeadMom.exe5.1.dr, Microsoft Corporation.exe.1.dr, DeadMom.exe2.1.dr, 445c7762b8f06a76352fcac2e22df159Windows Update.exe.1.dr, DeadMom.exe0.1.dr, server.exe.0.dr, DeadMom.exe3.1.dr, Kaspersky Anti-Virus Flash.exe.1.dr	Binary or memory string: Shell_traywnd+MostrarBarraDeTarefas
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 17:06:09 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 21:45:37 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 14:23:56 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 21:45:35 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 06:39:20 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 20:56:14 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 17:58:27 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 16:08:28 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 20:37:08 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 06:46:10 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 04:43:09 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 14:31:41 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 18:39:16 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 01:54:49 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 20:27:02 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 13:26:58 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 02:32:09 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 03:44:22 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 16:56:19 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 18:12:25 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 16:33:38 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 17:26:57 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 14:07:45 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 20:08:56 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 11:11:49 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 17:05:20 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 20:09:21 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 20:08:22 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 02:22:36 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 02:30:38 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 18:29:28 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 19:21:27 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 17:05:06 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 03:37:17 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 20:42:38 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 03:07:35 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 20:52:18 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 02:29:02 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 13:27:28 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 10:44:40 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 13:30:47 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 12:36:05 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 13:27:40 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 03:37:06 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 02:12:40 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 12:36:45 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 21:23:40 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 21:45:32 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 04:44:48 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 19:50:36 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 04:33:40 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 13:27:27 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 13:30:06 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 14:48:13 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 22:05:14 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 18:58:06 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 05:46:41 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 18:54:25 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 10:43:25 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 13:49:46 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 21:00:53 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 13:55:50 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 01:50:04 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 11:51:29 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 01:55:17 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 11:32:09 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 04:08:46 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 18:02:36 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 01:44:42 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 13:43:08 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 21:34:48 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 13:10:21 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 13:26:59 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 18:39:57 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 20:50:47 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 05:31:59 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 04:21:11 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 14:41:12 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 14:07:44 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 20:43:53 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 16:35:08 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 22:06:13 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 05:33:46 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 19:31:13 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 05:22:55 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 15:08:21 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 05:32:44 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 13:41:34 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 14:38:57 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 06:18:46 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 04:45:30 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 05:55:48 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 21:56:56 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 01:44:51 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 22:05:11 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 19:23:14 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 03:16:15 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 13:29:45 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 01:26:23 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 15:26:45 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 15:36:31 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 12:56:35 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 20:00:21 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 20:22:07 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 11:17:47 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 05:22:09 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 12:36:10 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 13:32:57 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 19:03:07 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 14:44:56 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 21:48:13 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 14:57:22 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 19:41:41 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 19:43:04 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 11:03:39 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 17:59:03 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 05:56:15 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/28 \| 03:00:38 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 21:13:46 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 19:31:20 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/30 \| 21:22:22 - Program Manager
Source: server.exe, 00000001.00000002.4112964031.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/12/25 \| 13:27:50 - Program Manager

Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\server.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Contains functionality to disable the Task Manager (.Net Source)

Source: gReXLT7XjR.exe, Fransesco.cs	.Net Code: INS
Source: server.exe.0.dr, Fransesco.cs	.Net Code: INS
Source: DeadMom.exe.1.dr, Fransesco.cs	.Net Code: INS
Source: DeadMom.exe0.1.dr, Fransesco.cs	.Net Code: INS
Source: DeadMom.exe1.1.dr, Fransesco.cs	.Net Code: INS
Source: Kaspersky Anti-Virus Flash.exe.1.dr, Fransesco.cs	.Net Code: INS
Source: DeadMom.exe2.1.dr, Fransesco.cs	.Net Code: INS
Source: Microsoft Corporation.exe.1.dr, Fransesco.cs	.Net Code: INS
Source: 445c7762b8f06a76352fcac2e22df159Windows Update.exe.1.dr, Fransesco.cs	.Net Code: INS
Source: DeadMom.exe3.1.dr, Fransesco.cs	.Net Code: INS
Source: DeadMom.exe4.1.dr, Fransesco.cs	.Net Code: INS

Disables the Windows task manager (taskmgr)

Source: C:\Windows\server.exe

Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr

Jump to behavior

Disables zone checking for all users

Source: C:\Windows\server.exe

Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS

Jump to behavior

Modifies the windows firewall

Source: C:\Windows\server.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\server.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE

Stealing of Sensitive Information

Yara detected Njrat

Source: Yara match	File source: gReXLT7XjR.exe, type: SAMPLE
Source: Yara match	File source: 0.0.gReXLT7XjR.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1679600607.0000000003B08000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1661776984.0000000000512000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4112787916.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gReXLT7XjR.exe PID: 7496, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server.exe PID: 7564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 445c7762b8f06a76352fcac2e22df159Windows Update.exe PID: 7996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DeadMom.exe PID: 8152, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Microsoft Corporation.exe PID: 4544, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\DeadMom.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\server.exe, type: DROPPED
Source: Yara match	File source: C:\Kaspersky Anti-Virus Flash.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED

Remote Access Functionality

Yara detected Njrat

Source: Yara match	File source: gReXLT7XjR.exe, type: SAMPLE
Source: Yara match	File source: 0.0.gReXLT7XjR.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1679600607.0000000003B08000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1661776984.0000000000512000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4112787916.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gReXLT7XjR.exe PID: 7496, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server.exe PID: 7564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 445c7762b8f06a76352fcac2e22df159Windows Update.exe PID: 7996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DeadMom.exe PID: 8152, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Microsoft Corporation.exe PID: 4544, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\DeadMom.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\server.exe, type: DROPPED
Source: Yara match	File source: C:\Kaspersky Anti-Virus Flash.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	11 Replication Through Removable Media	Windows Management Instrumentation	12 Registry Run Keys / Startup Folder	1 Access Token Manipulation	121 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	12 Process Injection	51 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Clipboard Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	12 Registry Run Keys / Startup Folder	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Access Token Manipulation	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Process Injection	LSA Secrets	1 Peripheral Device Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	12 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
gReXLT7XjR.exe	87%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
gReXLT7XjR.exe	70%	Virustotal		Browse
gReXLT7XjR.exe	100%	Avira	TR/Dropper.Gen
gReXLT7XjR.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\DeadMom.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Local\DeadMom.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Local\DeadMom.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Local\DeadMom.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Local\DeadMom.exe	100%	Avira	TR/Dropper.Gen
C:\Windows\server.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Local\DeadMom.exe	100%	Avira	TR/Dropper.Gen
C:\Kaspersky Anti-Virus Flash.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Local\DeadMom.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Local\DeadMom.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\DeadMom.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\DeadMom.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\DeadMom.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\DeadMom.exe	100%	Joe Sandbox ML
C:\Windows\server.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\DeadMom.exe	100%	Joe Sandbox ML
C:\Kaspersky Anti-Virus Flash.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\DeadMom.exe	100%	Joe Sandbox ML
C:\Kaspersky Anti-Virus Flash.exe	87%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\AppData\Local\DeadMom.exe	87%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\AppData\Local\Microsoft\Windows\History\DeadMom.exe	87%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\DeadMom.exe	87%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\DeadMom.exe	87%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe	87%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe	87%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	87%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\Favorites\DeadMom.exe	87%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
C:\Windows\SysWOW64\DeadMom.exe	87%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
C:\Windows\server.exe	87%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT

Name	IP	Active	Malicious	Antivirus Detection	Reputation
company-telecom.gl.at.ply.gg	147.185.221.18	true	true		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.185.221.18	company-telecom.gl.at.ply.gg	United States		12087	SALSGIVERUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580723
Start date and time:	2024-12-25 19:26:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	gReXLT7XjR.exe renamed because original name is a hash value
Original Sample Name:	4951d592fac59ef8005596d2af5d116b.exe
Detection:	MAL
Classification:	mal100.spre.phis.troj.adwa.evad.winEXE@16/19@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 175 Number of non-executed functions: 18
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, consent.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:27:31	API Interceptor	198358x Sleep call for process: server.exe modified
18:26:59	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe
18:27:07	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe
18:27:16	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
147.185.221.18	twE44mm07j.exe	Get hash	malicious	XWorm	Browse
	YgJ5inWPQO.exe	Get hash	malicious	AsyncRAT, XWorm	Browse
	Discordd.exe	Get hash	malicious	AsyncRAT	Browse
	Discord2.exe	Get hash	malicious	AsyncRAT	Browse
	Discord3.exe	Get hash	malicious	AsyncRAT	Browse
	7laJ4zKd8O.exe	Get hash	malicious	XWorm	Browse
	Discord.exe	Get hash	malicious	AsyncRAT	Browse
	r8k29DBraE.exe	Get hash	malicious	XWorm	Browse
	Lr87y2w72r.exe	Get hash	malicious	XWorm	Browse
	7LwVrYH7sy.exe	Get hash	malicious	XWorm	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SALSGIVERUS	_____.exe	Get hash	malicious	DarkComet	Browse	147.185.221.23
	test.exe	Get hash	malicious	DarkComet	Browse	147.185.221.24
	L363rVr7oL.exe	Get hash	malicious	Njrat	Browse	147.185.221.24
	WO.exe	Get hash	malicious	Metasploit	Browse	147.185.221.23
	reddit.exe	Get hash	malicious	Metasploit	Browse	147.185.221.23
	loligang.mpsl.elf	Get hash	malicious	Mirai	Browse	147.176.119.110
	horrify's Modx Menu v1.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	fvbhdyuJYi.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	8DiSW8IPEF.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	twE44mm07j.exe	Get hash	malicious	XWorm	Browse	147.185.221.18

Process:	C:\Windows\server.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.561256734534238
Encrypted:	false
SSDEEP:	1536:ZYduiuNTXfL/AJbZNljEwzGi1dDFDugS:ZYdaTXfL/AhzSi1dJT
MD5:	4951D592FAC59EF8005596D2AF5D116B
SHA1:	536AB7195AFEFB6C8947A86B10ADB8D0461F7115
SHA-256:	EF022F571BBE78532CC1D1D09689470933F629F5E3775929F8926D7B51E6F122
SHA-512:	3F551F1B653764DAE9D75DBDF764389786A6004EF2C49F3C7BA81BB4412ADC7C8C3315649E4C5A8F970B3F185F67E6F04BACF1264F233225511D45CB75D20FF1
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Kaspersky Anti-Virus Flash.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Kaspersky Anti-Virus Flash.exe, Author: unknown Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Kaspersky Anti-Virus Flash.exe, Author: Florian Roth Rule: crimeware_njrat_strings, Description: Detects njRAT based on some strings, Source: C:\Kaspersky Anti-Virus Flash.exe, Author: Sekoia.io Rule: Njrat, Description: detect njRAT in memory, Source: C:\Kaspersky Anti-Virus Flash.exe, Author: JPCERT/CC Incident Response Group Rule: Njrat, Description: detect njRAT in memory, Source: C:\Kaspersky Anti-Virus Flash.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Kaspersky Anti-Virus Flash.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Kaspersky Anti-Virus Flash.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Kaspersky Anti-Virus Flash.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Kaspersky Anti-Virus Flash.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Kaspersky Anti-Virus Flash.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Kaspersky Anti-Virus Flash.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Kaspersky Anti-Virus Flash.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Kaspersky Anti-Virus Flash.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Kaspersky Anti-Virus Flash.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Kaspersky Anti-Virus Flash.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Kaspersky Anti-Virus Flash.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Kaspersky Anti-Virus Flash.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 87%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...bWgg.................p..........N.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...To... ...p.................. ..`.reloc...............r..............@..B........................................................0.......H.......................................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Users\user\AppData\Local\DeadMom.exe

Download File

Process:	C:\Windows\server.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.561256734534238
Encrypted:	false
SSDEEP:	1536:ZYduiuNTXfL/AJbZNljEwzGi1dDFDugS:ZYdaTXfL/AhzSi1dJT
MD5:	4951D592FAC59EF8005596D2AF5D116B
SHA1:	536AB7195AFEFB6C8947A86B10ADB8D0461F7115
SHA-256:	EF022F571BBE78532CC1D1D09689470933F629F5E3775929F8926D7B51E6F122
SHA-512:	3F551F1B653764DAE9D75DBDF764389786A6004EF2C49F3C7BA81BB4412ADC7C8C3315649E4C5A8F970B3F185F67E6F04BACF1264F233225511D45CB75D20FF1
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Local\DeadMom.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Local\DeadMom.exe, Author: unknown Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\DeadMom.exe, Author: Florian Roth Rule: crimeware_njrat_strings, Description: Detects njRAT based on some strings, Source: C:\Users\user\AppData\Local\DeadMom.exe, Author: Sekoia.io Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Local\DeadMom.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Local\DeadMom.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Local\DeadMom.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Local\DeadMom.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Local\DeadMom.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Local\DeadMom.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Local\DeadMom.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Local\DeadMom.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Local\DeadMom.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Local\DeadMom.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Local\DeadMom.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Local\DeadMom.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Local\DeadMom.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Local\DeadMom.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Local\DeadMom.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Local\DeadMom.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Local\DeadMom.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Local\DeadMom.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Local\DeadMom.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Local\DeadMom.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 87%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...bWgg.................p..........N.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...To... ...p.................. ..`.reloc...............r..............@..B........................................................0.......H.......................................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\445c7762b8f06a76352fcac2e22df159Windows Update.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.259753436570609
Encrypted:	false
SSDEEP:	12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
MD5:	260E01CC001F9C4643CA7A62F395D747
SHA1:	492AD0ACE3A9C8736909866EEA168962D418BE5A
SHA-256:	4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
SHA-512:	01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\DeadMom.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.259753436570609
Encrypted:	false
SSDEEP:	12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
MD5:	260E01CC001F9C4643CA7A62F395D747
SHA1:	492AD0ACE3A9C8736909866EEA168962D418BE5A
SHA-256:	4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
SHA-512:	01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
Malicious:	false
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Microsoft Corporation.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.259753436570609
Encrypted:	false
SSDEEP:	12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
MD5:	260E01CC001F9C4643CA7A62F395D747
SHA1:	492AD0ACE3A9C8736909866EEA168962D418BE5A
SHA-256:	4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
SHA-512:	01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
Malicious:	false
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\gReXLT7XjR.exe.log

Download File

Process:	C:\Users\user\Desktop\gReXLT7XjR.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.259753436570609
Encrypted:	false
SSDEEP:	12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
MD5:	260E01CC001F9C4643CA7A62F395D747
SHA1:	492AD0ACE3A9C8736909866EEA168962D418BE5A
SHA-256:	4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
SHA-512:	01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
Malicious:	true
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\History\DeadMom.exe

Download File

Process:	C:\Windows\server.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.561256734534238
Encrypted:	false
SSDEEP:	1536:ZYduiuNTXfL/AJbZNljEwzGi1dDFDugS:ZYdaTXfL/AhzSi1dJT
MD5:	4951D592FAC59EF8005596D2AF5D116B
SHA1:	536AB7195AFEFB6C8947A86B10ADB8D0461F7115
SHA-256:	EF022F571BBE78532CC1D1D09689470933F629F5E3775929F8926D7B51E6F122
SHA-512:	3F551F1B653764DAE9D75DBDF764389786A6004EF2C49F3C7BA81BB4412ADC7C8C3315649E4C5A8F970B3F185F67E6F04BACF1264F233225511D45CB75D20FF1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 87%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...bWgg.................p..........N.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...To... ...p.................. ..`.reloc...............r..............@..B........................................................0.......H.......................................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\DeadMom.exe

Download File

Process:	C:\Windows\server.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.561256734534238
Encrypted:	false
SSDEEP:	1536:ZYduiuNTXfL/AJbZNljEwzGi1dDFDugS:ZYdaTXfL/AhzSi1dJT
MD5:	4951D592FAC59EF8005596D2AF5D116B
SHA1:	536AB7195AFEFB6C8947A86B10ADB8D0461F7115
SHA-256:	EF022F571BBE78532CC1D1D09689470933F629F5E3775929F8926D7B51E6F122
SHA-512:	3F551F1B653764DAE9D75DBDF764389786A6004EF2C49F3C7BA81BB4412ADC7C8C3315649E4C5A8F970B3F185F67E6F04BACF1264F233225511D45CB75D20FF1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 87%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...bWgg.................p..........N.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...To... ...p.................. ..`.reloc...............r..............@..B........................................................0.......H.......................................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\DeadMom.exe

Download File

Process:	C:\Windows\server.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.561256734534238
Encrypted:	false
SSDEEP:	1536:ZYduiuNTXfL/AJbZNljEwzGi1dDFDugS:ZYdaTXfL/AhzSi1dJT
MD5:	4951D592FAC59EF8005596D2AF5D116B
SHA1:	536AB7195AFEFB6C8947A86B10ADB8D0461F7115
SHA-256:	EF022F571BBE78532CC1D1D09689470933F629F5E3775929F8926D7B51E6F122
SHA-512:	3F551F1B653764DAE9D75DBDF764389786A6004EF2C49F3C7BA81BB4412ADC7C8C3315649E4C5A8F970B3F185F67E6F04BACF1264F233225511D45CB75D20FF1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 87%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...bWgg.................p..........N.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...To... ...p.................. ..`.reloc...............r..............@..B........................................................0.......H.......................................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe

Download File

Process:	C:\Windows\server.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.561256734534238
Encrypted:	false
SSDEEP:	1536:ZYduiuNTXfL/AJbZNljEwzGi1dDFDugS:ZYdaTXfL/AhzSi1dJT
MD5:	4951D592FAC59EF8005596D2AF5D116B
SHA1:	536AB7195AFEFB6C8947A86B10ADB8D0461F7115
SHA-256:	EF022F571BBE78532CC1D1D09689470933F629F5E3775929F8926D7B51E6F122
SHA-512:	3F551F1B653764DAE9D75DBDF764389786A6004EF2C49F3C7BA81BB4412ADC7C8C3315649E4C5A8F970B3F185F67E6F04BACF1264F233225511D45CB75D20FF1
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe, Author: unknown Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe, Author: Florian Roth Rule: crimeware_njrat_strings, Description: Detects njRAT based on some strings, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe, Author: Sekoia.io Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 87%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...bWgg.................p..........N.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...To... ...p.................. ..`.reloc...............r..............@..B........................................................0.......H.......................................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe

Download File

Process:	C:\Windows\server.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.561256734534238
Encrypted:	false
SSDEEP:	1536:ZYduiuNTXfL/AJbZNljEwzGi1dDFDugS:ZYdaTXfL/AhzSi1dJT
MD5:	4951D592FAC59EF8005596D2AF5D116B
SHA1:	536AB7195AFEFB6C8947A86B10ADB8D0461F7115
SHA-256:	EF022F571BBE78532CC1D1D09689470933F629F5E3775929F8926D7B51E6F122
SHA-512:	3F551F1B653764DAE9D75DBDF764389786A6004EF2C49F3C7BA81BB4412ADC7C8C3315649E4C5A8F970B3F185F67E6F04BACF1264F233225511D45CB75D20FF1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 87%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...bWgg.................p..........N.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...To... ...p.................. ..`.reloc...............r..............@..B........................................................0.......H.......................................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe

Download File

Process:	C:\Windows\server.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.561256734534238
Encrypted:	false
SSDEEP:	1536:ZYduiuNTXfL/AJbZNljEwzGi1dDFDugS:ZYdaTXfL/AhzSi1dJT
MD5:	4951D592FAC59EF8005596D2AF5D116B
SHA1:	536AB7195AFEFB6C8947A86B10ADB8D0461F7115
SHA-256:	EF022F571BBE78532CC1D1D09689470933F629F5E3775929F8926D7B51E6F122
SHA-512:	3F551F1B653764DAE9D75DBDF764389786A6004EF2C49F3C7BA81BB4412ADC7C8C3315649E4C5A8F970B3F185F67E6F04BACF1264F233225511D45CB75D20FF1
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: unknown Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: Florian Roth Rule: crimeware_njrat_strings, Description: Detects njRAT based on some strings, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: Sekoia.io Rule: crimeware_njrat_strings, Description: Detects njRAT based on some strings, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: Sekoia.io Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 87%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...bWgg.................p..........N.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...To... ...p.................. ..`.reloc...............r..............@..B........................................................0.......H.......................................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Users\user\AppData\Roaming\app

Download File

Process:	C:\Users\user\Desktop\gReXLT7XjR.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	5
Entropy (8bit):	2.321928094887362
Encrypted:	false
SSDEEP:	3:j:j
MD5:	CAC4598FDC0F92181616D12833EB6CA1
SHA1:	80A7B7A46A0E8E674B782B9EB569E5430A69C84B
SHA-256:	275918973C23AD700F278C69CC03C9C82EC9F4D9ED0F53111AD22BEC197FF440
SHA-512:	01A7556BFCCE6D9D8251AADC7F6E6169FDD0477D487CE88729C44BFE8B85B2EEE500985D553C0479765EF5B5C6DC3517C0305EFB9089814C3F8A9EA6FC51C713
Malicious:	false
Preview:	.25

C:\Users\user\Favorites\DeadMom.exe

Download File

Process:	C:\Windows\server.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.561256734534238
Encrypted:	false
SSDEEP:	1536:ZYduiuNTXfL/AJbZNljEwzGi1dDFDugS:ZYdaTXfL/AhzSi1dJT
MD5:	4951D592FAC59EF8005596D2AF5D116B
SHA1:	536AB7195AFEFB6C8947A86B10ADB8D0461F7115
SHA-256:	EF022F571BBE78532CC1D1D09689470933F629F5E3775929F8926D7B51E6F122
SHA-512:	3F551F1B653764DAE9D75DBDF764389786A6004EF2C49F3C7BA81BB4412ADC7C8C3315649E4C5A8F970B3F185F67E6F04BACF1264F233225511D45CB75D20FF1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 87%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...bWgg.................p..........N.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...To... ...p.................. ..`.reloc...............r..............@..B........................................................0.......H.......................................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Windows\SysWOW64\DeadMom.exe

Download File

Process:	C:\Windows\server.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.561256734534238
Encrypted:	false
SSDEEP:	1536:ZYduiuNTXfL/AJbZNljEwzGi1dDFDugS:ZYdaTXfL/AhzSi1dJT
MD5:	4951D592FAC59EF8005596D2AF5D116B
SHA1:	536AB7195AFEFB6C8947A86B10ADB8D0461F7115
SHA-256:	EF022F571BBE78532CC1D1D09689470933F629F5E3775929F8926D7B51E6F122
SHA-512:	3F551F1B653764DAE9D75DBDF764389786A6004EF2C49F3C7BA81BB4412ADC7C8C3315649E4C5A8F970B3F185F67E6F04BACF1264F233225511D45CB75D20FF1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 87%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...bWgg.................p..........N.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...To... ...p.................. ..`.reloc...............r..............@..B........................................................0.......H.......................................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Windows\server.exe

Download File

Process:	C:\Users\user\Desktop\gReXLT7XjR.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.561256734534238
Encrypted:	false
SSDEEP:	1536:ZYduiuNTXfL/AJbZNljEwzGi1dDFDugS:ZYdaTXfL/AhzSi1dJT
MD5:	4951D592FAC59EF8005596D2AF5D116B
SHA1:	536AB7195AFEFB6C8947A86B10ADB8D0461F7115
SHA-256:	EF022F571BBE78532CC1D1D09689470933F629F5E3775929F8926D7B51E6F122
SHA-512:	3F551F1B653764DAE9D75DBDF764389786A6004EF2C49F3C7BA81BB4412ADC7C8C3315649E4C5A8F970B3F185F67E6F04BACF1264F233225511D45CB75D20FF1
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\server.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\server.exe, Author: unknown Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Windows\server.exe, Author: Florian Roth Rule: crimeware_njrat_strings, Description: Detects njRAT based on some strings, Source: C:\Windows\server.exe, Author: Sekoia.io Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\server.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\server.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 87%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...bWgg.................p..........N.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...To... ...p.................. ..`.reloc...............r..............@..B........................................................0.......H.......................................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

\Device\ConDrv

Download File

Process:	C:\Windows\SysWOW64\netsh.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	313
Entropy (8bit):	4.971939296804078
Encrypted:	false
SSDEEP:	6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
MD5:	689E2126A85BF55121488295EE068FA1
SHA1:	09BAAA253A49D80C18326DFBCA106551EBF22DD6
SHA-256:	D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
SHA-512:	C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
Malicious:	false
Preview:	..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.561256734534238
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	gReXLT7XjR.exe
File size:	95'232 bytes
MD5:	4951d592fac59ef8005596d2af5d116b
SHA1:	536ab7195afefb6c8947a86b10adb8d0461f7115
SHA256:	ef022f571bbe78532cc1d1d09689470933f629f5e3775929f8926d7b51e6f122
SHA512:	3f551f1b653764dae9d75dbdf764389786a6004ef2c49f3c7ba81bb4412adc7c8c3315649e4c5a8f970b3f185f67e6f04bacf1264f233225511d45cb75d20ff1
SSDEEP:	1536:ZYduiuNTXfL/AJbZNljEwzGi1dDFDugS:ZYdaTXfL/AhzSi1dJT
TLSH:	E993E84977E96524E0BF56F75871F2005E34F44B1602E39E49F219EA0A33AC44F89FEA
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...bWgg.................p..........N.... ........@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x418f4e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67675762 [Sun Dec 22 00:03:46 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x18ef8	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x16f54	0x17000	f8aca29152d16cfd818c0c88d14f4c01	False	0.3685249660326087	data	5.59291696116443	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0x1a000	0xc	0x200	dddee5b48052d5dc59ff07bd5a224610	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-25T19:27:01.311411+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	49730	147.185.221.18	42876	TCP
2024-12-25T19:27:01.311411+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	49730	147.185.221.18	42876	TCP
2024-12-25T19:27:04.782030+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	49731	147.185.221.18	42876	TCP
2024-12-25T19:27:04.782030+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	49731	147.185.221.18	42876	TCP
2024-12-25T19:27:08.629357+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	49732	147.185.221.18	42876	TCP
2024-12-25T19:27:08.629357+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	49732	147.185.221.18	42876	TCP
2024-12-25T19:27:12.521222+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	49733	147.185.221.18	42876	TCP
2024-12-25T19:27:12.521222+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	49733	147.185.221.18	42876	TCP
2024-12-25T19:27:16.605337+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	49736	147.185.221.18	42876	TCP
2024-12-25T19:27:16.605337+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	49736	147.185.221.18	42876	TCP
2024-12-25T19:27:20.441669+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	49740	147.185.221.18	42876	TCP
2024-12-25T19:27:20.441669+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	49740	147.185.221.18	42876	TCP
2024-12-25T19:27:24.279456+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	49742	147.185.221.18	42876	TCP
2024-12-25T19:27:24.279456+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	49742	147.185.221.18	42876	TCP
2024-12-25T19:27:28.109295+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	49743	147.185.221.18	42876	TCP
2024-12-25T19:27:28.109295+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	49743	147.185.221.18	42876	TCP
2024-12-25T19:27:31.985928+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	49744	147.185.221.18	42876	TCP
2024-12-25T19:27:31.985928+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	49744	147.185.221.18	42876	TCP
2024-12-25T19:27:32.633274+0100	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.4	49744	147.185.221.18	42876	TCP
2024-12-25T19:27:35.816452+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	49745	147.185.221.18	42876	TCP
2024-12-25T19:27:35.816452+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	49745	147.185.221.18	42876	TCP
2024-12-25T19:27:39.671891+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	49746	147.185.221.18	42876	TCP
2024-12-25T19:27:39.671891+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	49746	147.185.221.18	42876	TCP
2024-12-25T19:27:43.502795+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	49747	147.185.221.18	42876	TCP
2024-12-25T19:27:43.502795+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	49747	147.185.221.18	42876	TCP
2024-12-25T19:27:45.137550+0100	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.4	49747	147.185.221.18	42876	TCP
2024-12-25T19:27:47.381066+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	49748	147.185.221.18	42876	TCP
2024-12-25T19:27:47.381066+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	49748	147.185.221.18	42876	TCP
2024-12-25T19:27:51.416703+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	49749	147.185.221.18	42876	TCP
2024-12-25T19:27:51.416703+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	49749	147.185.221.18	42876	TCP
2024-12-25T19:27:52.530998+0100	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.4	49749	147.185.221.18	42876	TCP
2024-12-25T19:27:55.256662+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	49751	147.185.221.18	42876	TCP
2024-12-25T19:27:55.256662+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	49751	147.185.221.18	42876	TCP
2024-12-25T19:27:59.110643+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	49763	147.185.221.18	42876	TCP
2024-12-25T19:27:59.110643+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	49763	147.185.221.18	42876	TCP
2024-12-25T19:28:00.056725+0100	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.4	49763	147.185.221.18	42876	TCP
2024-12-25T19:28:02.984793+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	49769	147.185.221.18	42876	TCP
2024-12-25T19:28:02.984793+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	49769	147.185.221.18	42876	TCP
2024-12-25T19:28:03.452295+0100	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.4	49769	147.185.221.18	42876	TCP
2024-12-25T19:28:06.673988+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	49779	147.185.221.18	42876	TCP
2024-12-25T19:28:06.673988+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	49779	147.185.221.18	42876	TCP
2024-12-25T19:28:06.916756+0100	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.4	49779	147.185.221.18	42876	TCP
2024-12-25T19:28:10.290338+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	49789	147.185.221.18	42876	TCP
2024-12-25T19:28:10.290338+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	49789	147.185.221.18	42876	TCP
2024-12-25T19:28:13.798520+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	49796	147.185.221.18	42876	TCP
2024-12-25T19:28:13.798520+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	49796	147.185.221.18	42876	TCP
2024-12-25T19:28:17.435879+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	49806	147.185.221.18	42876	TCP
2024-12-25T19:28:17.435879+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	49806	147.185.221.18	42876	TCP
2024-12-25T19:28:20.742541+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	49813	147.185.221.18	42876	TCP
2024-12-25T19:28:20.742541+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	49813	147.185.221.18	42876	TCP
2024-12-25T19:28:23.895442+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	49823	147.185.221.18	42876	TCP
2024-12-25T19:28:23.895442+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	49823	147.185.221.18	42876	TCP
2024-12-25T19:28:27.015106+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	49830	147.185.221.18	42876	TCP
2024-12-25T19:28:27.015106+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	49830	147.185.221.18	42876	TCP
2024-12-25T19:28:30.031254+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	49836	147.185.221.18	42876	TCP
2024-12-25T19:28:30.031254+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	49836	147.185.221.18	42876	TCP
2024-12-25T19:28:56.960211+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	49893	147.185.221.18	42876	TCP
2024-12-25T19:28:56.960211+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	49893	147.185.221.18	42876	TCP
2024-12-25T19:28:59.828732+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	49902	147.185.221.18	42876	TCP
2024-12-25T19:28:59.828732+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	49902	147.185.221.18	42876	TCP
2024-12-25T19:29:02.596571+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	49909	147.185.221.18	42876	TCP
2024-12-25T19:29:02.596571+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	49909	147.185.221.18	42876	TCP
2024-12-25T19:29:05.380948+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	49915	147.185.221.18	42876	TCP
2024-12-25T19:29:05.380948+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	49915	147.185.221.18	42876	TCP
2024-12-25T19:29:08.464794+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	49921	147.185.221.18	42876	TCP
2024-12-25T19:29:08.464794+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	49921	147.185.221.18	42876	TCP
2024-12-25T19:29:11.059281+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	49927	147.185.221.18	42876	TCP
2024-12-25T19:29:11.059281+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	49927	147.185.221.18	42876	TCP
2024-12-25T19:29:12.016440+0100	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.4	49927	147.185.221.18	42876	TCP
2024-12-25T19:29:13.563423+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	49933	147.185.221.18	42876	TCP
2024-12-25T19:29:13.563423+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	49933	147.185.221.18	42876	TCP
2024-12-25T19:29:16.067195+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	49940	147.185.221.18	42876	TCP
2024-12-25T19:29:16.067195+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	49940	147.185.221.18	42876	TCP
2024-12-25T19:29:17.797691+0100	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.4	49940	147.185.221.18	42876	TCP
2024-12-25T19:29:18.553373+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	49947	147.185.221.18	42876	TCP
2024-12-25T19:29:18.553373+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	49947	147.185.221.18	42876	TCP
2024-12-25T19:29:19.739101+0100	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.4	49947	147.185.221.18	42876	TCP
2024-12-25T19:29:21.005336+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	49954	147.185.221.18	42876	TCP
2024-12-25T19:29:21.005336+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	49954	147.185.221.18	42876	TCP
2024-12-25T19:29:21.315622+0100	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.4	49954	147.185.221.18	42876	TCP
2024-12-25T19:29:23.394832+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	49960	147.185.221.18	42876	TCP
2024-12-25T19:29:23.394832+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	49960	147.185.221.18	42876	TCP
2024-12-25T19:29:23.636305+0100	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.4	49960	147.185.221.18	42876	TCP
2024-12-25T19:29:25.827890+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	49966	147.185.221.18	42876	TCP
2024-12-25T19:29:25.827890+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	49966	147.185.221.18	42876	TCP
2024-12-25T19:29:26.234384+0100	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.4	49966	147.185.221.18	42876	TCP
2024-12-25T19:29:28.796450+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	49972	147.185.221.18	42876	TCP
2024-12-25T19:29:28.796450+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	49972	147.185.221.18	42876	TCP
2024-12-25T19:29:29.140402+0100	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.4	49972	147.185.221.18	42876	TCP
2024-12-25T19:29:31.016652+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	49977	147.185.221.18	42876	TCP
2024-12-25T19:29:31.016652+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	49977	147.185.221.18	42876	TCP
2024-12-25T19:29:31.258357+0100	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.4	49977	147.185.221.18	42876	TCP
2024-12-25T19:29:33.308343+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	49983	147.185.221.18	42876	TCP
2024-12-25T19:29:33.308343+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	49983	147.185.221.18	42876	TCP
2024-12-25T19:29:35.532168+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	49989	147.185.221.18	42876	TCP
2024-12-25T19:29:35.532168+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	49989	147.185.221.18	42876	TCP
2024-12-25T19:29:37.713030+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	49995	147.185.221.18	42876	TCP
2024-12-25T19:29:37.713030+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	49995	147.185.221.18	42876	TCP
2024-12-25T19:29:39.891898+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	50001	147.185.221.18	42876	TCP
2024-12-25T19:29:39.891898+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	50001	147.185.221.18	42876	TCP
2024-12-25T19:29:42.069274+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	50007	147.185.221.18	42876	TCP
2024-12-25T19:29:42.069274+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	50007	147.185.221.18	42876	TCP
2024-12-25T19:29:42.317709+0100	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.4	50007	147.185.221.18	42876	TCP
2024-12-25T19:29:44.227018+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	50013	147.185.221.18	42876	TCP
2024-12-25T19:29:44.227018+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	50013	147.185.221.18	42876	TCP
2024-12-25T19:29:46.487974+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	50019	147.185.221.18	42876	TCP
2024-12-25T19:29:46.487974+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	50019	147.185.221.18	42876	TCP
2024-12-25T19:29:48.630910+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	50024	147.185.221.18	42876	TCP
2024-12-25T19:29:48.630910+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	50024	147.185.221.18	42876	TCP
2024-12-25T19:29:50.710170+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	50030	147.185.221.18	42876	TCP
2024-12-25T19:29:50.710170+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	50030	147.185.221.18	42876	TCP
2024-12-25T19:29:52.763223+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	50036	147.185.221.18	42876	TCP
2024-12-25T19:29:52.763223+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	50036	147.185.221.18	42876	TCP
2024-12-25T19:29:54.859952+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	50040	147.185.221.18	42876	TCP
2024-12-25T19:29:54.859952+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	50040	147.185.221.18	42876	TCP
2024-12-25T19:29:56.943978+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	50046	147.185.221.18	42876	TCP
2024-12-25T19:29:56.943978+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	50046	147.185.221.18	42876	TCP
2024-12-25T19:29:59.035178+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	50051	147.185.221.18	42876	TCP
2024-12-25T19:29:59.035178+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	50051	147.185.221.18	42876	TCP
2024-12-25T19:30:01.060620+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	50054	147.185.221.18	42876	TCP
2024-12-25T19:30:01.060620+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	50054	147.185.221.18	42876	TCP
2024-12-25T19:30:03.136417+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	50055	147.185.221.18	42876	TCP
2024-12-25T19:30:03.136417+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	50055	147.185.221.18	42876	TCP
2024-12-25T19:30:05.144405+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	50056	147.185.221.18	42876	TCP
2024-12-25T19:30:05.144405+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	50056	147.185.221.18	42876	TCP
2024-12-25T19:30:05.384843+0100	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.4	50056	147.185.221.18	42876	TCP
2024-12-25T19:30:07.114444+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	50057	147.185.221.18	42876	TCP
2024-12-25T19:30:07.114444+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	50057	147.185.221.18	42876	TCP
2024-12-25T19:30:09.158428+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	50058	147.185.221.18	42876	TCP
2024-12-25T19:30:09.158428+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	50058	147.185.221.18	42876	TCP
2024-12-25T19:30:11.116363+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	50059	147.185.221.18	42876	TCP
2024-12-25T19:30:11.116363+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	50059	147.185.221.18	42876	TCP
2024-12-25T19:30:13.048197+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	50060	147.185.221.18	42876	TCP
2024-12-25T19:30:13.048197+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	50060	147.185.221.18	42876	TCP
2024-12-25T19:30:15.023097+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	50061	147.185.221.18	42876	TCP
2024-12-25T19:30:15.023097+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	50061	147.185.221.18	42876	TCP
2024-12-25T19:30:15.803404+0100	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.4	50061	147.185.221.18	42876	TCP
2024-12-25T19:30:17.017306+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	50062	147.185.221.18	42876	TCP
2024-12-25T19:30:17.017306+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	50062	147.185.221.18	42876	TCP
2024-12-25T19:30:18.970100+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	50063	147.185.221.18	42876	TCP
2024-12-25T19:30:18.970100+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	50063	147.185.221.18	42876	TCP
2024-12-25T19:30:21.064635+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	50064	147.185.221.18	42876	TCP
2024-12-25T19:30:21.064635+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	50064	147.185.221.18	42876	TCP
2024-12-25T19:30:23.067903+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	50065	147.185.221.18	42876	TCP
2024-12-25T19:30:23.067903+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	50065	147.185.221.18	42876	TCP
2024-12-25T19:30:24.909726+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	50066	147.185.221.18	42876	TCP
2024-12-25T19:30:24.909726+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	50066	147.185.221.18	42876	TCP
2024-12-25T19:30:26.800683+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	50067	147.185.221.18	42876	TCP
2024-12-25T19:30:26.800683+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	50067	147.185.221.18	42876	TCP
2024-12-25T19:30:28.697052+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	50068	147.185.221.18	42876	TCP
2024-12-25T19:30:28.697052+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	50068	147.185.221.18	42876	TCP
2024-12-25T19:30:30.621315+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	50069	147.185.221.18	42876	TCP
2024-12-25T19:30:30.621315+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	50069	147.185.221.18	42876	TCP
2024-12-25T19:30:32.505468+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	50070	147.185.221.18	42876	TCP
2024-12-25T19:30:32.505468+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	50070	147.185.221.18	42876	TCP
2024-12-25T19:30:34.395945+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	50071	147.185.221.18	42876	TCP
2024-12-25T19:30:34.395945+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	50071	147.185.221.18	42876	TCP
2024-12-25T19:30:36.284419+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	50072	147.185.221.18	42876	TCP
2024-12-25T19:30:36.284419+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	50072	147.185.221.18	42876	TCP
2024-12-25T19:30:38.189590+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	50073	147.185.221.18	42876	TCP
2024-12-25T19:30:38.189590+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	50073	147.185.221.18	42876	TCP
2024-12-25T19:30:40.087676+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	50074	147.185.221.18	42876	TCP
2024-12-25T19:30:40.087676+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	50074	147.185.221.18	42876	TCP
2024-12-25T19:30:42.007971+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	50075	147.185.221.18	42876	TCP
2024-12-25T19:30:42.007971+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	50075	147.185.221.18	42876	TCP
2024-12-25T19:30:43.888278+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	50076	147.185.221.18	42876	TCP
2024-12-25T19:30:43.888278+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	50076	147.185.221.18	42876	TCP
2024-12-25T19:30:45.782984+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	50077	147.185.221.18	42876	TCP
2024-12-25T19:30:45.782984+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	50077	147.185.221.18	42876	TCP
2024-12-25T19:30:47.647823+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	50078	147.185.221.18	42876	TCP
2024-12-25T19:30:47.647823+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	50078	147.185.221.18	42876	TCP
2024-12-25T19:30:48.135698+0100	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.4	50078	147.185.221.18	42876	TCP
2024-12-25T19:30:49.548519+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	50079	147.185.221.18	42876	TCP
2024-12-25T19:30:49.548519+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	50079	147.185.221.18	42876	TCP
2024-12-25T19:30:51.409873+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	50080	147.185.221.18	42876	TCP
2024-12-25T19:30:51.409873+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	50080	147.185.221.18	42876	TCP
2024-12-25T19:30:53.339640+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	50081	147.185.221.18	42876	TCP
2024-12-25T19:30:53.339640+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	50081	147.185.221.18	42876	TCP
2024-12-25T19:30:55.232783+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	50082	147.185.221.18	42876	TCP
2024-12-25T19:30:55.232783+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	50082	147.185.221.18	42876	TCP
2024-12-25T19:30:56.291850+0100	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.4	50082	147.185.221.18	42876	TCP
2024-12-25T19:30:57.111374+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	50083	147.185.221.18	42876	TCP
2024-12-25T19:30:57.111374+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	50083	147.185.221.18	42876	TCP
2024-12-25T19:30:58.988654+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	50084	147.185.221.18	42876	TCP
2024-12-25T19:30:58.988654+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	50084	147.185.221.18	42876	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 25, 2024 19:27:00.715389967 CET	49730	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:00.837404013 CET	42876	49730	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:00.837512970 CET	49730	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:01.311410904 CET	49730	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:01.432539940 CET	42876	49730	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:01.432605028 CET	49730	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:01.553119898 CET	42876	49730	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:02.589032888 CET	42876	49730	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:02.589108944 CET	49730	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:04.616844893 CET	49730	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:04.618122101 CET	49731	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:04.739356995 CET	42876	49730	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:04.740324974 CET	42876	49731	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:04.740402937 CET	49731	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:04.782030106 CET	49731	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:04.901801109 CET	42876	49731	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:04.901913881 CET	49731	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:05.023078918 CET	42876	49731	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:06.478001118 CET	42876	49731	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:06.478096008 CET	49731	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:08.488091946 CET	49731	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:08.508174896 CET	49732	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:08.608361006 CET	42876	49731	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:08.627928019 CET	42876	49732	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:08.628154039 CET	49732	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:08.629357100 CET	49732	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:08.751368999 CET	42876	49732	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:08.751579046 CET	49732	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:08.875699997 CET	42876	49732	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:10.352971077 CET	42876	49732	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:10.353094101 CET	49732	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:12.363367081 CET	49732	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:12.364522934 CET	49733	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:12.489890099 CET	42876	49732	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:12.490920067 CET	42876	49733	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:12.491002083 CET	49733	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:12.521222115 CET	49733	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:12.645080090 CET	42876	49733	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:12.645149946 CET	49733	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:12.765075922 CET	42876	49733	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:14.213239908 CET	42876	49733	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:14.213438034 CET	49733	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:16.224564075 CET	49733	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:16.363591909 CET	49736	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:16.604618073 CET	42876	49733	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:16.604665995 CET	42876	49736	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:16.604748964 CET	49736	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:16.605336905 CET	49736	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:16.725470066 CET	42876	49736	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:16.725532055 CET	49736	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:16.849850893 CET	42876	49736	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:18.291100979 CET	42876	49736	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:18.295161963 CET	49736	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:20.315458059 CET	49736	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:20.316293955 CET	49740	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:20.440351963 CET	42876	49736	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:20.441086054 CET	42876	49740	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:20.441148996 CET	49740	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:20.441668987 CET	49740	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:20.564954996 CET	42876	49740	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:20.565455914 CET	49740	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:20.685165882 CET	42876	49740	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:22.135809898 CET	42876	49740	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:22.139287949 CET	49740	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:24.144633055 CET	49740	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:24.152303934 CET	49742	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:24.276109934 CET	42876	49740	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:24.276125908 CET	42876	49742	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:24.276289940 CET	49742	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:24.279455900 CET	49742	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:24.400325060 CET	42876	49742	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:24.400485039 CET	49742	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:24.520777941 CET	42876	49742	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:25.977650881 CET	42876	49742	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:25.979206085 CET	49742	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:27.987992048 CET	49742	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:27.988950014 CET	49743	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:28.108071089 CET	42876	49742	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:28.108788013 CET	42876	49743	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:28.108896971 CET	49743	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:28.109294891 CET	49743	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:28.229722023 CET	42876	49743	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:28.229793072 CET	49743	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:28.349683046 CET	42876	49743	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:29.820729971 CET	42876	49743	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:29.820982933 CET	49743	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:31.863437891 CET	49743	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:31.864269018 CET	49744	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:31.984926939 CET	42876	49743	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:31.985141039 CET	42876	49744	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:31.985250950 CET	49744	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:31.985928059 CET	49744	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:32.105496883 CET	42876	49744	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:32.110636950 CET	49744	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:32.230665922 CET	42876	49744	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:32.633274078 CET	49744	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:32.752988100 CET	42876	49744	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:33.682449102 CET	42876	49744	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:33.682507992 CET	49744	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:35.691119909 CET	49744	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:35.691881895 CET	49745	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:35.814963102 CET	42876	49744	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:35.815781116 CET	42876	49745	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:35.815885067 CET	49745	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:35.816452026 CET	49745	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:35.939373970 CET	42876	49745	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:35.939471006 CET	49745	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:36.061973095 CET	42876	49745	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:37.543595076 CET	42876	49745	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:37.543682098 CET	49745	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:39.550590038 CET	49745	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:39.551450014 CET	49746	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:39.670751095 CET	42876	49745	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:39.671051025 CET	42876	49746	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:39.671125889 CET	49746	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:39.671890974 CET	49746	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:39.792956114 CET	42876	49746	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:39.793076992 CET	49746	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:39.916816950 CET	42876	49746	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:41.370229959 CET	42876	49746	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:41.370316029 CET	49746	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:43.378798008 CET	49746	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:43.379631996 CET	49747	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:43.501271009 CET	42876	49746	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:43.501720905 CET	42876	49747	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:43.501806974 CET	49747	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:43.502794981 CET	49747	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:43.622785091 CET	42876	49747	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:43.622993946 CET	49747	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:43.747673988 CET	42876	49747	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:45.137550116 CET	49747	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:45.241034031 CET	42876	49747	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:45.241309881 CET	49747	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:45.259490967 CET	42876	49747	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:45.361308098 CET	42876	49747	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:47.254496098 CET	49748	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:47.380510092 CET	42876	49748	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:47.380707026 CET	49748	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:47.381066084 CET	49748	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:47.695230961 CET	42876	49748	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:47.695405960 CET	49748	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:47.815202951 CET	42876	49748	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:49.276058912 CET	42876	49748	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:49.276154995 CET	49748	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:51.292117119 CET	49748	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:51.293504953 CET	49749	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:51.414601088 CET	42876	49748	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:51.415704966 CET	42876	49749	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:51.415834904 CET	49749	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:51.416702986 CET	49749	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:51.543205023 CET	42876	49749	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:51.543262005 CET	49749	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:51.669198036 CET	42876	49749	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:52.530997992 CET	49749	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:52.651949883 CET	42876	49749	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:53.119466066 CET	42876	49749	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:53.119549036 CET	49749	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:55.128880978 CET	49749	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:55.129815102 CET	49751	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:55.254823923 CET	42876	49749	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:55.255845070 CET	42876	49751	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:55.255920887 CET	49751	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:55.256661892 CET	49751	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:55.376339912 CET	42876	49751	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:55.376456022 CET	49751	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:55.496438980 CET	42876	49751	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:56.978615046 CET	42876	49751	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:56.978873014 CET	49751	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:58.988246918 CET	49751	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:58.989203930 CET	49763	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:59.108973980 CET	42876	49751	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:59.109731913 CET	42876	49763	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:59.109838963 CET	49763	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:59.110642910 CET	49763	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:59.230098009 CET	42876	49763	147.185.221.18	192.168.2.4
Dec 25, 2024 19:27:59.230187893 CET	49763	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:27:59.349880934 CET	42876	49763	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:00.056725025 CET	49763	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:00.183350086 CET	42876	49763	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:00.855138063 CET	42876	49763	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:00.855235100 CET	49763	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:02.863723040 CET	49763	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:02.864550114 CET	49769	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:02.983441114 CET	42876	49763	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:02.983997107 CET	42876	49769	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:02.984069109 CET	49769	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:02.984792948 CET	49769	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:03.104496956 CET	42876	49769	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:03.104566097 CET	49769	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:03.225585938 CET	42876	49769	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:03.452295065 CET	49769	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:03.577277899 CET	42876	49769	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:04.682301998 CET	42876	49769	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:04.682380915 CET	49769	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:06.552558899 CET	49769	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:06.553432941 CET	49779	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:06.672189951 CET	42876	49769	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:06.673039913 CET	42876	49779	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:06.673219919 CET	49779	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:06.673988104 CET	49779	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:06.795509100 CET	42876	49779	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:06.795573950 CET	49779	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:06.916685104 CET	42876	49779	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:06.916755915 CET	49779	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:07.041635036 CET	42876	49779	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:08.400230885 CET	42876	49779	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:08.400368929 CET	49779	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:10.149432898 CET	49779	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:10.150228024 CET	49789	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:10.273554087 CET	42876	49779	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:10.274333954 CET	42876	49789	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:10.274403095 CET	49789	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:10.290338039 CET	49789	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:10.412559032 CET	42876	49789	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:10.412746906 CET	49789	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:10.537792921 CET	42876	49789	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:12.041523933 CET	42876	49789	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:12.041620970 CET	49789	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:13.676042080 CET	49789	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:13.676882982 CET	49796	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:13.797009945 CET	42876	49789	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:13.797540903 CET	42876	49796	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:13.797722101 CET	49796	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:13.798520088 CET	49796	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:13.919867039 CET	42876	49796	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:13.920118093 CET	49796	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:14.039748907 CET	42876	49796	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:15.519877911 CET	42876	49796	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:15.519938946 CET	49796	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:17.062634945 CET	49796	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:17.079392910 CET	49806	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:17.434856892 CET	42876	49796	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:17.434873104 CET	42876	49806	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:17.434974909 CET	49806	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:17.435878992 CET	49806	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:17.562117100 CET	42876	49806	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:17.562186003 CET	49806	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:17.683542967 CET	42876	49806	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:19.152081966 CET	42876	49806	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:19.152141094 CET	49806	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:20.596735954 CET	49806	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:20.618604898 CET	49813	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:20.716305017 CET	42876	49806	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:20.738532066 CET	42876	49813	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:20.741691113 CET	49813	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:20.742541075 CET	49813	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:20.866981983 CET	42876	49813	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:20.867055893 CET	49813	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:20.988595009 CET	42876	49813	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:22.433686018 CET	42876	49813	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:22.434011936 CET	49813	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:23.769623041 CET	49813	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:23.774049044 CET	49823	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:23.889483929 CET	42876	49813	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:23.893759012 CET	42876	49823	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:23.893826008 CET	49823	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:23.895442009 CET	49823	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:24.015412092 CET	42876	49823	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:24.015456915 CET	49823	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:24.135181904 CET	42876	49823	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:25.600575924 CET	42876	49823	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:25.603632927 CET	49823	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:26.887147903 CET	49823	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:26.888266087 CET	49830	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:27.013468027 CET	42876	49823	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:27.014270067 CET	42876	49830	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:27.014345884 CET	49830	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:27.015105963 CET	49830	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:27.134615898 CET	42876	49830	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:27.134685993 CET	49830	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:27.255007029 CET	42876	49830	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:28.747380972 CET	42876	49830	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:28.747548103 CET	49830	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:29.910415888 CET	49830	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:29.911108017 CET	49836	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:30.030244112 CET	42876	49830	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:30.030664921 CET	42876	49836	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:30.030838966 CET	49836	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:30.031254053 CET	49836	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:30.150857925 CET	42876	49836	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:30.150943995 CET	49836	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:30.272675991 CET	42876	49836	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:55.747067928 CET	42876	49836	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:55.747256041 CET	49836	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:56.832510948 CET	49836	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:56.833472967 CET	49893	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:56.958031893 CET	42876	49836	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:56.959407091 CET	42876	49893	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:56.959578991 CET	49893	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:56.960211039 CET	49893	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:57.080558062 CET	42876	49893	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:57.080717087 CET	49893	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:57.201023102 CET	42876	49893	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:58.698340893 CET	42876	49893	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:58.698414087 CET	49893	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:59.707443953 CET	49893	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:59.708323956 CET	49902	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:59.827261925 CET	42876	49893	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:59.827950954 CET	42876	49902	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:59.828015089 CET	49902	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:59.828732014 CET	49902	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:28:59.948293924 CET	42876	49902	147.185.221.18	192.168.2.4
Dec 25, 2024 19:28:59.948383093 CET	49902	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:00.068877935 CET	42876	49902	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:01.513051987 CET	42876	49902	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:01.513130903 CET	49902	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:02.468944073 CET	49902	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:02.469686031 CET	49909	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:02.595113039 CET	42876	49902	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:02.595918894 CET	42876	49909	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:02.596014023 CET	49909	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:02.596570969 CET	49909	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:02.716125965 CET	42876	49909	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:02.716202974 CET	49909	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:02.835932970 CET	42876	49909	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:04.337802887 CET	42876	49909	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:04.337964058 CET	49909	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:05.223046064 CET	49909	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:05.223824024 CET	49915	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:05.350986004 CET	42876	49909	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:05.351361990 CET	42876	49915	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:05.351458073 CET	49915	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:05.380948067 CET	49915	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:05.501697063 CET	42876	49915	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:05.501862049 CET	49915	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:05.622298002 CET	42876	49915	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:07.058984995 CET	42876	49915	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:07.059057951 CET	49915	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:07.892216921 CET	49915	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:07.893045902 CET	49921	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:08.223014116 CET	49915	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:08.417521954 CET	42876	49915	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:08.417562008 CET	42876	49921	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:08.417593002 CET	42876	49915	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:08.417670012 CET	49921	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:08.417689085 CET	49915	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:08.464793921 CET	49921	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:08.589237928 CET	42876	49921	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:08.589437962 CET	49921	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:08.712429047 CET	42876	49921	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:10.123673916 CET	42876	49921	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:10.123780966 CET	49921	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:10.895049095 CET	49921	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:10.896028996 CET	49927	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:11.014683962 CET	42876	49921	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:11.015831947 CET	42876	49927	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:11.015908003 CET	49927	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:11.059281111 CET	49927	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:11.180203915 CET	42876	49927	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:11.180324078 CET	49927	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:11.300105095 CET	42876	49927	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:12.016439915 CET	49927	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:12.136668921 CET	42876	49927	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:12.716073990 CET	42876	49927	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:12.718626022 CET	49927	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:13.441854000 CET	49927	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:13.442615032 CET	49933	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:13.561892986 CET	42876	49927	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:13.562675953 CET	42876	49933	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:13.562854052 CET	49933	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:13.563422918 CET	49933	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:13.683121920 CET	42876	49933	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:13.683348894 CET	49933	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:13.803303003 CET	42876	49933	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:15.272238970 CET	42876	49933	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:15.272313118 CET	49933	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:15.943768978 CET	49933	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:15.944791079 CET	49940	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:16.065109968 CET	42876	49933	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:16.066380024 CET	42876	49940	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:16.066462040 CET	49940	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:16.067194939 CET	49940	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:16.190677881 CET	42876	49940	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:16.190834045 CET	49940	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:16.317065001 CET	42876	49940	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:17.797691107 CET	49940	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:17.805912018 CET	42876	49940	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:17.805999041 CET	49940	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:17.922288895 CET	42876	49940	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:17.931510925 CET	42876	49940	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:18.427267075 CET	49947	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:18.552556992 CET	42876	49947	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:18.552649021 CET	49947	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:18.553373098 CET	49947	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:18.672979116 CET	42876	49947	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:18.673079967 CET	49947	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:18.792897940 CET	42876	49947	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:19.739100933 CET	49947	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:19.860609055 CET	42876	49947	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:20.274725914 CET	42876	49947	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:20.274945974 CET	49947	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:20.876914978 CET	49947	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:20.880093098 CET	49954	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:21.001068115 CET	42876	49947	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:21.004547119 CET	42876	49954	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:21.004722118 CET	49954	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:21.005336046 CET	49954	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:21.126358032 CET	42876	49954	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:21.126523972 CET	49954	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:21.246221066 CET	42876	49954	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:21.315622091 CET	49954	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:21.436168909 CET	42876	49954	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:22.699886084 CET	42876	49954	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:22.700602055 CET	49954	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:23.267182112 CET	49954	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:23.274355888 CET	49960	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:23.386976004 CET	42876	49954	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:23.393979073 CET	42876	49960	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:23.394071102 CET	49960	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:23.394831896 CET	49960	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:23.516133070 CET	42876	49960	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:23.516293049 CET	49960	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:23.636177063 CET	42876	49960	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:23.636305094 CET	49960	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:23.759087086 CET	42876	49960	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:25.090166092 CET	42876	49960	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:25.090245962 CET	49960	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:25.682310104 CET	49960	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:25.694852114 CET	49966	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:25.808872938 CET	42876	49960	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:25.821559906 CET	42876	49966	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:25.821664095 CET	49966	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:25.827889919 CET	49966	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:25.952162027 CET	42876	49966	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:25.952275991 CET	49966	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:26.071952105 CET	42876	49966	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:26.234384060 CET	49966	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:26.354419947 CET	42876	49966	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:27.542459011 CET	42876	49966	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:27.542548895 CET	49966	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:28.020212889 CET	49966	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:28.021101952 CET	49972	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:28.520056009 CET	49966	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:28.763843060 CET	42876	49966	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:28.763906002 CET	42876	49972	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:28.763997078 CET	49972	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:28.791785955 CET	42876	49966	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:28.791866064 CET	49966	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:28.796449900 CET	49972	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:28.916255951 CET	42876	49972	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:28.916325092 CET	49972	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:29.036083937 CET	42876	49972	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:29.140402079 CET	49972	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:29.459511042 CET	42876	49972	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:30.451019049 CET	42876	49972	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:30.452065945 CET	49972	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:30.895386934 CET	49972	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:30.896178961 CET	49977	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:31.015192986 CET	42876	49972	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:31.015835047 CET	42876	49977	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:31.015995026 CET	49977	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:31.016652107 CET	49977	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:31.136883020 CET	42876	49977	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:31.137366056 CET	49977	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:31.258167028 CET	42876	49977	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:31.258357048 CET	49977	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:31.378119946 CET	42876	49977	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:32.745718956 CET	42876	49977	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:32.745784998 CET	49977	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:33.179620028 CET	49977	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:33.184573889 CET	49983	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:33.301940918 CET	42876	49977	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:33.307308912 CET	42876	49983	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:33.307399988 CET	49983	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:33.308342934 CET	49983	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:33.428776979 CET	42876	49983	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:33.428957939 CET	49983	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:33.548743010 CET	42876	49983	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:35.027128935 CET	42876	49983	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:35.028096914 CET	49983	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:35.410903931 CET	49983	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:35.411725044 CET	49989	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:35.530481100 CET	42876	49983	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:35.531236887 CET	42876	49989	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:35.531425953 CET	49989	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:35.532167912 CET	49989	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:35.651735067 CET	42876	49989	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:35.652108908 CET	49989	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:35.772947073 CET	42876	49989	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:37.218472004 CET	42876	49989	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:37.218554020 CET	49989	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:37.590959072 CET	49989	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:37.591845989 CET	49995	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:37.711275101 CET	42876	49989	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:37.712058067 CET	42876	49995	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:37.712148905 CET	49995	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:37.713030100 CET	49995	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:37.832626104 CET	42876	49995	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:37.832693100 CET	49995	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:37.952902079 CET	42876	49995	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:39.433336020 CET	42876	49995	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:39.433445930 CET	49995	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:39.770334959 CET	49995	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:39.771485090 CET	50001	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:39.890135050 CET	42876	49995	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:39.891076088 CET	42876	50001	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:39.891170025 CET	50001	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:39.891897917 CET	50001	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:40.011838913 CET	42876	50001	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:40.011989117 CET	50001	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:40.133254051 CET	42876	50001	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:41.619585991 CET	42876	50001	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:41.619693995 CET	50001	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:41.942121983 CET	50001	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:41.943260908 CET	50007	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:42.066063881 CET	42876	50001	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:42.067428112 CET	42876	50007	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:42.067501068 CET	50007	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:42.069273949 CET	50007	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:42.194211960 CET	42876	50007	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:42.194314957 CET	50007	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:42.317612886 CET	42876	50007	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:42.317708969 CET	50007	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:42.444137096 CET	42876	50007	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:43.793791056 CET	42876	50007	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:43.793919086 CET	50007	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:44.098442078 CET	50007	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:44.099306107 CET	50013	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:44.224936008 CET	42876	50007	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:44.226025105 CET	42876	50013	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:44.226130009 CET	50013	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:44.227018118 CET	50013	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:44.353487015 CET	42876	50013	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:44.353620052 CET	50013	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:44.476831913 CET	42876	50013	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:45.965678930 CET	42876	50013	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:45.965801954 CET	50013	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:46.241379023 CET	50013	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:46.242198944 CET	50019	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:46.485534906 CET	42876	50013	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:46.485596895 CET	42876	50019	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:46.485688925 CET	50019	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:46.487973928 CET	50019	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:46.613872051 CET	42876	50019	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:46.613943100 CET	50019	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:46.733654976 CET	42876	50019	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:48.185944080 CET	42876	50019	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:48.186033010 CET	50019	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:48.494164944 CET	50019	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:48.503763914 CET	50024	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:48.617722988 CET	42876	50019	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:48.628130913 CET	42876	50024	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:48.628325939 CET	50024	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:48.630909920 CET	50024	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:48.757333994 CET	42876	50024	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:48.757415056 CET	50024	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:48.879275084 CET	42876	50024	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:50.340990067 CET	42876	50024	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:50.341058016 CET	50024	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:50.582756996 CET	50024	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:50.583821058 CET	50030	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:50.702500105 CET	42876	50024	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:50.703444004 CET	42876	50030	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:50.703543901 CET	50030	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:50.710170031 CET	50030	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:50.830476046 CET	42876	50030	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:50.830557108 CET	50030	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:50.950478077 CET	42876	50030	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:52.391443014 CET	42876	50030	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:52.391518116 CET	50030	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:52.640973091 CET	50030	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:52.641839981 CET	50036	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:52.760608912 CET	42876	50030	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:52.761396885 CET	42876	50036	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:52.761486053 CET	50036	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:52.763222933 CET	50036	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:52.883050919 CET	42876	50036	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:52.883119106 CET	50036	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:53.003524065 CET	42876	50036	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:54.484859943 CET	42876	50036	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:54.484941006 CET	50036	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:54.718832016 CET	50036	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:54.737849951 CET	50040	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:54.839456081 CET	42876	50036	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:54.857610941 CET	42876	50040	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:54.857691050 CET	50040	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:54.859951973 CET	50040	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:54.980597019 CET	42876	50040	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:54.980655909 CET	50040	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:55.104891062 CET	42876	50040	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:56.608093023 CET	42876	50040	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:56.608190060 CET	50040	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:56.811619043 CET	50040	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:56.818912983 CET	50046	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:56.935374022 CET	42876	50040	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:56.941720963 CET	42876	50046	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:56.941781998 CET	50046	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:56.943978071 CET	50046	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:57.067709923 CET	42876	50046	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:57.067761898 CET	50046	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:57.188412905 CET	42876	50046	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:58.729470968 CET	42876	50046	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:58.729643106 CET	50046	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:58.910953999 CET	50046	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:58.911736965 CET	50051	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:59.033601999 CET	42876	50046	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:59.034288883 CET	42876	50051	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:59.034370899 CET	50051	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:59.035177946 CET	50051	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:59.154750109 CET	42876	50051	147.185.221.18	192.168.2.4
Dec 25, 2024 19:29:59.154856920 CET	50051	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:29:59.279674053 CET	42876	50051	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:00.716459036 CET	42876	50051	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:00.718502045 CET	50051	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:00.898472071 CET	50051	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:00.932959080 CET	50054	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:01.023576021 CET	42876	50051	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:01.059310913 CET	42876	50054	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:01.059405088 CET	50054	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:01.060620070 CET	50054	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:01.187036991 CET	42876	50054	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:01.187267065 CET	50054	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:01.363101006 CET	42876	50054	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:02.809235096 CET	42876	50054	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:02.809349060 CET	50054	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:03.001694918 CET	50054	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:03.015758038 CET	50055	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:03.121696949 CET	42876	50054	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:03.135570049 CET	42876	50055	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:03.135762930 CET	50055	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:03.136416912 CET	50055	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:03.258434057 CET	42876	50055	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:03.258511066 CET	50055	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:03.385031939 CET	42876	50055	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:04.862852097 CET	42876	50055	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:04.862931967 CET	50055	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:05.020344973 CET	50055	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:05.021505117 CET	50056	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:05.141838074 CET	42876	50055	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:05.141916037 CET	42876	50056	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:05.142013073 CET	50056	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:05.144404888 CET	50056	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:05.264575005 CET	42876	50056	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:05.264653921 CET	50056	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:05.384699106 CET	42876	50056	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:05.384843111 CET	50056	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:05.506243944 CET	42876	50056	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:06.841013908 CET	42876	50056	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:06.841113091 CET	50056	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:06.989696980 CET	50056	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:06.990580082 CET	50057	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:07.110707045 CET	42876	50056	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:07.113493919 CET	42876	50057	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:07.113579988 CET	50057	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:07.114444017 CET	50057	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:07.235760927 CET	42876	50057	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:07.235896111 CET	50057	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:07.362510920 CET	42876	50057	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:08.838121891 CET	42876	50057	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:08.838192940 CET	50057	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:08.985681057 CET	50057	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:09.020529032 CET	50058	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:09.110634089 CET	42876	50057	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:09.145365953 CET	42876	50058	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:09.145488024 CET	50058	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:09.158427954 CET	50058	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:09.280951023 CET	42876	50058	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:09.281075954 CET	50058	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:09.400746107 CET	42876	50058	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:10.869486094 CET	42876	50058	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:10.869674921 CET	50058	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:10.992216110 CET	50058	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:10.993175983 CET	50059	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:11.114731073 CET	42876	50058	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:11.115423918 CET	42876	50059	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:11.115600109 CET	50059	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:11.116363049 CET	50059	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:11.236062050 CET	42876	50059	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:11.236133099 CET	50059	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:11.360347986 CET	42876	50059	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:12.810055971 CET	42876	50059	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:12.810231924 CET	50059	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:12.926644087 CET	50059	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:12.927694082 CET	50060	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:13.046268940 CET	42876	50059	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:13.047355890 CET	42876	50060	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:13.047418118 CET	50060	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:13.048197031 CET	50060	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:13.167695999 CET	42876	50060	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:13.167753935 CET	50060	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:13.287379026 CET	42876	50060	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:14.777482033 CET	42876	50060	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:14.777616024 CET	50060	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:14.895977020 CET	50060	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:14.897079945 CET	50061	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:15.021176100 CET	42876	50060	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:15.022219896 CET	42876	50061	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:15.022294998 CET	50061	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:15.023097038 CET	50061	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:15.144057035 CET	42876	50061	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:15.144117117 CET	50061	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:15.263767004 CET	42876	50061	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:15.803404093 CET	50061	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:15.923127890 CET	42876	50061	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:16.760669947 CET	42876	50061	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:16.760766029 CET	50061	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:16.865807056 CET	50061	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:16.893740892 CET	50062	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:16.987735033 CET	42876	50061	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:17.016210079 CET	42876	50062	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:17.016279936 CET	50062	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:17.017306089 CET	50062	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:17.136929989 CET	42876	50062	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:17.136992931 CET	50062	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:17.257704973 CET	42876	50062	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:18.747339964 CET	42876	50062	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:18.747395039 CET	50062	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:18.848587036 CET	50062	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:18.849488020 CET	50063	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:18.968439102 CET	42876	50062	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:18.969208002 CET	42876	50063	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:18.969286919 CET	50063	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:18.970099926 CET	50063	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:19.089754105 CET	42876	50063	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:19.089876890 CET	50063	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:19.209542990 CET	42876	50063	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:20.698482990 CET	42876	50063	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:20.698606014 CET	50063	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:20.791939974 CET	50063	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:20.792809010 CET	50064	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:21.063690901 CET	42876	50063	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:21.063735962 CET	42876	50064	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:21.063805103 CET	50064	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:21.064635038 CET	50064	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:21.185151100 CET	42876	50064	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:21.185276031 CET	50064	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:21.307066917 CET	42876	50064	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:22.795747995 CET	42876	50064	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:22.795850039 CET	50064	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:22.879815102 CET	50064	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:22.880682945 CET	50065	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:22.999541998 CET	42876	50064	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:23.000361919 CET	42876	50065	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:23.000449896 CET	50065	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:23.067903042 CET	50065	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:23.189982891 CET	42876	50065	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:23.190052986 CET	50065	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:23.309849977 CET	42876	50065	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:24.685468912 CET	42876	50065	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:24.685549021 CET	50065	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:24.780563116 CET	50065	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:24.789299011 CET	50066	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:24.900321007 CET	42876	50065	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:24.909077883 CET	42876	50066	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:24.909156084 CET	50066	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:24.909725904 CET	50066	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:25.029618025 CET	42876	50066	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:25.029670954 CET	50066	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:25.155107975 CET	42876	50066	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:26.607614994 CET	42876	50066	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:26.607677937 CET	50066	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:26.676701069 CET	50066	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:26.677501917 CET	50067	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:26.799448967 CET	42876	50066	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:26.799689054 CET	42876	50067	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:26.799762964 CET	50067	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:26.800683022 CET	50067	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:26.920840025 CET	42876	50067	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:26.920949936 CET	50067	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:27.041131020 CET	42876	50067	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:28.484046936 CET	42876	50067	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:28.484222889 CET	50067	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:28.561431885 CET	50067	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:28.576141119 CET	50068	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:28.681051016 CET	42876	50067	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:28.696090937 CET	42876	50068	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:28.696192980 CET	50068	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:28.697052002 CET	50068	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:28.816670895 CET	42876	50068	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:28.816797018 CET	50068	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:28.936525106 CET	42876	50068	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:30.389622927 CET	42876	50068	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:30.389695883 CET	50068	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:30.471415997 CET	50068	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:30.494298935 CET	50069	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:30.598067999 CET	42876	50068	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:30.620721102 CET	42876	50069	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:30.620810032 CET	50069	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:30.621315002 CET	50069	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:30.744395018 CET	42876	50069	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:30.744597912 CET	50069	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:30.864299059 CET	42876	50069	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:32.312088966 CET	42876	50069	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:32.312180996 CET	50069	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:32.383297920 CET	50069	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:32.384032011 CET	50070	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:32.504101992 CET	42876	50069	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:32.504766941 CET	42876	50070	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:32.504851103 CET	50070	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:32.505467892 CET	50070	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:32.631942987 CET	42876	50070	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:32.632066011 CET	50070	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:32.756716967 CET	42876	50070	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:34.204214096 CET	42876	50070	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:34.204293966 CET	50070	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:34.270486116 CET	50070	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:34.271218061 CET	50071	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:34.394553900 CET	42876	50070	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:34.395349979 CET	42876	50071	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:34.395488977 CET	50071	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:34.395945072 CET	50071	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:34.517010927 CET	42876	50071	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:34.517062902 CET	50071	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:34.636671066 CET	42876	50071	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:36.105887890 CET	42876	50071	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:36.105956078 CET	50071	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:36.161546946 CET	50071	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:36.163137913 CET	50072	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:36.281872034 CET	42876	50071	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:36.283756018 CET	42876	50072	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:36.283854961 CET	50072	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:36.284419060 CET	50072	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:36.405853987 CET	42876	50072	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:36.406094074 CET	50072	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:36.526195049 CET	42876	50072	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:38.008826971 CET	42876	50072	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:38.010580063 CET	50072	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:38.067415953 CET	50072	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:38.068351984 CET	50073	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:38.187817097 CET	42876	50072	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:38.188688040 CET	42876	50073	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:38.188802004 CET	50073	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:38.189589977 CET	50073	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:38.309433937 CET	42876	50073	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:38.310488939 CET	50073	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:38.433751106 CET	42876	50073	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:39.915257931 CET	42876	50073	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:39.915350914 CET	50073	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:39.960961103 CET	50073	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:39.961606026 CET	50074	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:40.086393118 CET	42876	50073	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:40.087043047 CET	42876	50074	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:40.087131977 CET	50074	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:40.087676048 CET	50074	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:40.207202911 CET	42876	50074	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:40.207293987 CET	50074	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:40.328469992 CET	42876	50074	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:41.825644970 CET	42876	50074	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:41.825740099 CET	50074	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:41.880774975 CET	50074	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:41.887458086 CET	50075	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:42.000417948 CET	42876	50074	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:42.007306099 CET	42876	50075	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:42.007406950 CET	50075	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:42.007971048 CET	50075	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:42.129209995 CET	42876	50075	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:42.129298925 CET	50075	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:42.249191046 CET	42876	50075	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:43.701751947 CET	42876	50075	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:43.701885939 CET	50075	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:43.740753889 CET	50075	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:43.767869949 CET	50076	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:43.860388994 CET	42876	50075	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:43.887625933 CET	42876	50076	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:43.887712955 CET	50076	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:43.888278008 CET	50076	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:44.008791924 CET	42876	50076	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:44.008872032 CET	50076	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:44.131422997 CET	42876	50076	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:45.624238014 CET	42876	50076	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:45.624315977 CET	50076	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:45.661259890 CET	50076	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:45.662307978 CET	50077	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:45.780967951 CET	42876	50076	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:45.782135010 CET	42876	50077	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:45.782239914 CET	50077	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:45.782984018 CET	50077	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:45.902703047 CET	42876	50077	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:45.902822018 CET	50077	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:46.022564888 CET	42876	50077	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:47.483817101 CET	42876	50077	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:47.483891010 CET	50077	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:47.524580002 CET	50077	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:47.527626991 CET	50078	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:47.644474030 CET	42876	50077	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:47.647231102 CET	42876	50078	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:47.647315979 CET	50078	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:47.647823095 CET	50078	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:47.769232988 CET	42876	50078	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:47.769320011 CET	50078	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:47.889705896 CET	42876	50078	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:48.135698080 CET	50078	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:48.256395102 CET	42876	50078	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:49.391014099 CET	42876	50078	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:49.391093016 CET	50078	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:49.427361012 CET	50078	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:49.428025007 CET	50079	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:49.547271013 CET	42876	50078	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:49.547929049 CET	42876	50079	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:49.548017979 CET	50079	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:49.548518896 CET	50079	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:49.668415070 CET	42876	50079	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:49.668487072 CET	50079	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:49.789911032 CET	42876	50079	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:51.248910904 CET	42876	50079	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:51.249010086 CET	50079	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:51.286247015 CET	50079	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:51.287008047 CET	50080	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:51.406869888 CET	42876	50079	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:51.407605886 CET	42876	50080	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:51.407692909 CET	50080	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:51.409873009 CET	50080	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:51.529508114 CET	42876	50080	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:51.529567957 CET	50080	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:51.652434111 CET	42876	50080	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:53.169272900 CET	42876	50080	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:53.169394970 CET	50080	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:53.213754892 CET	50080	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:53.214447975 CET	50081	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:53.338026047 CET	42876	50080	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:53.338664055 CET	42876	50081	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:53.338768959 CET	50081	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:53.339639902 CET	50081	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:53.459193945 CET	42876	50081	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:53.459286928 CET	50081	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:53.579046965 CET	42876	50081	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:55.062304020 CET	42876	50081	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:55.062550068 CET	50081	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:55.108967066 CET	50081	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:55.112567902 CET	50082	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:55.228645086 CET	42876	50081	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:55.232264996 CET	42876	50082	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:55.232332945 CET	50082	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:55.232783079 CET	50082	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:55.352405071 CET	42876	50082	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:55.352658987 CET	50082	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:55.472270966 CET	42876	50082	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:56.291850090 CET	50082	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:56.416831970 CET	42876	50082	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:56.937350035 CET	42876	50082	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:56.937442064 CET	50082	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:56.989393950 CET	50082	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:56.990153074 CET	50083	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:57.110193968 CET	42876	50082	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:57.110802889 CET	42876	50083	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:57.110865116 CET	50083	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:57.111373901 CET	50083	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:57.231723070 CET	42876	50083	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:57.231816053 CET	50083	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:57.351473093 CET	42876	50083	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:58.826746941 CET	42876	50083	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:58.827635050 CET	50083	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:58.867729902 CET	50083	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:58.868509054 CET	50084	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:58.987364054 CET	42876	50083	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:58.988040924 CET	42876	50084	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:58.988122940 CET	50084	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:58.988653898 CET	50084	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:59.108314991 CET	42876	50084	147.185.221.18	192.168.2.4
Dec 25, 2024 19:30:59.108366966 CET	50084	42876	192.168.2.4	147.185.221.18
Dec 25, 2024 19:30:59.228343010 CET	42876	50084	147.185.221.18	192.168.2.4
Dec 25, 2024 19:31:00.670743942 CET	42876	50084	147.185.221.18	192.168.2.4
Dec 25, 2024 19:31:00.671606064 CET	50084	42876	192.168.2.4	147.185.221.18

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 25, 2024 19:27:00.367744923 CET	64567	53	192.168.2.4	1.1.1.1
Dec 25, 2024 19:27:00.636287928 CET	53	64567	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 25, 2024 19:27:00.367744923 CET	192.168.2.4	1.1.1.1	0x70fa	Standard query (0)	company-telecom.gl.at.ply.gg	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 25, 2024 19:27:00.636287928 CET	1.1.1.1	192.168.2.4	0x70fa	No error (0)	company-telecom.gl.at.ply.gg		147.185.221.18	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	13:26:53
Start date:	25/12/2024
Path:	C:\Users\user\Desktop\gReXLT7XjR.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\gReXLT7XjR.exe"
Imagebase:	0x510000
File size:	95'232 bytes
MD5 hash:	4951D592FAC59EF8005596D2AF5D116B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.1679600607.0000000003B08000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000002.1679600607.0000000003B08000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000002.1679600607.0000000003B08000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000000.1661776984.0000000000512000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000000.1661776984.0000000000512000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000000.1661776984.0000000000512000.00000002.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:26:54
Start date:	25/12/2024
Path:	C:\Windows\server.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\server.exe"
Imagebase:	0xec0000
File size:	95'232 bytes
MD5 hash:	4951D592FAC59EF8005596D2AF5D116B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000001.00000002.4112787916.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Windows\server.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Windows\server.exe, Author: unknown Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Windows\server.exe, Author: Florian Roth Rule: crimeware_njrat_strings, Description: Detects njRAT based on some strings, Source: C:\Windows\server.exe, Author: Sekoia.io Rule: Njrat, Description: detect njRAT in memory, Source: C:\Windows\server.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Windows\server.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 87%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	13:26:56
Start date:	25/12/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
Imagebase:	0x1560000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:26:56
Start date:	25/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:26:56
Start date:	25/12/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh firewall delete allowedprogram "C:\Windows\server.exe"
Imagebase:	0x1560000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	13:26:56
Start date:	25/12/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
Imagebase:	0x1560000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	13:26:56
Start date:	25/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	13:26:56
Start date:	25/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	13:27:07
Start date:	25/12/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe"
Imagebase:	0x4c0000
File size:	95'232 bytes
MD5 hash:	4951D592FAC59EF8005596D2AF5D116B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe, Author: unknown Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe, Author: Florian Roth Rule: crimeware_njrat_strings, Description: Detects njRAT based on some strings, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe, Author: Sekoia.io Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 87%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	13:27:09
Start date:	25/12/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe"
Imagebase:	0xc90000
File size:	95'232 bytes
MD5 hash:	4951D592FAC59EF8005596D2AF5D116B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	13:27:16
Start date:	25/12/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe"
Imagebase:	0xbd0000
File size:	95'232 bytes
MD5 hash:	4951D592FAC59EF8005596D2AF5D116B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 87%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	13:27:26
Start date:	25/12/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe"
Imagebase:	0x3b0000
File size:	95'232 bytes
MD5 hash:	4951D592FAC59EF8005596D2AF5D116B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: unknown Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: Florian Roth Rule: crimeware_njrat_strings, Description: Detects njRAT based on some strings, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: Sekoia.io Rule: crimeware_njrat_strings, Description: Detects njRAT based on some strings, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: Sekoia.io Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 87%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	58
Total number of Limit Nodes:	4

Executed Functions

Function 04CE4298 Relevance: 7.0, Strings: 4, Instructions: 1950
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 04CE4C24
2k, xrefs: 04CE541D
\Ok, xrefs: 04CE6AF9
|t, xrefs: 04CE53CE

Memory Dump Source

Source File: 00000000.00000002.1679725755.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ce0000_gReXLT7XjR.jbxd

Similarity

API ID:
String ID: @$\Ok$|t$2k
API String ID: 0-3656409254
Opcode ID: 65d5e8ccf12653f250414935c3c27269f37ff51c654f8fd27217c457bfe63e62
Instruction ID: e86238d241b5b44c8b1e18b9f8bbc87f26b05729757e49f6c7290a2fb34188a5
Opcode Fuzzy Hash: 65d5e8ccf12653f250414935c3c27269f37ff51c654f8fd27217c457bfe63e62
Instruction Fuzzy Hash: E9233B74A01228CFDB28EF35D994BADB7B2BB48308F1041E9D949677A4DB359E84CF50

Function 04CE4287 Relevance: 6.8, Strings: 4, Instructions: 1751
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2k, xrefs: 04CE541D
, xrefs: 04CE4BC4
\Ok, xrefs: 04CE6AF9
|t, xrefs: 04CE53CE

Memory Dump Source

Source File: 00000000.00000002.1679725755.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ce0000_gReXLT7XjR.jbxd

Similarity

API ID:
String ID: $\Ok$|t$2k
API String ID: 0-3739186446
Opcode ID: 1b4140cfe20f2ff1242769ffe0f0743546408698b11ffafbd2b517ddbce1a6a0
Instruction ID: 3416bd33baa4a9e1280cc909b641c9d2ba84dad14a7dcac647ca0bb82b7bbf1a
Opcode Fuzzy Hash: 1b4140cfe20f2ff1242769ffe0f0743546408698b11ffafbd2b517ddbce1a6a0
Instruction Fuzzy Hash: C5133B74A01228CFDB28EF35DA94BA9B7B2FB48308F1041E9D949677A4DB355E84CF50

Function 04CE3441 Relevance: 5.0, Strings: 4, Instructions: 40
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`O, xrefs: 04CE3453
HQ, xrefs: 04CE349B
P, xrefs: 04CE3476
XR, xrefs: 04CE34C0

Memory Dump Source

Source File: 00000000.00000002.1679725755.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ce0000_gReXLT7XjR.jbxd

Similarity

API ID:
String ID: HQ$XR$`O$P
API String ID: 0-917331388
Opcode ID: 1c573115af068f70e430188315939a3ef2afd024abcc0630b2213017a693da61
Instruction ID: 8c25df31f7a8e2a14f408119241986e299559b03037e22f31258be9bd9b17eb7
Opcode Fuzzy Hash: 1c573115af068f70e430188315939a3ef2afd024abcc0630b2213017a693da61
Instruction Fuzzy Hash: 3201D2B4606246EFC714FB38D60946D77E1EFC430DB10982CE24587B99EF3888888B93

Function 04CE3802 Relevance: 3.0, Strings: 2, Instructions: 500
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2k, xrefs: 04CE3C2E
\Ok, xrefs: 04CE3885

Memory Dump Source

Source File: 00000000.00000002.1679725755.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ce0000_gReXLT7XjR.jbxd

Similarity

API ID:
String ID: \Ok$2k
API String ID: 0-3697909212
Opcode ID: 8987bf5cc5cee2a957da94c3884897c27a574276bf78e23f120870cc35e9bf48
Instruction ID: 6094b0009313648997ff02d319a1f010ecffd1419cafa8bb3c3ac816121b61b3
Opcode Fuzzy Hash: 8987bf5cc5cee2a957da94c3884897c27a574276bf78e23f120870cc35e9bf48
Instruction Fuzzy Hash: 20324A34A00218CFCB28EF75D955BECB7B2AF48308F1045A9D509AB7A4DB399E85CF50

Function 04CE00B8 Relevance: 2.6, Strings: 2, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2k, xrefs: 04CE01A8
2k, xrefs: 04CE0154

Memory Dump Source

Source File: 00000000.00000002.1679725755.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ce0000_gReXLT7XjR.jbxd

Similarity

API ID:
String ID: 2k$2k
API String ID: 0-107389494
Opcode ID: 1277dfcdf61ddc77fc0da6ff302bc5a06765267b9d4fc33162a18a739286f07d
Instruction ID: 0f555f34eb6ed18d07f55cef58f48049df4439b842dbcadd7c2a94dc495de76f
Opcode Fuzzy Hash: 1277dfcdf61ddc77fc0da6ff302bc5a06765267b9d4fc33162a18a739286f07d
Instruction Fuzzy Hash: 7331D6316043409FC715A7759852AAE3BA79B82358B2485BEE001DF3D2CF7A4C89C792

Function 04CE0118 Relevance: 2.6, Strings: 2, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2k, xrefs: 04CE01A8
2k, xrefs: 04CE0154

Memory Dump Source

Source File: 00000000.00000002.1679725755.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ce0000_gReXLT7XjR.jbxd

Similarity

API ID:
String ID: 2k$2k
API String ID: 0-107389494
Opcode ID: 42bc8e80d877f83967041ef085fcd41edf0b2c0a838a9d8c2924e08786ada3e0
Instruction ID: f5c84a36861673d9afe6e7eb430ba39b102c09773efcc21a17be28dbd64c817d
Opcode Fuzzy Hash: 42bc8e80d877f83967041ef085fcd41edf0b2c0a838a9d8c2924e08786ada3e0
Instruction Fuzzy Hash: 2B1106356042004FC318B739A4526BA33AB9BC239C32455BED001EB396CFAE4C89C7E2

Function 00DFAA75 Relevance: 1.6, APIs: 1, Instructions: 92
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00DFAB25

Memory Dump Source

Source File: 00000000.00000002.1679109040.0000000000DFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dfa000_gReXLT7XjR.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 32fb3f685f420239258dfa96e0eb11b981bf3ef7527927e64733fa1f914e0657
Instruction ID: 9f48f1959a40a232cb25fbd27be5b8d47e835429bf453128a454f18811d9c8c1
Opcode Fuzzy Hash: 32fb3f685f420239258dfa96e0eb11b981bf3ef7527927e64733fa1f914e0657
Instruction Fuzzy Hash: E0319EB1504344AFE722CF25DC84B66BBF8EF05310F08889AE9898B652D375E808CB71

Function 00DFB036 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 00DFB0DD

Memory Dump Source

Source File: 00000000.00000002.1679109040.0000000000DFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dfa000_gReXLT7XjR.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 506b1dd846e40fac1ac562803928eaba00c30da8f5e11ec796014bb5b46c44e8
Instruction ID: 6b3aed08b612a382e5123193672f0ad14afb3489de82e28abed49ac6a8d9e380
Opcode Fuzzy Hash: 506b1dd846e40fac1ac562803928eaba00c30da8f5e11ec796014bb5b46c44e8
Instruction Fuzzy Hash: 1A31A1B15093846FE721CB25DD55BA6BFF8EF06310F08849AE944CB292D374A908CB72

Function 00DFA6CE Relevance: 1.6, APIs: 1, Instructions: 85
comclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleGetClipboard.OLE32(?,00000E24,?,?), ref: 00DFA77E

Memory Dump Source

Source File: 00000000.00000002.1679109040.0000000000DFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dfa000_gReXLT7XjR.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 00c9c5a36ca0cb7ee851c09fd5fe8661ffb516304afef2c2c7de851f221f0a75
Instruction ID: b72b95159fab9d0270b5527adbada1806ab6ecfaaf547f1d3b29934f122f8ab2
Opcode Fuzzy Hash: 00c9c5a36ca0cb7ee851c09fd5fe8661ffb516304afef2c2c7de851f221f0a75
Instruction Fuzzy Hash: 8D31807504D3C06FD3138B259C61B61BFB4EF47610F0A44DBE884CB6A3D2296919D7B2

Function 00DFAE77 Relevance: 1.6, APIs: 1, Instructions: 78
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000E24,E8FD579D,00000000,00000000,00000000,00000000), ref: 00DFAF0D

Memory Dump Source

Source File: 00000000.00000002.1679109040.0000000000DFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dfa000_gReXLT7XjR.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: bcc89e11c35ec6c942e8483832a9f7874c4a933d0e09935eb8f2ef7c9ff0ec2c
Instruction ID: be2008b2711eb6ec9581fcbb71bb3ac5f0eef182802dfa483591939d94515281
Opcode Fuzzy Hash: bcc89e11c35ec6c942e8483832a9f7874c4a933d0e09935eb8f2ef7c9ff0ec2c
Instruction Fuzzy Hash: 3B21E5B2408380AFE722CF55DD44F96BFB8EF06314F09849AE9849F153D234A908CB71

Function 00DFAAA6 Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00DFAB25

Memory Dump Source

Source File: 00000000.00000002.1679109040.0000000000DFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dfa000_gReXLT7XjR.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 942de46eccaa917009c6a0be8abddc0ddb8a668fb95ba5d18525dffb7fd47316
Instruction ID: 19b3a43f00d7ab1db8933aa399cf7021ff9f4843d232d72991ec834dfd17b0a9
Opcode Fuzzy Hash: 942de46eccaa917009c6a0be8abddc0ddb8a668fb95ba5d18525dffb7fd47316
Instruction Fuzzy Hash: 402181B1500604AFE721CF69DD45B66FBE8EF08310F188969EA498B651D375E908CB72

Function 00DFA9BF Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(?), ref: 00DFAA44

Memory Dump Source

Source File: 00000000.00000002.1679109040.0000000000DFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dfa000_gReXLT7XjR.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 0db70d0015ef123d35152da873a5cddda4340b193f4285396f5ab61330bc58e1
Instruction ID: 55ca3e58b253c62dca2ea628adf1581a79ba2629088ff3a190a7f0e07e3888bc
Opcode Fuzzy Hash: 0db70d0015ef123d35152da873a5cddda4340b193f4285396f5ab61330bc58e1
Instruction Fuzzy Hash: A52148A540E7C49FD7138B259C64A61BFB4AF57624F0E80DBD9848F6A3D268580CCB72

Function 00DFAC37 Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(?,00000E24,E8FD579D,00000000,00000000,00000000,00000000), ref: 00DFACBD

Memory Dump Source

Source File: 00000000.00000002.1679109040.0000000000DFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dfa000_gReXLT7XjR.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 365437948556b55fbee4712358620fecfcd146f2c75e21685ac2a89ebee4b5a9
Instruction ID: e96df6b2fb85ab621c14c63c99c29d4d81d8118c38ffb31e35ccee4b2486cf8f
Opcode Fuzzy Hash: 365437948556b55fbee4712358620fecfcd146f2c75e21685ac2a89ebee4b5a9
Instruction Fuzzy Hash: 582108B54083846FE7128B15DC40BA2BFBCDF46314F0884D6E9848F293D264AD09C771

Function 00DFB06A Relevance: 1.6, APIs: 1, Instructions: 72
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 00DFB0DD

Memory Dump Source

Source File: 00000000.00000002.1679109040.0000000000DFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dfa000_gReXLT7XjR.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 6612186a3595098f6baf6c1836ddbf6cf0ef3c47e857d0ceedcf04f6b956c532
Instruction ID: f14f5fafeeb42a9f50d9845aa136e42413341717dd6b237c415f2da666a71b49
Opcode Fuzzy Hash: 6612186a3595098f6baf6c1836ddbf6cf0ef3c47e857d0ceedcf04f6b956c532
Instruction Fuzzy Hash: 402183716002449FE720DF29DD45BA6FBE8EF09324F18C86AEE458B681D775E908CA71

Function 00DFA61E Relevance: 1.6, APIs: 1, Instructions: 65
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(?), ref: 00DFA690

Memory Dump Source

Source File: 00000000.00000002.1679109040.0000000000DFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dfa000_gReXLT7XjR.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 784c0ead42aece7c142c280c14566f88f208b9d1516a2e2196e12f7f55f1c0fa
Instruction ID: 8e32a355dfbdcadf9df77ea82bd78c7714622de8dabcada5bcc35b72f111bfe8
Opcode Fuzzy Hash: 784c0ead42aece7c142c280c14566f88f208b9d1516a2e2196e12f7f55f1c0fa
Instruction Fuzzy Hash: 79213B7150D7C45FDB138B259C94652BFB4DF07220F0E84DBD9849F1A3D2695908CBB2

Function 00DFA573 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00DFA5DE

Memory Dump Source

Source File: 00000000.00000002.1679109040.0000000000DFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dfa000_gReXLT7XjR.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7fd8cfca29ed0773a3fa63dddbb20976c1ca0dd8264cedc9bc62ec28587ed68d
Instruction ID: af8221a747e22b474ee5b23cce1b660416a2229c88166d459bec490cc67ebbe6
Opcode Fuzzy Hash: 7fd8cfca29ed0773a3fa63dddbb20976c1ca0dd8264cedc9bc62ec28587ed68d
Instruction Fuzzy Hash: 0411A571408780AFDB228F54DC44A62FFF4EF4A310F08889AEA858B552D235A818DB71

Function 00DFAEAE Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E24,E8FD579D,00000000,00000000,00000000,00000000), ref: 00DFAF0D

Memory Dump Source

Source File: 00000000.00000002.1679109040.0000000000DFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dfa000_gReXLT7XjR.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 666ac18b2424afb21015c9b090a8535a371d63548170934ec84afbd79b88c4bd
Instruction ID: c3396156e2b1701f41d1d7840ee61c33ec61959eef69ad53e0af9e4622cde8aa
Opcode Fuzzy Hash: 666ac18b2424afb21015c9b090a8535a371d63548170934ec84afbd79b88c4bd
Instruction Fuzzy Hash: A71193B1500604AEE7218F59DD44BA6BBE8EF04314F18C86AEA499A651D275A5088BB2

Function 00DFB424 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 00DFB480

Memory Dump Source

Source File: 00000000.00000002.1679109040.0000000000DFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dfa000_gReXLT7XjR.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: b13677a3e197ab6349574b3ee12883fa6bd3aa37b0094a4a35c4903c0980768b
Instruction ID: 3f9342dee9aa5cd5788b4422c5cb5b22f9caf63f2782cde03f5e5612305ebb11
Opcode Fuzzy Hash: b13677a3e197ab6349574b3ee12883fa6bd3aa37b0094a4a35c4903c0980768b
Instruction Fuzzy Hash: 991181715093849FD711CF25DD54B52BFA89F06224F0984ABED45CB252D264A908CB61

Function 00DFAC6A Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,E8FD579D,00000000,00000000,00000000,00000000), ref: 00DFACBD

Memory Dump Source

Source File: 00000000.00000002.1679109040.0000000000DFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dfa000_gReXLT7XjR.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 728c24ba4ca0a858cd0d2ee9805df207aa3ce1049976192e787a58304bdc4ace
Instruction ID: f503b5207c9d3301ce2b2586bfc71a1053145778a59dcdd67ec5705774e6e834
Opcode Fuzzy Hash: 728c24ba4ca0a858cd0d2ee9805df207aa3ce1049976192e787a58304bdc4ace
Instruction Fuzzy Hash: 040126B5500304AFE720CB09DD84BB6F7A8DF04724F18C466EE098B741D374E8488AB2

Function 00DFB446 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 00DFB480

Memory Dump Source

Source File: 00000000.00000002.1679109040.0000000000DFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dfa000_gReXLT7XjR.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: 0eec9dcac361b8db16fe724dacf97a7b38d341c801b4095b2b762fc081790048
Instruction ID: cb8c55ace03e0c1e301e19e030e566f49a1d41e0559556672ba171732d7ee5a9
Opcode Fuzzy Hash: 0eec9dcac361b8db16fe724dacf97a7b38d341c801b4095b2b762fc081790048
Instruction Fuzzy Hash: CA016D716002088FDB10CF19DA84766BBE8DF04224F18C4ABDE49CB652D379E844CAB1

Function 00DFA59A Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00DFA5DE

Memory Dump Source

Source File: 00000000.00000002.1679109040.0000000000DFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dfa000_gReXLT7XjR.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ef46f943a155842bc395a52e12d4df7430d8b8de92ae7a5d45e137c688d267d3
Instruction ID: fbf4d0bae7b97d88b78463190f56fcaeed5208049e24d39c5a2b51418a2004cf
Opcode Fuzzy Hash: ef46f943a155842bc395a52e12d4df7430d8b8de92ae7a5d45e137c688d267d3
Instruction Fuzzy Hash: 8101A1724007449FDB208F59D944B62FFE0EF08710F08C8AADE898A651D336E414DF72

Function 00DFA72E Relevance: 1.5, APIs: 1, Instructions: 43comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?,00000E24,?,?), ref: 00DFA77E

Memory Dump Source

Source File: 00000000.00000002.1679109040.0000000000DFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dfa000_gReXLT7XjR.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 88784245585e5ea71dda396716bba30904db3d7d781a876143265a188e50185d
Instruction ID: fbd8883aefd79b821f9cf2028dac0f94dbe42653a95e459d25a164287ce4635a
Opcode Fuzzy Hash: 88784245585e5ea71dda396716bba30904db3d7d781a876143265a188e50185d
Instruction Fuzzy Hash: 7A01A271500201ABD350DF1ACD46B66FBE8FB88A20F148159ED089BB41E731F915CBE6

Function 00DFA65E Relevance: 1.5, APIs: 1, Instructions: 39comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 00DFA690

Memory Dump Source

Source File: 00000000.00000002.1679109040.0000000000DFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dfa000_gReXLT7XjR.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 185a0959b8a96ea7dd174df26d6ff6ead73d52fd0ebdc40ec3f77317831fe0d1
Instruction ID: 85f663bf77bc122e491c7552d327092603713341b1e41ed5ad8415c04fee7bd2
Opcode Fuzzy Hash: 185a0959b8a96ea7dd174df26d6ff6ead73d52fd0ebdc40ec3f77317831fe0d1
Instruction Fuzzy Hash: 1C01F2B15006048FDB10CF09D884765FBE4DF04320F1DC4AACE498F252D279E804CEB2

Function 00DFAA12 Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00DFAA44

Memory Dump Source

Source File: 00000000.00000002.1679109040.0000000000DFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dfa000_gReXLT7XjR.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 586443cc4d1fe18098b9ec0a4f0de64c18ad4b9f94d6b9650c0d0a4c16cc375a
Instruction ID: c47202655a1dde73f78be8c1536cf9c46166b8fd388223dfbceed5de9f2aa565
Opcode Fuzzy Hash: 586443cc4d1fe18098b9ec0a4f0de64c18ad4b9f94d6b9650c0d0a4c16cc375a
Instruction Fuzzy Hash: 00F0A4755006489FDB208F09D984765FBE4DF04724F18C0AADE494B752D279E948CEB2

Function 04CE39BF Relevance: 1.4, Strings: 1, Instructions: 182COMMON

Download Yara Rule

Strings

2k, xrefs: 04CE3C2E

Memory Dump Source

Source File: 00000000.00000002.1679725755.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ce0000_gReXLT7XjR.jbxd

Similarity

API ID:
String ID: 2k
API String ID: 0-1599061190
Opcode ID: 213c3f85d90077f76330f8ec19c184b09116d9e09007677940b6eb7c49ef1937
Instruction ID: ad9e36aaf35649d5c1b499b665cb705c0ec5d82c36e4a0b14e495a2de865664a
Opcode Fuzzy Hash: 213c3f85d90077f76330f8ec19c184b09116d9e09007677940b6eb7c49ef1937
Instruction Fuzzy Hash: 3481BF30A002188FCB18EFB5C945BECB7B2AF44308F1041A9D50AAB7A4DB799E85CF51

Function 04CE3B18 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

2k, xrefs: 04CE3C2E

Memory Dump Source

Source File: 00000000.00000002.1679725755.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ce0000_gReXLT7XjR.jbxd

Similarity

API ID:
String ID: 2k
API String ID: 0-1599061190
Opcode ID: f582c9eb7c8ed0dd0e088e944dd934cd6ca547a11e4108418c2f4146dd97fbac
Instruction ID: 1985d066a5ae1d1b871663753dcc42dcc6f2326b7ac9edd74a9d104a21e3b249
Opcode Fuzzy Hash: f582c9eb7c8ed0dd0e088e944dd934cd6ca547a11e4108418c2f4146dd97fbac
Instruction Fuzzy Hash: 9B418134A00258CFDB14EFBAC955BECB7B2BF44308F1041AAD405AB694DB795E85CF61

Function 00DFAB7C Relevance: 1.3, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 00DFABF0

Memory Dump Source

Source File: 00000000.00000002.1679109040.0000000000DFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dfa000_gReXLT7XjR.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 5e51b5a07a01098e7c800b32a63dcb3efe45b8131ecad93a9ada7c083da40f08
Instruction ID: f00b5386ee9a3af5b33547116ea61c5b382beee0167977fc7038cb63f3ea5fa9
Opcode Fuzzy Hash: 5e51b5a07a01098e7c800b32a63dcb3efe45b8131ecad93a9ada7c083da40f08
Instruction Fuzzy Hash: F521C2B55097C49FD7128B25DC95652BFB8EF07220F0D84DBDD858F2A3D2645908CB72

Function 00DFABBE Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 00DFABF0

Memory Dump Source

Source File: 00000000.00000002.1679109040.0000000000DFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dfa000_gReXLT7XjR.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 19077c13cba3829737abdb22f642d2584455a67fd8c08386e4f7e08db567fc0c
Instruction ID: eeffce8952219cfde3cb093ae0fb688ba882001796f00f673efa727663e777e5
Opcode Fuzzy Hash: 19077c13cba3829737abdb22f642d2584455a67fd8c08386e4f7e08db567fc0c
Instruction Fuzzy Hash: AB0184755042448FDB108F19D985765FBE4DF04320F1CC4AADE498F655D279D844CAB2

Function 04CE3520 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1679725755.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ce0000_gReXLT7XjR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ada8e2424057887110807636d7ff10dc4e6b09ec47c28ee25576b3ee4b0035aa
Instruction ID: dfb9b75943bd33f13424417035e9c1130cf21c35f7a62599b2b6d88c02587eca
Opcode Fuzzy Hash: ada8e2424057887110807636d7ff10dc4e6b09ec47c28ee25576b3ee4b0035aa
Instruction Fuzzy Hash: 0B310530B002118FC714BB7ADA117BE33A79B8820CF50443A950597BA4DF7CAD4A9BD1

Function 04CE0006 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1679725755.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ce0000_gReXLT7XjR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0df6ee2811d64638e1305e366641cb97081a84f4395c868373c87f9ab2b84ddb
Instruction ID: 649c1ba59dfa919b8dce2af032ad43545e591ab9078144d361310d4443da0efc
Opcode Fuzzy Hash: 0df6ee2811d64638e1305e366641cb97081a84f4395c868373c87f9ab2b84ddb
Instruction Fuzzy Hash: E711E26540F3C15FD35387349C666813FB1AE13218B4A81DBD080CA5A7E26D0A4EC7A2

Function 04CE00A8 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1679725755.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ce0000_gReXLT7XjR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5f274fdec9fa08c887b9e4f49e73cc393161229510813042e1c35a761fc37be
Instruction ID: 65e6761b0d13c21d68781b81d56687546ffbd3c6a8db21c9f0b106c4b30b9ba7
Opcode Fuzzy Hash: c5f274fdec9fa08c887b9e4f49e73cc393161229510813042e1c35a761fc37be
Instruction Fuzzy Hash: F6F0C232A04304AFDB14DBB18C52BAE7B629F81324F24866EE541EB1C1DA765881C780

Function 00E10606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1679220644.0000000000E10000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_gReXLT7XjR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76fe5f21f4476b0952f21030b7a02ddba364190dc5b5210f61d977003eb8848b
Instruction ID: 5e96b0ccd23567a0e60ec41d22c6b930bd5ee7bb0493b416548a7ae2d4c9051d
Opcode Fuzzy Hash: 76fe5f21f4476b0952f21030b7a02ddba364190dc5b5210f61d977003eb8848b
Instruction Fuzzy Hash: 89E092B66006048BD750CF0AFC81452F7D8EB88630718C47FDC0D8BB01E235B508CEA5

Function 04CE36A8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1679725755.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ce0000_gReXLT7XjR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b431226819f01377d96b05dc1c9c67f59420ae9030fb16814ef54135c5a39e7e
Instruction ID: 7a8a9cb11d70513561f825ee2dbdf8903773ed0fffcb2a6694484f9e400ccccb
Opcode Fuzzy Hash: b431226819f01377d96b05dc1c9c67f59420ae9030fb16814ef54135c5a39e7e
Instruction Fuzzy Hash: 6BE0C230246395CFCB0A2B75A02442837B5AB4231A34004BFC5414B7A1DB3AA8C6CB50

Function 00DF23F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1679092600.0000000000DF2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df2000_gReXLT7XjR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d4f09d382ed54d04a59a414e43f069fe484dd2b2cdfada7acba86d2aaeb611c
Instruction ID: c127f02d9892454ab94cdb47d8f68ab9aa2b4347dc856c28bab7af61ac1137b1
Opcode Fuzzy Hash: 0d4f09d382ed54d04a59a414e43f069fe484dd2b2cdfada7acba86d2aaeb611c
Instruction Fuzzy Hash: 9AD02E392006C04FD3238A0CC2A5FA537D4AB60708F4B84FAA800CB763C7A8D880C220

Function 00DF23BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1679092600.0000000000DF2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df2000_gReXLT7XjR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ded9e5951d81df3f9f38446e209e2e171950dacb38fbc38d29f9d33bdcb9ce0
Instruction ID: fd99f6079fa920f4095bd79e71f33c35b98a1a3aba6c3ac11ca44f182859fd4c
Opcode Fuzzy Hash: 9ded9e5951d81df3f9f38446e209e2e171950dacb38fbc38d29f9d33bdcb9ce0
Instruction Fuzzy Hash: 4CD05E742006854FC725DB0CC2D4F6937D4AF40714F0A84ECAC108B762C7A9D8C4DA10

Non-executed Functions

Function 04CE44F1 Relevance: 6.6, Strings: 4, Instructions: 1624COMMON

Download Yara Rule

Strings

2k, xrefs: 04CE541D
, xrefs: 04CE4BC4
\Ok, xrefs: 04CE6AF9
|t, xrefs: 04CE53CE

Memory Dump Source

Source File: 00000000.00000002.1679725755.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ce0000_gReXLT7XjR.jbxd

Similarity

API ID:
String ID: $\Ok$|t$2k
API String ID: 0-3739186446
Opcode ID: aa75c52b11177fddadca1c179ac42d6baa6ea0d0f5aa009e64139f2ef1d6e57c
Instruction ID: be578ad06046956c394463fd847100161fca6e5a45406e0edabb3df2d68df396
Opcode Fuzzy Hash: aa75c52b11177fddadca1c179ac42d6baa6ea0d0f5aa009e64139f2ef1d6e57c
Instruction Fuzzy Hash: B2034C74A01228CFDB28EF35D994BA9B7B2FB48308F1041EAD949677A4DB355E84CF50

Function 04CE4544 Relevance: 6.6, Strings: 4, Instructions: 1618COMMON

Download Yara Rule

Strings

2k, xrefs: 04CE541D
, xrefs: 04CE4BC4
\Ok, xrefs: 04CE6AF9
|t, xrefs: 04CE53CE

Memory Dump Source

Source File: 00000000.00000002.1679725755.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ce0000_gReXLT7XjR.jbxd

Similarity

API ID:
String ID: $\Ok$|t$2k
API String ID: 0-3739186446
Opcode ID: d8616eb244af821e9a474c9268100af014737fdce4bf3a8f2b194aa2a7c780df
Instruction ID: 86707985594bff85f24703ec407d2f7c1c21c3b19210593f8ee8b5d81109d0ad
Opcode Fuzzy Hash: d8616eb244af821e9a474c9268100af014737fdce4bf3a8f2b194aa2a7c780df
Instruction Fuzzy Hash: 0C033C74A01228CFDB28EF35D994BA9B7B2FB48308F1041EAD949677A4DB355E84CF50

Function 04CE4630 Relevance: 6.6, Strings: 4, Instructions: 1579COMMON

Download Yara Rule

Strings

2k, xrefs: 04CE541D
, xrefs: 04CE4BC4
\Ok, xrefs: 04CE6AF9
|t, xrefs: 04CE53CE

Memory Dump Source

Source File: 00000000.00000002.1679725755.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ce0000_gReXLT7XjR.jbxd

Similarity

API ID:
String ID: $\Ok$|t$2k
API String ID: 0-3739186446
Opcode ID: bed89104ec891f1e1d40c19029cb65b0b0873f711bfbb995da67fa7a75a80c84
Instruction ID: 5731b12c9246f06ce46e424f86abf5516efbc65335645cb33b5d662fe09989e1
Opcode Fuzzy Hash: bed89104ec891f1e1d40c19029cb65b0b0873f711bfbb995da67fa7a75a80c84
Instruction Fuzzy Hash: E5034C74A01228CFDB28EF35D994BA9B7B2FB48308F1041E9D949677A4DB355E84CF50

Function 04CE470F Relevance: 6.5, Strings: 4, Instructions: 1544COMMON

Download Yara Rule

Strings

2k, xrefs: 04CE541D
, xrefs: 04CE4BC4
\Ok, xrefs: 04CE6AF9
|t, xrefs: 04CE53CE

Memory Dump Source

Source File: 00000000.00000002.1679725755.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ce0000_gReXLT7XjR.jbxd

Similarity

API ID:
String ID: $\Ok$|t$2k
API String ID: 0-3739186446
Opcode ID: fe6c136f7543192fe3db8e8bc9e9a3ab9ef6f77d2d0ab7681ab048cb53600775
Instruction ID: 13974d55f3327f545e48434ca823c1edefe5cdc7e900e4f9afb6eedcea4d4e7a
Opcode Fuzzy Hash: fe6c136f7543192fe3db8e8bc9e9a3ab9ef6f77d2d0ab7681ab048cb53600775
Instruction Fuzzy Hash: 0FF24C74A01228CFDB28EF35D994BA9B7B2FB48308F1041EAD949677A4DB355E84CF50

Function 04CE47D4 Relevance: 6.5, Strings: 4, Instructions: 1513COMMON

Download Yara Rule

Strings

2k, xrefs: 04CE541D
, xrefs: 04CE4BC4
\Ok, xrefs: 04CE6AF9
|t, xrefs: 04CE53CE

Memory Dump Source

Source File: 00000000.00000002.1679725755.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ce0000_gReXLT7XjR.jbxd

Similarity

API ID:
String ID: $\Ok$|t$2k
API String ID: 0-3739186446
Opcode ID: 38f58539976a8a8ef7ac757c585fb18d838c5a0a0b4fb894d47ff9103cb383b3
Instruction ID: 95c88ee0dfe52030b2a0f061ccf7b9d7271e36a187134c7f7d9a046f7fce533c
Opcode Fuzzy Hash: 38f58539976a8a8ef7ac757c585fb18d838c5a0a0b4fb894d47ff9103cb383b3
Instruction Fuzzy Hash: 29F24C74A01228CFDB28EF35D994BA9B7B2FB48308F1041EAD949677A4DB355E84CF50

Function 04CE4936 Relevance: 6.5, Strings: 4, Instructions: 1456COMMON

Download Yara Rule

Strings

2k, xrefs: 04CE541D
, xrefs: 04CE4BC4
\Ok, xrefs: 04CE6AF9
|t, xrefs: 04CE53CE

Memory Dump Source

Source File: 00000000.00000002.1679725755.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ce0000_gReXLT7XjR.jbxd

Similarity

API ID:
String ID: $\Ok$|t$2k
API String ID: 0-3739186446
Opcode ID: 490daa185f9669d9d283d110714f1a486994296bcf32baceb0bbc1466fc7fc95
Instruction ID: 00dcfbb58c1df7dee95643ecbfb6fc2562249e588cc298c6a34f94f0f268edbb
Opcode Fuzzy Hash: 490daa185f9669d9d283d110714f1a486994296bcf32baceb0bbc1466fc7fc95
Instruction Fuzzy Hash: 98F25C74A01228CFDB28EF35D994BA9B7B2FB48308F1041EAD949677A4DB355E84CF50

Function 04CE499D Relevance: 6.4, Strings: 4, Instructions: 1447COMMON

Download Yara Rule

Strings

2k, xrefs: 04CE541D
, xrefs: 04CE4BC4
\Ok, xrefs: 04CE6AF9
|t, xrefs: 04CE53CE

Memory Dump Source

Source File: 00000000.00000002.1679725755.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ce0000_gReXLT7XjR.jbxd

Similarity

API ID:
String ID: $\Ok$|t$2k
API String ID: 0-3739186446
Opcode ID: 5fdf873fbff870127a1af0f29801f97ae03fda8c19980951a216bd8291347fff
Instruction ID: 8f6200b147c5096266a6c4f1174047ee256ad3678d9a723f927c7cb29ec21a53
Opcode Fuzzy Hash: 5fdf873fbff870127a1af0f29801f97ae03fda8c19980951a216bd8291347fff
Instruction Fuzzy Hash: 89F25C74A01228CFDB28EF35D994BA9B7B2FB48308F1041EAD949677A4DB355E84CF50

Function 04CE49F9 Relevance: 6.4, Strings: 4, Instructions: 1440COMMON

Download Yara Rule

Strings

2k, xrefs: 04CE541D
, xrefs: 04CE4BC4
\Ok, xrefs: 04CE6AF9
|t, xrefs: 04CE53CE

Memory Dump Source

Source File: 00000000.00000002.1679725755.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ce0000_gReXLT7XjR.jbxd

Similarity

API ID:
String ID: $\Ok$|t$2k
API String ID: 0-3739186446
Opcode ID: 76a26d6e54009b3741a7eee2baedc7fdfd4fc2bd6b2dc6bcbc2bb817e5c8ace2
Instruction ID: c6c3bcf1f5e82eec68a96082c8272170c4f6b38368dcb12a2ee0b06c22cf5040
Opcode Fuzzy Hash: 76a26d6e54009b3741a7eee2baedc7fdfd4fc2bd6b2dc6bcbc2bb817e5c8ace2
Instruction Fuzzy Hash: 73F25B74A01228CFDB28EF35D994BA9B7B2FB48308F1041EAD949677A4DB355E84CF50

Function 04CE4B5B Relevance: 6.4, Strings: 4, Instructions: 1383COMMON

Download Yara Rule

Strings

2k, xrefs: 04CE541D
, xrefs: 04CE4BC4
\Ok, xrefs: 04CE6AF9
|t, xrefs: 04CE53CE

Memory Dump Source

Source File: 00000000.00000002.1679725755.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ce0000_gReXLT7XjR.jbxd

Similarity

API ID:
String ID: $\Ok$|t$2k
API String ID: 0-3739186446
Opcode ID: 67124619bef82e56523edc458afc4b217c3d8686ab3824ed4e270ca8644e4f14
Instruction ID: f3d5851fb143ad68bfc33e0c9e54c417e050ca32d2fa5bdb5afc31919616b1d2
Opcode Fuzzy Hash: 67124619bef82e56523edc458afc4b217c3d8686ab3824ed4e270ca8644e4f14
Instruction Fuzzy Hash: ACE26D74A01228CFDB28EF35D994BA9B7B2FB48308F1041EAD949677A4DB355E84CF50

Function 04CE4C8F Relevance: 5.1, Strings: 3, Instructions: 1362COMMON

Download Yara Rule

Strings

2k, xrefs: 04CE541D
\Ok, xrefs: 04CE6AF9
|t, xrefs: 04CE53CE

Memory Dump Source

Source File: 00000000.00000002.1679725755.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ce0000_gReXLT7XjR.jbxd

Similarity

API ID:
String ID: \Ok$|t$2k
API String ID: 0-1000380826
Opcode ID: f0d72c8749e9a873f6a94440a4626981f9ae2d9ef402cd6f5dd2fe1c73999c89
Instruction ID: fdd2b26ba57fe653fc8dfb6a8654f62ea93edd2233cb562e728ba83ff8e791f1
Opcode Fuzzy Hash: f0d72c8749e9a873f6a94440a4626981f9ae2d9ef402cd6f5dd2fe1c73999c89
Instruction Fuzzy Hash: EEE25C74A01228CFDB28EF35D994BA9B7B2FB48308F1041EAD949677A4DB355E84CF50

Function 04CE4F2F Relevance: 5.0, Strings: 3, Instructions: 1245COMMON

Download Yara Rule

Strings

2k, xrefs: 04CE541D
\Ok, xrefs: 04CE6AF9
|t, xrefs: 04CE53CE

Memory Dump Source

Source File: 00000000.00000002.1679725755.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ce0000_gReXLT7XjR.jbxd

Similarity

API ID:
String ID: \Ok$|t$2k
API String ID: 0-1000380826
Opcode ID: f70c40ffb5aa532b2a15eef2aff44d352d156395792943050ded40a62110ddc7
Instruction ID: e3f865780904d56471637d91e97cf2cc9473cbd68084c8373281f3f204a6002b
Opcode Fuzzy Hash: f70c40ffb5aa532b2a15eef2aff44d352d156395792943050ded40a62110ddc7
Instruction Fuzzy Hash: F4D25C74A01228CFDB29EF35D994BA9B7B2FB48308F1041E9D949673A4DB359E84CF50

Function 04CE4F9D Relevance: 5.0, Strings: 3, Instructions: 1236COMMON

Download Yara Rule

Strings

2k, xrefs: 04CE541D
\Ok, xrefs: 04CE6AF9
|t, xrefs: 04CE53CE

Memory Dump Source

Source File: 00000000.00000002.1679725755.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ce0000_gReXLT7XjR.jbxd

Similarity

API ID:
String ID: \Ok$|t$2k
API String ID: 0-1000380826
Opcode ID: e5447a63c8b5f2144aae444321792df2e1643840c4e0981e0695df4bf115c564
Instruction ID: 5e801ebba66d824c00acab1d3fee0ab9b973a0c846bb4003d8a25b81eab7992d
Opcode Fuzzy Hash: e5447a63c8b5f2144aae444321792df2e1643840c4e0981e0695df4bf115c564
Instruction Fuzzy Hash: 82D25C74A01228CFDB25EF35D994BA9B7B2FB48308F1041E9D949673A4DB355E84CF50

Function 04CE5000 Relevance: 5.0, Strings: 3, Instructions: 1230COMMON

Download Yara Rule

Strings

2k, xrefs: 04CE541D
\Ok, xrefs: 04CE6AF9
|t, xrefs: 04CE53CE

Memory Dump Source

Source File: 00000000.00000002.1679725755.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ce0000_gReXLT7XjR.jbxd

Similarity

API ID:
String ID: \Ok$|t$2k
API String ID: 0-1000380826
Opcode ID: 536f3f738fe9c60178c51ec8f7f967be3e796fd6d2bb531a4817f3e47f8f5869
Instruction ID: 8f603bc41e8fe76bfeb02bcc5cade3da9e13ff53275a6120ac3f47139d46668d
Opcode Fuzzy Hash: 536f3f738fe9c60178c51ec8f7f967be3e796fd6d2bb531a4817f3e47f8f5869
Instruction Fuzzy Hash: 31D25B74A01228CFDB29EF35DA94BA9B7B2FB48308F1041E9D949673A4DB355E84CF50

Function 04CE505D Relevance: 5.0, Strings: 3, Instructions: 1225COMMON

Download Yara Rule

Strings

2k, xrefs: 04CE541D
\Ok, xrefs: 04CE6AF9
|t, xrefs: 04CE53CE

Memory Dump Source

Source File: 00000000.00000002.1679725755.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ce0000_gReXLT7XjR.jbxd

Similarity

API ID:
String ID: \Ok$|t$2k
API String ID: 0-1000380826
Opcode ID: 827fc812f742e12eca57d7f62906e745622283c17491f639d2e36c8170c4edd0
Instruction ID: 034b940235b30ebfa15c5f421ba95863dd802d8602f68ab82d57abf3be091859
Opcode Fuzzy Hash: 827fc812f742e12eca57d7f62906e745622283c17491f639d2e36c8170c4edd0
Instruction Fuzzy Hash: B6D25B74A01228CFDB29EF35DA94BA9B7B2FB48308F1041E9D949673A4DB355E84CF50

Function 04CE50E3 Relevance: 5.0, Strings: 3, Instructions: 1210COMMON

Download Yara Rule

Strings

2k, xrefs: 04CE541D
\Ok, xrefs: 04CE6AF9
|t, xrefs: 04CE53CE

Memory Dump Source

Source File: 00000000.00000002.1679725755.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ce0000_gReXLT7XjR.jbxd

Similarity

API ID:
String ID: \Ok$|t$2k
API String ID: 0-1000380826
Opcode ID: ec736dd77ca64dec0d9789a187ca998ce9d610ca27c31acb462336ce7c8a0906
Instruction ID: a65da5427e9cc74a6aca75b4b5c474e8a025b1fa9182954efc8378dce3bfd061
Opcode Fuzzy Hash: ec736dd77ca64dec0d9789a187ca998ce9d610ca27c31acb462336ce7c8a0906
Instruction Fuzzy Hash: 43D25B74A01228CFDB29EF35DA94BA9B7B2FB48308F1041E9D949673A4DB355E84CF50

Function 04CE536F Relevance: 4.8, Strings: 3, Instructions: 1071COMMON

Download Yara Rule

Strings

2k, xrefs: 04CE541D
\Ok, xrefs: 04CE6AF9
|t, xrefs: 04CE53CE

Memory Dump Source

Source File: 00000000.00000002.1679725755.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ce0000_gReXLT7XjR.jbxd

Similarity

API ID:
String ID: \Ok$|t$2k
API String ID: 0-1000380826
Opcode ID: 13b8f7b141431b76ad395dca47e62593b1a2935e6cdc5d9d919084ab24849634
Instruction ID: ff0dc76fc92bee1e3d801f3ae1d389d9027851125fe7132f69e5911747c9e7b0
Opcode Fuzzy Hash: 13b8f7b141431b76ad395dca47e62593b1a2935e6cdc5d9d919084ab24849634
Instruction Fuzzy Hash: 78C22A74A01228CFDB25EF34D994BA9B7B2FB58308F1041E9D909677A4DB35AE85CF40

Function 04CE5459 Relevance: 2.3, Strings: 1, Instructions: 1040COMMON

Download Yara Rule

Strings

\Ok, xrefs: 04CE6AF9

Memory Dump Source

Source File: 00000000.00000002.1679725755.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ce0000_gReXLT7XjR.jbxd

Similarity

API ID:
String ID: \Ok
API String ID: 0-3677890257
Opcode ID: 09650503fc974eacbec4264d3eaa5285a482c51a418a06d1ffcfbee1d896d5f3
Instruction ID: 01ccc5c7e9c50e345d396184bcc44a7ccc2e9207ed5d5e236e5627e2adc99d0c
Opcode Fuzzy Hash: 09650503fc974eacbec4264d3eaa5285a482c51a418a06d1ffcfbee1d896d5f3
Instruction Fuzzy Hash: 4EC22A74A01228CFDB29EF34D994BA9B7B2FB58308F1041E9D909677A4DB359E85CF40

Function 04CE36F0 Relevance: 5.1, Strings: 4, Instructions: 88COMMON

Download Yara Rule

Strings

N, xrefs: 04CE37BA
N, xrefs: 04CE3780
N, xrefs: 04CE375D
N, xrefs: 04CE3719

Memory Dump Source

Source File: 00000000.00000002.1679725755.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ce0000_gReXLT7XjR.jbxd

Similarity

API ID:
String ID: N$N$N$N
API String ID: 0-91100018
Opcode ID: 7755bcb6e9d2fd7956a1a09508db8dd8f6c489ee99ebf3fa129c3bdf23063417
Instruction ID: e730d2c4fce7cb7f236776b46cffbbe5e53b248637bbf4a74bfcf3f98781ba44
Opcode Fuzzy Hash: 7755bcb6e9d2fd7956a1a09508db8dd8f6c489ee99ebf3fa129c3bdf23063417
Instruction Fuzzy Hash: 68216FB57002599FEB20DA6EC941BBA73E6FF89204F140568E905EB794EB74FD018790

Analysis Process: server.exePID: 7564, Parent PID: 7496COMMON

Execution Graph

Execution Coverage:	37.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	6.1%
Total number of Nodes:	115
Total number of Limit Nodes:	7

Executed Functions

Function 05694269 Relevance: 5.5, Strings: 3, Instructions: 1767COMMON

Download Yara Rule

Strings

, xrefs: 05694BC4
2k, xrefs: 0569541D
\Ok, xrefs: 05696AF9

Memory Dump Source

Source File: 00000001.00000002.4113496277.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5690000_server.jbxd

Similarity

API ID:
String ID: $\Ok$2k
API String ID: 0-804809350
Opcode ID: e898a08b1b5a59a4348c93928207c430b19c8d99482a4566d309dc8c6e1fd000
Instruction ID: 5b6318fa460160e0a8b05b072a7e44924fa2ac21545faab865e5a720e1012d9a
Opcode Fuzzy Hash: e898a08b1b5a59a4348c93928207c430b19c8d99482a4566d309dc8c6e1fd000
Instruction Fuzzy Hash: 7A133874A01228CFEB25DF34D894BA9B7B2FB48304F1041EAD9096B394DB399E95DF50

Function 05694544 Relevance: 5.4, Strings: 3, Instructions: 1618
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 05694BC4
2k, xrefs: 0569541D
\Ok, xrefs: 05696AF9

Memory Dump Source

Source File: 00000001.00000002.4113496277.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5690000_server.jbxd

Similarity

API ID:
String ID: $\Ok$2k
API String ID: 0-804809350
Opcode ID: 3b9c57436142020b0cf3b11a956a75f8222b75f6c98c11cff8fbc927b15860ab
Instruction ID: 1300cab45ca1bda727a5cd0444298212f2e3c18f24a49519b0e04f5f0adde8e2
Opcode Fuzzy Hash: 3b9c57436142020b0cf3b11a956a75f8222b75f6c98c11cff8fbc927b15860ab
Instruction Fuzzy Hash: A9033874A01228CFEB25DF34D894BA9B7B2FB48304F1041EAD9096B394DB399E95DF50

Function 05694630 Relevance: 5.3, Strings: 3, Instructions: 1579
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 05694BC4
2k, xrefs: 0569541D
\Ok, xrefs: 05696AF9

Memory Dump Source

Source File: 00000001.00000002.4113496277.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5690000_server.jbxd

Similarity

API ID:
String ID: $\Ok$2k
API String ID: 0-804809350
Opcode ID: 2effd98f72fe50c37528630e84691f6ed29b991e6f4872bb22082d36d3569e88
Instruction ID: 6b72f243daf6cf9e3383bc541555c2e9458c5cf1964d4b9bce9f71acf3e4a39f
Opcode Fuzzy Hash: 2effd98f72fe50c37528630e84691f6ed29b991e6f4872bb22082d36d3569e88
Instruction Fuzzy Hash: 51033774A01228CFEB25DF74D894BA9B7B2FB48304F1041EAD8096B394DB399E95DF50

Function 0569470F Relevance: 5.3, Strings: 3, Instructions: 1544
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 05694BC4
2k, xrefs: 0569541D
\Ok, xrefs: 05696AF9

Memory Dump Source

Source File: 00000001.00000002.4113496277.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5690000_server.jbxd

Similarity

API ID:
String ID: $\Ok$2k
API String ID: 0-804809350
Opcode ID: c34f4154300773154ad9adfb2af077c4e6b6d11d7159603f2125e0d4eff5a075
Instruction ID: affc9af972a8649a03be2f17fa6fd58a1b134646d58094079d526a8e0903d2dc
Opcode Fuzzy Hash: c34f4154300773154ad9adfb2af077c4e6b6d11d7159603f2125e0d4eff5a075
Instruction Fuzzy Hash: CBF23874A01228CFEB25DF74D894BA9B7B2FB48304F1041EAD8096B394DB399E95DF50

Function 05694936 Relevance: 5.2, Strings: 3, Instructions: 1456
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 05694BC4
2k, xrefs: 0569541D
\Ok, xrefs: 05696AF9

Memory Dump Source

Source File: 00000001.00000002.4113496277.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5690000_server.jbxd

Similarity

API ID:
String ID: $\Ok$2k
API String ID: 0-804809350
Opcode ID: e6fc978e729bf9fceba37ef6b5c845a960ea964de8505accd99dc3ac91d788da
Instruction ID: 32a9bd69a58c612561d9028d52fb6a1c62d961dbd414e121d62340cf48db7433
Opcode Fuzzy Hash: e6fc978e729bf9fceba37ef6b5c845a960ea964de8505accd99dc3ac91d788da
Instruction Fuzzy Hash: 6DF23874A01228CFEB25DF34D894BA9B7B2FB48304F1041EAD84A67394DB399E95DF50

Function 05694B5B Relevance: 5.1, Strings: 3, Instructions: 1383
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 05694BC4
2k, xrefs: 0569541D
\Ok, xrefs: 05696AF9

Memory Dump Source

Source File: 00000001.00000002.4113496277.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5690000_server.jbxd

Similarity

API ID:
String ID: $\Ok$2k
API String ID: 0-804809350
Opcode ID: ce0aaf6707fb8993280eb1151be2b8aa3c43e05b26f363075d389f1215f32988
Instruction ID: 87bb64151b7cd98378a54b97033d750f56b782e673ea512828b8ab49eb71f226
Opcode Fuzzy Hash: ce0aaf6707fb8993280eb1151be2b8aa3c43e05b26f363075d389f1215f32988
Instruction Fuzzy Hash: 2CE24874A01228CFEB25DF34D894BA9B7B2FB48304F1041EAD84A67394DB399E95DF50

Function 05694F2F Relevance: 3.7, Strings: 2, Instructions: 1245
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2k, xrefs: 0569541D
\Ok, xrefs: 05696AF9

Memory Dump Source

Source File: 00000001.00000002.4113496277.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5690000_server.jbxd

Similarity

API ID:
String ID: \Ok$2k
API String ID: 0-3697909212
Opcode ID: 520f310a31e72cee0ed6ba36cb83d26ac8044c8bd512971fa6402e49493d227c
Instruction ID: 2b1ec96330480cbf925aeff67088edcc131d98503c026f706120bfce1d92a63c
Opcode Fuzzy Hash: 520f310a31e72cee0ed6ba36cb83d26ac8044c8bd512971fa6402e49493d227c
Instruction Fuzzy Hash: 7ED23974A01228CFEB25DF34D894BA9B7B2FB48304F1041EAD849A7394DB399E95DF50

Function 05695000 Relevance: 3.7, Strings: 2, Instructions: 1230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2k, xrefs: 0569541D
\Ok, xrefs: 05696AF9

Memory Dump Source

Source File: 00000001.00000002.4113496277.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5690000_server.jbxd

Similarity

API ID:
String ID: \Ok$2k
API String ID: 0-3697909212
Opcode ID: cafde2e314848e60af1dac29c966f58d359b73d0212632da9d3ab12530098ce7
Instruction ID: fa99ae6c17ef3615c06e1bc6a7cc11d572b2ae31909d35426420c285740406d3
Opcode Fuzzy Hash: cafde2e314848e60af1dac29c966f58d359b73d0212632da9d3ab12530098ce7
Instruction Fuzzy Hash: 80D23874A01228CFEB25DF34D894BA9B7B2FB48304F1041EAD849A7394DB399E95DF50

Function 0569505D Relevance: 3.7, Strings: 2, Instructions: 1225COMMON

Download Yara Rule

Strings

2k, xrefs: 0569541D
\Ok, xrefs: 05696AF9

Memory Dump Source

Source File: 00000001.00000002.4113496277.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5690000_server.jbxd

Similarity

API ID:
String ID: \Ok$2k
API String ID: 0-3697909212
Opcode ID: 971bd6112c392691846f5835a263afc5ebeeb74d030e144a713331ca95cceb4c
Instruction ID: ad17a8b7035c7f6c4d80ece28c7ce03daa6ce421ec147d91050fba677b682821
Opcode Fuzzy Hash: 971bd6112c392691846f5835a263afc5ebeeb74d030e144a713331ca95cceb4c
Instruction Fuzzy Hash: A8D23874A01228CFEB25DF34D894BA9B7B2FB48304F1041EAD849A7394DB399E95DF50

Function 056950E3 Relevance: 3.7, Strings: 2, Instructions: 1210COMMON

Download Yara Rule

Strings

2k, xrefs: 0569541D
\Ok, xrefs: 05696AF9

Memory Dump Source

Source File: 00000001.00000002.4113496277.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5690000_server.jbxd

Similarity

API ID:
String ID: \Ok$2k
API String ID: 0-3697909212
Opcode ID: 0a92291fdbc96f53e02b2c3b0fb30acfed87082bd66cb135854eb632f0077bf3
Instruction ID: 6b148baec607401f68a16618c4dce95c30bf4569610cd25683080ce4882d1595
Opcode Fuzzy Hash: 0a92291fdbc96f53e02b2c3b0fb30acfed87082bd66cb135854eb632f0077bf3
Instruction Fuzzy Hash: C7D23874A01228CFEB25DF34D894BA9B7B2FB48304F1041EAD849A7394DB399E95DF50

Function 0569536F Relevance: 3.6, Strings: 2, Instructions: 1071COMMON

Download Yara Rule

Strings

2k, xrefs: 0569541D
\Ok, xrefs: 05696AF9

Memory Dump Source

Source File: 00000001.00000002.4113496277.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5690000_server.jbxd

Similarity

API ID:
String ID: \Ok$2k
API String ID: 0-3697909212
Opcode ID: b15f21c5b1e733c0931840a0edc9149abc215823173685b2c1a6133b162f84a2
Instruction ID: 73c541477f4bdf46683ab2f52023f788047c75ba323d22d1e2a6a9dbd046b54c
Opcode Fuzzy Hash: b15f21c5b1e733c0931840a0edc9149abc215823173685b2c1a6133b162f84a2
Instruction Fuzzy Hash: 82C22874A01228CFEB25DF70D894BA9B7B6FB48304F1041E9D90A6B394DB399E95CF50

Function 05695459 Relevance: 2.3, Strings: 1, Instructions: 1040COMMON

Download Yara Rule

Strings

\Ok, xrefs: 05696AF9

Memory Dump Source

Source File: 00000001.00000002.4113496277.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5690000_server.jbxd

Similarity

API ID:
String ID: \Ok
API String ID: 0-3677890257
Opcode ID: c11807033c9155a0400ef623ad34934034b84a0bfb070d91a79c3d95bdd47b72
Instruction ID: 7d799525ad730abd6bedb00a10415c325edda652b6cc6d94b6eda5270370b6d4
Opcode Fuzzy Hash: c11807033c9155a0400ef623ad34934034b84a0bfb070d91a79c3d95bdd47b72
Instruction Fuzzy Hash: 1AC22974A01228CFEB25DF70D894BA9B7B6FB48304F1041E9D90A6B394DB399E95CF50

Function 0157BC17 Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0157BC97

Memory Dump Source

Source File: 00000001.00000002.4111385655.000000000157A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_157a000_server.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: b3aa0a7fd21f9ff214510d4e22d031d7e45337110aa771b35369b18db9101672
Instruction ID: 41bc432f71e2aafcb19decaa70e93a04ca4a8e8542b1b976d172e77f6d308882
Opcode Fuzzy Hash: b3aa0a7fd21f9ff214510d4e22d031d7e45337110aa771b35369b18db9101672
Instruction Fuzzy Hash: 3821DE765097809FEB238F25DC45B52BFF8EF06310F0884DAE9858F163D275A908DB62

Function 0157BD99 Relevance: 1.6, APIs: 1, Instructions: 57nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 0157BE05

Memory Dump Source

Source File: 00000001.00000002.4111385655.000000000157A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_157a000_server.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 5e3f16dfef39cc959a54ea8862cf128ac36208503b2ce1dee68da0e86f0f49ab
Instruction ID: 3cf05e99c81d9f73748b34ed58f84125cef463a4c7c9c583f5ae20eb93611f96
Opcode Fuzzy Hash: 5e3f16dfef39cc959a54ea8862cf128ac36208503b2ce1dee68da0e86f0f49ab
Instruction Fuzzy Hash: 1B1190724097C09FDB228F24DC45A52FFB4EF06324F0984DAED844F663D275A908DB62

Function 0157BC4E Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0157BC97

Memory Dump Source

Source File: 00000001.00000002.4111385655.000000000157A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_157a000_server.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 19a54a41e92ce631f5d68c93d7ec6282547320e09b8baa9fa0f285aa6fde4295
Instruction ID: 1190969979f9b59b33351361a2f5cc2cf702ea203a2ad9e6a3a376815a29a1d0
Opcode Fuzzy Hash: 19a54a41e92ce631f5d68c93d7ec6282547320e09b8baa9fa0f285aa6fde4295
Instruction Fuzzy Hash: 5511A3355006049FEB20CF19E945B56FBE8FF08210F08C8AADD468F652D735E454DB61

Function 0157BDCA Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 0157BE05

Memory Dump Source

Source File: 00000001.00000002.4111385655.000000000157A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_157a000_server.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: c241c4a66a209044fe5b2eb8420f0e60ba6a64d3069bfd9f5e5b8b3faa6531ce
Instruction ID: be4cece4719bf246149072047ca4ae7644f1905cdcf61687976ef7f6e6d0485d
Opcode Fuzzy Hash: c241c4a66a209044fe5b2eb8420f0e60ba6a64d3069bfd9f5e5b8b3faa6531ce
Instruction Fuzzy Hash: E1018F324006449FDB218F19E945B65FBE0FF08220F08C8AADE450F752D376A858CFA2

Function 05697910 Relevance: .5, Instructions: 493COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4113496277.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5690000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ede7ece9276653cec950bb5aa06e4d83d4904985a74dfc6715a1d74c4a8915d
Instruction ID: 0cd0ed45c1a717bec36ca98f080d9b3882c0936dff5b32687fc4a36ae0095f43
Opcode Fuzzy Hash: 6ede7ece9276653cec950bb5aa06e4d83d4904985a74dfc6715a1d74c4a8915d
Instruction Fuzzy Hash: 22021872A11222DBDF2DCB30D45047DB3AAFF826513164176D895AB794EF2EEC42CB90

Function 05690118 Relevance: 5.1, Strings: 4, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2k, xrefs: 056901A8
5])k^, xrefs: 05690194, 05690199
2k, xrefs: 05690154
E])k^, xrefs: 05690140, 05690145

Memory Dump Source

Source File: 00000001.00000002.4113496277.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5690000_server.jbxd

Similarity

API ID:
String ID: 2k$2k$5])k^$E])k^
API String ID: 0-1196077540
Opcode ID: cfe44258e6fa86c7e523650bbcdf521e76dfbb67c6476b7cfc1a625395d47716
Instruction ID: ed58bc3649d072345d247e0efb3004d4e853dd7d20cc4c7c2ca7a565ab5d1f51
Opcode Fuzzy Hash: cfe44258e6fa86c7e523650bbcdf521e76dfbb67c6476b7cfc1a625395d47716
Instruction Fuzzy Hash: C811C6356042418FD315A779B0126AD3BA7ABC329872458AED041DF355CFAE4C4AC7B2

Function 056937E1 Relevance: 3.0, Strings: 2, Instructions: 490COMMON

Download Yara Rule

Strings

\Ok, xrefs: 05693885
2k, xrefs: 05693C2E

Memory Dump Source

Source File: 00000001.00000002.4113496277.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5690000_server.jbxd

Similarity

API ID:
String ID: \Ok$2k
API String ID: 0-3697909212
Opcode ID: 95bc4fc151d8a341809d8f10cfc358226a91dcc2ed8caa4f43a305254352d3ce
Instruction ID: f27dd1f99ee2fad05d24a3e0f293322b16b649445a2a3d97b80db8b7234b46f5
Opcode Fuzzy Hash: 95bc4fc151d8a341809d8f10cfc358226a91dcc2ed8caa4f43a305254352d3ce
Instruction Fuzzy Hash: 87222730A00218CFDB28DF74D955BADB7B2FB49308F1045AAD40AAB394DB799E95CF50

Function 05693804 Relevance: 2.8, Strings: 2, Instructions: 276COMMON

Download Yara Rule

Strings

\Ok, xrefs: 05693885
2k, xrefs: 05693C2E

Memory Dump Source

Source File: 00000001.00000002.4113496277.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5690000_server.jbxd

Similarity

API ID:
String ID: \Ok$2k
API String ID: 0-3697909212
Opcode ID: 1d7f494a2f7f4d60d2340c1463b83a0d3073a301f5533f5a1276e168d963d80e
Instruction ID: 69b1b5eaa7fbd6aeced2f45b02e2c0f21bf73769cc32cc4b654edfa766d8437d
Opcode Fuzzy Hash: 1d7f494a2f7f4d60d2340c1463b83a0d3073a301f5533f5a1276e168d963d80e
Instruction Fuzzy Hash: CDC15830A00219CFDB28DBB4D855BADB7B2FB85304F1045AAD40AAB394DB795D85CF91

Function 0569562A Relevance: 2.2, Strings: 1, Instructions: 963COMMON

Download Yara Rule

Strings

\Ok, xrefs: 05696AF9

Memory Dump Source

Source File: 00000001.00000002.4113496277.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5690000_server.jbxd

Similarity

API ID:
String ID: \Ok
API String ID: 0-3677890257
Opcode ID: de432ca8150ad75b865bd28d768981b5d5c12966ee3f8f3d377d4503ca677f9f
Instruction ID: 2287607ab0d955a6bc0018379b82894f1361298ebc8836bc6cb64fada7ce03a3
Opcode Fuzzy Hash: de432ca8150ad75b865bd28d768981b5d5c12966ee3f8f3d377d4503ca677f9f
Instruction Fuzzy Hash: 02B22874A01228CFEB29DF70D994BA9B7B6FB48304F1041E9D8096B394DB399E95CF50

Function 05695918 Relevance: 2.1, Strings: 1, Instructions: 849COMMON

Download Yara Rule

Strings

\Ok, xrefs: 05696AF9

Memory Dump Source

Source File: 00000001.00000002.4113496277.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5690000_server.jbxd

Similarity

API ID:
String ID: \Ok
API String ID: 0-3677890257
Opcode ID: 132915515005642fafff392672f85154ed5f006f4e995581b12e68b4ef658815
Instruction ID: 0e974a0f76ebf5d532555075fa22a64ee6e486be0a33f044455fd070adde1e47
Opcode Fuzzy Hash: 132915515005642fafff392672f85154ed5f006f4e995581b12e68b4ef658815
Instruction Fuzzy Hash: 13921874A01228CFEB29DF70D994BA9B7B6FB48304F1041E9D9096B394DB399E91CF50

Function 05695C06 Relevance: 2.0, Strings: 1, Instructions: 735COMMON

Download Yara Rule

Strings

\Ok, xrefs: 05696AF9

Memory Dump Source

Source File: 00000001.00000002.4113496277.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5690000_server.jbxd

Similarity

API ID:
String ID: \Ok
API String ID: 0-3677890257
Opcode ID: a4045cff8dd3dd02ed141d620c2833270eba2e794fddbb93bb432627ccb7cc63
Instruction ID: 95ef10fce8daeff7b5c72b03f6b680341cba44a0ccab1ae7393aea2949b0b632
Opcode Fuzzy Hash: a4045cff8dd3dd02ed141d620c2833270eba2e794fddbb93bb432627ccb7cc63
Instruction Fuzzy Hash: 34822B74A01228CFEB29DF34D994BA9B7B6FB48304F1041E9D9096B394DB399E91CF50

Function 05695D7D Relevance: 1.9, Strings: 1, Instructions: 678COMMON

Download Yara Rule

Strings

\Ok, xrefs: 05696AF9

Memory Dump Source

Source File: 00000001.00000002.4113496277.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5690000_server.jbxd

Similarity

API ID:
String ID: \Ok
API String ID: 0-3677890257
Opcode ID: 8f04669fe79d841cefa3e41187773239271d3a5471115026537c4c2d0bf357e5
Instruction ID: 3ffaa66ee381bb85e01c57c0dd608752b7803dbf7aee4568c73f5cfe32d337fa
Opcode Fuzzy Hash: 8f04669fe79d841cefa3e41187773239271d3a5471115026537c4c2d0bf357e5
Instruction Fuzzy Hash: 29722C74A01228CFEB29DF34D994BA9B7B6FB48304F1041E9D909A7394DB399E91CF50

Function 0569606B Relevance: 1.8, Strings: 1, Instructions: 564COMMON

Download Yara Rule

Strings

\Ok, xrefs: 05696AF9

Memory Dump Source

Source File: 00000001.00000002.4113496277.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5690000_server.jbxd

Similarity

API ID:
String ID: \Ok
API String ID: 0-3677890257
Opcode ID: 167b9baca2ad3314777b5c6d5ca777ed466ee3082aaf6f3b8430a294fb28fa2c
Instruction ID: adfdffa7a7f8330894dc29a2aba42a548426f20e6017991a4603cc34c1acdf9c
Opcode Fuzzy Hash: 167b9baca2ad3314777b5c6d5ca777ed466ee3082aaf6f3b8430a294fb28fa2c
Instruction Fuzzy Hash: FD521A74A01228CFDB29DF34D994BA9B7B6FB49304F1041E9D909AB394DB399E91CF40

Function 05696359 Relevance: 1.7, Strings: 1, Instructions: 450COMMON

Download Yara Rule

Strings

\Ok, xrefs: 05696AF9

Memory Dump Source

Source File: 00000001.00000002.4113496277.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5690000_server.jbxd

Similarity

API ID:
String ID: \Ok
API String ID: 0-3677890257
Opcode ID: 352efc2e3189f4073096f952de2eae174c3e67a4273d672050a5a70c2a39704a
Instruction ID: 87ea84c52a7d579ae9b149fafe44c883dc3adcc8b0496ea9d901f3ed265559c4
Opcode Fuzzy Hash: 352efc2e3189f4073096f952de2eae174c3e67a4273d672050a5a70c2a39704a
Instruction Fuzzy Hash: 16320A74A01228CFDB29DF34D994BA9B7B6FB49305F1041EAD909A7394DB399E91CF00

Function 0157B126 Relevance: 1.6, APIs: 1, Instructions: 108registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0157B1F5

Memory Dump Source

Source File: 00000001.00000002.4111385655.000000000157A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_157a000_server.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: cb8f546d4524314aa1cf46429a12816e7c79bd940c9e3ab391f2fa5dc1b6d47a
Instruction ID: 8b7d9c738251a563f6c0446e9645023cf301c74c1d1418d2a696bf78ea2ade1c
Opcode Fuzzy Hash: cb8f546d4524314aa1cf46429a12816e7c79bd940c9e3ab391f2fa5dc1b6d47a
Instruction Fuzzy Hash: 3F3190725097806FE7238B649C55FA6BFB8EF17210F0985DBE980CB5A3D224A90DC771

Function 05800007 Relevance: 1.6, APIs: 1, Instructions: 103registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 058000CD

Memory Dump Source

Source File: 00000001.00000002.4113616956.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5800000_server.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 704d5682698ba1d5963687e611010d56403cc6e6b5cd70d2921d3f38e9572b85
Instruction ID: 9535c54c77ea66480d26425239813883ebacc84d7deeac6a5c4f14ac49fc19a3
Opcode Fuzzy Hash: 704d5682698ba1d5963687e611010d56403cc6e6b5cd70d2921d3f38e9572b85
Instruction Fuzzy Hash: 4A31C372504344AFE7228B25DC44FA7BBFCEF05214F08859AF985CB652E364E848CB71

Function 05801613 Relevance: 1.6, APIs: 1, Instructions: 98registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 058016DA

Memory Dump Source

Source File: 00000001.00000002.4113616956.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5800000_server.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 4c65e401c7149adf3162f86c1b1ea55302b4df449490565e671869200305962d
Instruction ID: be839b47d12671cdbb71f19a26a521dbd9d5d802b2366325a5837a7c07de93a9
Opcode Fuzzy Hash: 4c65e401c7149adf3162f86c1b1ea55302b4df449490565e671869200305962d
Instruction Fuzzy Hash: 4E318B7510E3C06FD3138B258C65A61BFB4EF47610F0E45CBE8848F6A3D229A909D7B2

Function 05802240 Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E24), ref: 05802307

Memory Dump Source

Source File: 00000001.00000002.4113616956.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5800000_server.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: be27a21b4ba17c499f733c3a9b2f084510331868316c3975ec6f5e4baf4fca74
Instruction ID: 05baa90da0d7bf2a2d0b1005dbec7b0d20690276a8a556787b4280c6e75b3003
Opcode Fuzzy Hash: be27a21b4ba17c499f733c3a9b2f084510331868316c3975ec6f5e4baf4fca74
Instruction Fuzzy Hash: CC31C2B2504340AFE721CB64DC84FA6FBACEF15314F04489AFA499B691D374E949CB71

Function 0157AA75 Relevance: 1.6, APIs: 1, Instructions: 92fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0157AB25

Memory Dump Source

Source File: 00000001.00000002.4111385655.000000000157A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_157a000_server.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5af1df22646270fb3f9e8edb73c01c990f7b9eb84121766a9fe9f026c3652db5
Instruction ID: 2c37c106a2971771b62166df6ffcfdad151ec2cb81b1aa796201ecd5ae8b917b
Opcode Fuzzy Hash: 5af1df22646270fb3f9e8edb73c01c990f7b9eb84121766a9fe9f026c3652db5
Instruction Fuzzy Hash: EB31A071504340AFE722CF25DC85F66BFF8EF05210F08889AE9898B652D375E808CB71

Function 05802138 Relevance: 1.6, APIs: 1, Instructions: 90timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E24,4FFD7EB5,00000000,00000000,00000000,00000000), ref: 058021D5

Memory Dump Source

Source File: 00000001.00000002.4113616956.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5800000_server.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 44ab9573b2eefc11a50319d23739ea6745aef524a08118f1256054fe8f96e49c
Instruction ID: ed9e2a1ee337cc1dca6360e1ac25569e47b5ccc291413f2ee307fc259a1953b3
Opcode Fuzzy Hash: 44ab9573b2eefc11a50319d23739ea6745aef524a08118f1256054fe8f96e49c
Instruction Fuzzy Hash: F631E8725057806FE722CF54DC45FA6BFB8EF06310F08849AE985CB193D2359909C771

Function 0157AF76 Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0157B01D

Memory Dump Source

Source File: 00000001.00000002.4111385655.000000000157A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_157a000_server.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 383bc60ce1f2c7704cf1145a11e5069ec0d6cb0d75636f1807dfa331521ed8ad
Instruction ID: 5785436a84c0932ef4e1fdac5d3fff8b126e9f204f9e3e056a42f3035bf94962
Opcode Fuzzy Hash: 383bc60ce1f2c7704cf1145a11e5069ec0d6cb0d75636f1807dfa331521ed8ad
Instruction Fuzzy Hash: E231B3B15097806FE722CB29DD85B96BFF8EF06214F08849AE944CF293D375A908C771

Function 0157B23D Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,4FFD7EB5,00000000,00000000,00000000,00000000), ref: 0157B2F8

Memory Dump Source

Source File: 00000001.00000002.4111385655.000000000157A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_157a000_server.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: f6ae6e704a1950e22b3c3fbc93647942af796e9178ce8fffcabe35ba2af6e197
Instruction ID: 240d21911c23342341f302d306a34e4723200fba7a518af43de0435644539439
Opcode Fuzzy Hash: f6ae6e704a1950e22b3c3fbc93647942af796e9178ce8fffcabe35ba2af6e197
Instruction Fuzzy Hash: DB31D1751053806FE722CF25DC45FA6BFBCEF06210F08849AE9458B253D264E948CB71

Function 05801B2C Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 05801BC3

Memory Dump Source

Source File: 00000001.00000002.4113616956.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5800000_server.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: fc71143d93284b9e16124c0609be4074f05a44b6ca6d3d76635db8615752560c
Instruction ID: 3193a21460f69689af67ebb6a7c6343ee6dda2b17952331ef42b0ad7e8611dd6
Opcode Fuzzy Hash: fc71143d93284b9e16124c0609be4074f05a44b6ca6d3d76635db8615752560c
Instruction Fuzzy Hash: 2D318172604384AFE7218F64DC45FA7BFB8EF45220F0884AAE945DB652D374E948CB71

Function 058006A4 Relevance: 1.6, APIs: 1, Instructions: 86COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E24,4FFD7EB5,00000000,00000000,00000000,00000000), ref: 05800738

Memory Dump Source

Source File: 00000001.00000002.4113616956.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5800000_server.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: a3ee378b6164b5656e5ab109d474d705819649cc27f0d1f3f688c38c0de78184
Instruction ID: 6f4ba8f7fb6b4abdf40bfc763012754c3c4a311f055ad43e44588cd4bd43fd1f
Opcode Fuzzy Hash: a3ee378b6164b5656e5ab109d474d705819649cc27f0d1f3f688c38c0de78184
Instruction Fuzzy Hash: 5221D6725097805FE7128B64DC45FA6BFB8EF46324F0884DAE944CF193D2749909CB71

Function 05800032 Relevance: 1.6, APIs: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 058000CD

Memory Dump Source

Source File: 00000001.00000002.4113616956.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5800000_server.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 61c3d61a926aca7903c186a1e9c9aa0aebad3feda5aee29abb6424475ffe219c
Instruction ID: f01b259ce4fba76dd9b6c119ab63cd1ec888a0d4b65edf14834ba1f63cdc2ba2
Opcode Fuzzy Hash: 61c3d61a926aca7903c186a1e9c9aa0aebad3feda5aee29abb6424475ffe219c
Instruction Fuzzy Hash: 41219E72600604EFE731DE29DC44FA7BBECEF08214F04892AED46C6691E734E9488A71

Function 0157A6CE Relevance: 1.6, APIs: 1, Instructions: 85comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?,00000E24,?,?), ref: 0157A77E

Memory Dump Source

Source File: 00000001.00000002.4111385655.000000000157A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_157a000_server.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: ba347c7a0af9962b3a0ae1b36f0513962f3d8fec14ea57e443a9e059b0c3ff0e
Instruction ID: ad18894597d5dacbac81732e7bdb56174afba308837439fabe0e54905d2896ca
Opcode Fuzzy Hash: ba347c7a0af9962b3a0ae1b36f0513962f3d8fec14ea57e443a9e059b0c3ff0e
Instruction Fuzzy Hash: 0731807544D3C06FD3138B259C61B61BFB4EF87610F0A40DBE884CB6A3D2296919D7B2

Function 05800115 Relevance: 1.6, APIs: 1, Instructions: 85registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,4FFD7EB5,00000000,00000000,00000000,00000000), ref: 058001C4

Memory Dump Source

Source File: 00000001.00000002.4113616956.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5800000_server.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 8c9e7b1693115a7e488586b5828afd713809d553d60f7e77721eb16232a8cab9
Instruction ID: fc6e20c24668024f74400a88ccb44ffb68756d35b7cd1c4f6811354e1a998ade
Opcode Fuzzy Hash: 8c9e7b1693115a7e488586b5828afd713809d553d60f7e77721eb16232a8cab9
Instruction Fuzzy Hash: 9F319872409780AFE7228F55DC55B56FFB8EF06310F0844DAE9858F6A2D274A948C761

Function 0580322C Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E24,4FFD7EB5,00000000,00000000,00000000,00000000), ref: 058032C3

Memory Dump Source

Source File: 00000001.00000002.4113616956.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5800000_server.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: b31f3da810ab4a77bd9f49f3f5cea062c52fb83987e2b96a3040a44509d150e7
Instruction ID: 428b73bccb84224f1d5ccebecd4ed6c7f573cc272980ab2292b57a22a7ef7105
Opcode Fuzzy Hash: b31f3da810ab4a77bd9f49f3f5cea062c52fb83987e2b96a3040a44509d150e7
Instruction Fuzzy Hash: 3721E6725097806FE713CB24DC55B96BFA8EF46214F0888DBE984CF193D6349908C771

Function 05802262 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E24), ref: 05802307

Memory Dump Source

Source File: 00000001.00000002.4113616956.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5800000_server.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: ab6dab44a1938fd0d1af78a530f1e11fc4b53cb5e8eb7d72fa7eadb6441f25c2
Instruction ID: 96fb88a983fe9ecf32a8df3c6b119b63e96de307bf083074abdb7866a51d6228
Opcode Fuzzy Hash: ab6dab44a1938fd0d1af78a530f1e11fc4b53cb5e8eb7d72fa7eadb6441f25c2
Instruction Fuzzy Hash: F821E471500204AEE730DB54CC84FA6F7ACEB14314F04485AFE49DA681D7B5E9488B71

Function 0157B42C Relevance: 1.6, APIs: 1, Instructions: 82windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(?,00000E24), ref: 0157B4D5

Memory Dump Source

Source File: 00000001.00000002.4111385655.000000000157A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_157a000_server.jbxd

Similarity

API ID: MessageSendTimeout
String ID:
API String ID: 1599653421-0
Opcode ID: f147d416223649cbcec6540b5aaabb4a5079922f7f9c4726e8fbbcfd708827bf
Instruction ID: d436358bf7abf73b22525e5d76035b84ea1098aacb09e4c23fc1d9381cef7c02
Opcode Fuzzy Hash: f147d416223649cbcec6540b5aaabb4a5079922f7f9c4726e8fbbcfd708827bf
Instruction Fuzzy Hash: 1921E471104740AFE7228F64DC45FA6FFB8EF46310F08889AF9848F662D375A508CB61

Function 0580315D Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

select.WS2_32(?,?,?,?,?), ref: 058031EC

Memory Dump Source

Source File: 00000001.00000002.4113616956.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5800000_server.jbxd

Similarity

API ID: select
String ID:
API String ID: 1274211008-0
Opcode ID: 06e4bcc1ded143a4f8d81ecac8deb70034dc02164fcd42a5c7d508541df922d0
Instruction ID: e0b0d83281c60ef1e41e06cb72808fe79c78e92f3198dc3f4f0a8cdab0cb7e89
Opcode Fuzzy Hash: 06e4bcc1ded143a4f8d81ecac8deb70034dc02164fcd42a5c7d508541df922d0
Instruction Fuzzy Hash: D9217E715097849FDB22CF25DC44B62BFF8EF0A210F0988DAED85CB162D234A909CB61

Function 0157B34E Relevance: 1.6, APIs: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,4FFD7EB5,00000000,00000000,00000000,00000000), ref: 0157B3E4

Memory Dump Source

Source File: 00000001.00000002.4111385655.000000000157A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_157a000_server.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: d01ad1793c6f63a664a4a1075c51466273ae9fac8e144cd76e0388bcd906a23a
Instruction ID: 13083870b68ec9592afeebc089fd1738de0aac2d2309d95fca83ed557675a612
Opcode Fuzzy Hash: d01ad1793c6f63a664a4a1075c51466273ae9fac8e144cd76e0388bcd906a23a
Instruction Fuzzy Hash: 7321A1725047806FE7228F55DC45FA7BFBCEF46210F08859AE9858B292D374E848C7B1

Function 05801CE2 Relevance: 1.6, APIs: 1, Instructions: 77fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 05801D76

Memory Dump Source

Source File: 00000001.00000002.4113616956.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5800000_server.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 7a1712300f902814c1fb677c5964632dffb1834c010f473173ffb27763a56120
Instruction ID: 544e9e53976fce4cbdb7e16ffe9a7d64baa53bc03f97ecdcb6fb1e1859a7e388
Opcode Fuzzy Hash: 7a1712300f902814c1fb677c5964632dffb1834c010f473173ffb27763a56120
Instruction Fuzzy Hash: 2F21B471404740AFE722CB19DD45F96FFF8EF09224F04899EE9858B652D375A908CBA1

Function 05801706 Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 05801792

Memory Dump Source

Source File: 00000001.00000002.4113616956.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5800000_server.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 2794109a602850edc370338ff68eeb168d839f5a4825fc32414b7595bedff09c
Instruction ID: 9e155ff436a1383825c66267a7335a2f2e515dd5d3533b13e304d67e254e7d8e
Opcode Fuzzy Hash: 2794109a602850edc370338ff68eeb168d839f5a4825fc32414b7595bedff09c
Instruction Fuzzy Hash: C7219171405740AFE721CF55DD45F66FFF8EF05220F08889AE9858B692D375A908CB61

Function 0157AAA6 Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0157AB25

Memory Dump Source

Source File: 00000001.00000002.4111385655.000000000157A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_157a000_server.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8916de9324b553872ff2540d7fc022b138dcb3fed44f6cebc48941a3c810c66b
Instruction ID: 40b2fbaea9f72779a8743dbdaf8f7415e978a6f6094008bf04457ea8fc5a79ac
Opcode Fuzzy Hash: 8916de9324b553872ff2540d7fc022b138dcb3fed44f6cebc48941a3c810c66b
Instruction Fuzzy Hash: 07219271500700AFE721CF69DD85F6AFBE8FF08210F08896AEA498B652D375E508CB71

Function 05801A3A Relevance: 1.6, APIs: 1, Instructions: 76registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,4FFD7EB5,00000000,00000000,00000000,00000000), ref: 05801AD8

Memory Dump Source

Source File: 00000001.00000002.4113616956.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5800000_server.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 9762e1c67efaa9263ca87f21cb122fdce2c70478611588e1d34d0c0ce1c6e673
Instruction ID: 019602f6283eb6e3c10f638404fd813a394191a627a0651d210af8a10d40ba3d
Opcode Fuzzy Hash: 9762e1c67efaa9263ca87f21cb122fdce2c70478611588e1d34d0c0ce1c6e673
Instruction Fuzzy Hash: 00219F72504780AFE722CB55DC48F67BFF8EF45720F08859AE9459B692D324E908CB61

Function 05800844 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,4FFD7EB5,00000000,?,?,?,?,?,?,?,?,6C823C58), ref: 058008CA

Memory Dump Source

Source File: 00000001.00000002.4113616956.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5800000_server.jbxd

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 9716a3772fc1cdc43cc976c626650037f82ffdd06b21a8d790a5fc0c169ba171
Instruction ID: 7a610af741f561e2e2125545c41a8db926a230b53f7a99865147635695e2dc44
Opcode Fuzzy Hash: 9716a3772fc1cdc43cc976c626650037f82ffdd06b21a8d790a5fc0c169ba171
Instruction Fuzzy Hash: 8D219C7150D7C09FEB128B75DC59A92BFB8AF47210F0D84DBE984CF1A3D2249908CB62

Function 05801B52 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 05801BC3

Memory Dump Source

Source File: 00000001.00000002.4113616956.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5800000_server.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 0411194f76575f7c2fe768d2436dfb14b04d361ec0e10b9bb47a0b913432be77
Instruction ID: 08a61cc95b2e6750f93f5fad1fb0618b09d329de4e210422c0713af927759648
Opcode Fuzzy Hash: 0411194f76575f7c2fe768d2436dfb14b04d361ec0e10b9bb47a0b913432be77
Instruction Fuzzy Hash: E5219572600204AFE720DE69DD45F6AFBACEF44324F04846AED45DB681D774E948CAB1

Function 0157B176 Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0157B1F5

Memory Dump Source

Source File: 00000001.00000002.4111385655.000000000157A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_157a000_server.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 8413a2a46805ba2d0c616078746deac9c8e51d7e3f6f19e5dd5b037fa79f0c19
Instruction ID: 996b042d6f40162827b3c35ad342bede9a9a5dd9b6f2d2e0dbc1071ce1548e35
Opcode Fuzzy Hash: 8413a2a46805ba2d0c616078746deac9c8e51d7e3f6f19e5dd5b037fa79f0c19
Instruction Fuzzy Hash: DD21D472500704AEE7319F59EC45FABFBECEF14214F04896AEA05CB641D734E9088AB1

Function 0157ADCE Relevance: 1.6, APIs: 1, Instructions: 73fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E24,4FFD7EB5,00000000,00000000,00000000,00000000), ref: 0157AE4D

Memory Dump Source

Source File: 00000001.00000002.4111385655.000000000157A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_157a000_server.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: ff43acf276dfdde062c6c38a28b61d2adc97fe6a24615bd7072845a09880f6e5
Instruction ID: 39b58080c13faf6b7826cd9b1d02d0c9c21669d6113fb60ce848e10f0c325b5d
Opcode Fuzzy Hash: ff43acf276dfdde062c6c38a28b61d2adc97fe6a24615bd7072845a09880f6e5
Instruction Fuzzy Hash: C621D472404340AFE7228F55DC44FA7BFACEF45310F08885AF9448B652D234A908CBB1

Function 0157AC37 Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,4FFD7EB5,00000000,00000000,00000000,00000000), ref: 0157ACBD

Memory Dump Source

Source File: 00000001.00000002.4111385655.000000000157A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_157a000_server.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 6f4beb2edc03b1a63f60a29e50eb95837a5e45559ee33f779c30ac1ae18a0e70
Instruction ID: e9897037be7232c0ded89fca921b771d51b0d3f3eaa874c0d31f8d1550baf80d
Opcode Fuzzy Hash: 6f4beb2edc03b1a63f60a29e50eb95837a5e45559ee33f779c30ac1ae18a0e70
Instruction Fuzzy Hash: 2921D8B54087806FE7128B15DC45BA6BFBCEF46314F0884D6F9848F253D274A909D771

Function 0157A9BF Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0157AA44

Memory Dump Source

Source File: 00000001.00000002.4111385655.000000000157A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_157a000_server.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: d0388442d23b9dcb5b10f434a8037f0fb801319bd792262f73a503ab694f9471
Instruction ID: 023c6990e67f93d0b747f8e1d034de55b7ad524cb315ba101551fb3d3b1d13df
Opcode Fuzzy Hash: d0388442d23b9dcb5b10f434a8037f0fb801319bd792262f73a503ab694f9471
Instruction Fuzzy Hash: 8721897540E7C09FD7138B259C65A51BFB4EF53620F0E80DBD8848F6A3D2685808CB72

Function 0580332B Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E24,4FFD7EB5,00000000,00000000,00000000,00000000), ref: 058033A7

Memory Dump Source

Source File: 00000001.00000002.4113616956.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5800000_server.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 9f231355175d9e35205708282b88af452048fc2e568c0a2c0ee704eda7ea2a95
Instruction ID: b6f77f7138afed9d8bc737a3aaa165fd77b88d4faaf7651112e8a997891e0d3b
Opcode Fuzzy Hash: 9f231355175d9e35205708282b88af452048fc2e568c0a2c0ee704eda7ea2a95
Instruction Fuzzy Hash: 6321D7715043806FD722CB25DC45FA7BFACEF45210F0888AAF945CB292D374A908CBB1

Function 0157AFAA Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0157B01D

Memory Dump Source

Source File: 00000001.00000002.4111385655.000000000157A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_157a000_server.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 306f1c2c3f2a4542be5c01dda6397417ff59540d8003c535968affc672877a6e
Instruction ID: f73c4f4d6163e62602de1c927491cfcb3b3f64cfbf954ccec9a5d69cf2ae9400
Opcode Fuzzy Hash: 306f1c2c3f2a4542be5c01dda6397417ff59540d8003c535968affc672877a6e
Instruction Fuzzy Hash: CC2180715002449FE721DF29ED86BAAFBE8EF04214F088869E945CF642D775E908CAB1

Function 05801F79 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

shutdown.WS2_32(?,00000E24,4FFD7EB5,00000000,00000000,00000000,00000000), ref: 05801FFC

Memory Dump Source

Source File: 00000001.00000002.4113616956.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5800000_server.jbxd

Similarity

API ID: shutdown
String ID:
API String ID: 2510479042-0
Opcode ID: ca5db6a9970fa11b5ac9e36f80d4a6cbdc41659492d989f4b8eaa0ef05feb6d5
Instruction ID: 3896998204c15414fec15c42429d5cdf40bf3bd4830d1253063e381e873969c8
Opcode Fuzzy Hash: ca5db6a9970fa11b5ac9e36f80d4a6cbdc41659492d989f4b8eaa0ef05feb6d5
Instruction Fuzzy Hash: 6C21C5714093806FD7228B15DC45F56BFB8EF46210F0885DBE945DF292D378A948C771

Function 0157A140 Relevance: 1.6, APIs: 1, Instructions: 71networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,?), ref: 0157A1C1

Memory Dump Source

Source File: 00000001.00000002.4111385655.000000000157A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_157a000_server.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: ca12f510303b6ba9520662827dfb7b93b60682fcc25645b3c6189ac210d1e91b
Instruction ID: dc1e7714fa3fab4cb45de6d1d8c2d5cd8247b4bf83e51d520717b9fd03d2a132
Opcode Fuzzy Hash: ca12f510303b6ba9520662827dfb7b93b60682fcc25645b3c6189ac210d1e91b
Instruction Fuzzy Hash: C921CC7240D7C09FD7238B209C55A52BFB4EF07210F0D84DBD9848F5A3D279A809CB62

Function 0157B27E Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,4FFD7EB5,00000000,00000000,00000000,00000000), ref: 0157B2F8

Memory Dump Source

Source File: 00000001.00000002.4111385655.000000000157A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_157a000_server.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: cad124298c93e6acdb8689d097bc4b7ef9f269b577a5787cdefd2a697fe2ef99
Instruction ID: d82e3d1d0a3943468d93feaddba8ff184c12d76b6471b4e05ee8e23b27038145
Opcode Fuzzy Hash: cad124298c93e6acdb8689d097bc4b7ef9f269b577a5787cdefd2a697fe2ef99
Instruction Fuzzy Hash: B421A175600604AFE721CE19EC46FAABBECEF04610F04856AED058B651D774E848CAB1

Function 0157B719 Relevance: 1.6, APIs: 1, Instructions: 69fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 0157B78E

Memory Dump Source

Source File: 00000001.00000002.4111385655.000000000157A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_157a000_server.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 885b7c6c65a085291547b432861a79354d97206d84b0c05403a925854783343d
Instruction ID: 1a4525f1153699309af9cd84fab31fb0b9a7d6dcb9459724bcefb9ecb3c26ea3
Opcode Fuzzy Hash: 885b7c6c65a085291547b432861a79354d97206d84b0c05403a925854783343d
Instruction Fuzzy Hash: 552181725083809FEB228F29DC55B56FFE8EF46210F0884DAED85CF252D235E804CB61

Function 05803097 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E24,4FFD7EB5,00000000,00000000,00000000,00000000), ref: 05803113

Memory Dump Source

Source File: 00000001.00000002.4113616956.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5800000_server.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 43fe05e4afe9871ed48d10f56a870e17940a3c526f0ae8142b21b15afea190df
Instruction ID: a9583cfaec51b95b625832021618954b1fed936c2c76ff0af72e1a4b5f9b1569
Opcode Fuzzy Hash: 43fe05e4afe9871ed48d10f56a870e17940a3c526f0ae8142b21b15afea190df
Instruction Fuzzy Hash: 1421C372509380AFD722CF54DC44FA6BFB8EF45210F0888AAF9449F292D374A908C7B1

Function 0157B897 Relevance: 1.6, APIs: 1, Instructions: 68fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 0157B908

Memory Dump Source

Source File: 00000001.00000002.4111385655.000000000157A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_157a000_server.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 9da38e59689d01c52145d332f89b39a43a3f215900356873601325f9c588df19
Instruction ID: 2fd3f76e1177095e8b4b030f62680290ca3534eb42ba99d3599671427c3535a6
Opcode Fuzzy Hash: 9da38e59689d01c52145d332f89b39a43a3f215900356873601325f9c588df19
Instruction Fuzzy Hash: F521C3B25093809FD712CB25DC45B52BFB8EF06214F0984DAED85CF293D2749908CB62

Function 05801D02 Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 05801D76

Memory Dump Source

Source File: 00000001.00000002.4113616956.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5800000_server.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 6bb1770b3016c72edd584e27f156e40dd7665697a71ec3579d6ef35ecb1508d8
Instruction ID: 8e1b12b2d0fa1d5a338909635a161634a0100da10541d815f1ca420538e6b618
Opcode Fuzzy Hash: 6bb1770b3016c72edd584e27f156e40dd7665697a71ec3579d6ef35ecb1508d8
Instruction Fuzzy Hash: 8021D471500604AFE721CF19DD89FA6FBE8EF08324F048969ED458B681D375E809CBB1

Function 05802412 Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 0580248E

Memory Dump Source

Source File: 00000001.00000002.4113616956.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5800000_server.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 86cc2301ffa0b09417c58c5ba9231e076c90d9f188042424d016494920637d04
Instruction ID: d10cec17fbc3bec642a11428bec003c8428837c35389fce415e7efe38a6414e0
Opcode Fuzzy Hash: 86cc2301ffa0b09417c58c5ba9231e076c90d9f188042424d016494920637d04
Instruction Fuzzy Hash: 81219275508780AFDB628F55DC44B62FFF8EF06310F08849AED858B162D379A818DB71

Function 05801726 Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 05801792

Memory Dump Source

Source File: 00000001.00000002.4113616956.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5800000_server.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 824b998a080b78b8bbabd3aee00f1a5f4b28fa95d04bef72bf63ff042cfcd7e2
Instruction ID: 4e5e2fb5917172f7a9695d021469326fb4c9d078e9ffc15f23461a654fad29b3
Opcode Fuzzy Hash: 824b998a080b78b8bbabd3aee00f1a5f4b28fa95d04bef72bf63ff042cfcd7e2
Instruction Fuzzy Hash: 1321F671500604AFE721CF59DD85FA6FBE8EF08324F04886DED458B696D375A808CBB1

Function 0157B45A Relevance: 1.6, APIs: 1, Instructions: 66windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(?,00000E24), ref: 0157B4D5

Memory Dump Source

Source File: 00000001.00000002.4111385655.000000000157A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_157a000_server.jbxd

Similarity

API ID: MessageSendTimeout
String ID:
API String ID: 1599653421-0
Opcode ID: 3ed0835e425aa231ac18f84ab9a88e3b7213a2179d1deb67dcd4a24a0b62a32a
Instruction ID: 4c5a3aa6a1e17579acbb46807afdefa5cfc5e644892b8bf107312978d507e0d9
Opcode Fuzzy Hash: 3ed0835e425aa231ac18f84ab9a88e3b7213a2179d1deb67dcd4a24a0b62a32a
Instruction Fuzzy Hash: 1921D272500704AFEB318F54DD45FA6FBE8EF04710F14886AEE458E651D375A508CBB1

Function 058026CE Relevance: 1.6, APIs: 1, Instructions: 66libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E24), ref: 05802757

Memory Dump Source

Source File: 00000001.00000002.4113616956.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5800000_server.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ef4414156cd2306046a08c2a29ce55a0aff20d6d488a3ea6215df144ba2f38f5
Instruction ID: 7099e86cd5e1e70a72ec419c6c66daccab9d697771d247906524788420d3cd44
Opcode Fuzzy Hash: ef4414156cd2306046a08c2a29ce55a0aff20d6d488a3ea6215df144ba2f38f5
Instruction Fuzzy Hash: 141103755043806FE721CB15DC85FA6FFB8EF45320F08849AFD448F292C2B8A948CBA1

Function 0157B94F Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 0157B9BF

Memory Dump Source

Source File: 00000001.00000002.4111385655.000000000157A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_157a000_server.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: c5797be19023c6c1a68e5dec15622aa96ee9a5cb776b913b1ecd961a4a2b7074
Instruction ID: b82af6f6ec68918cfc9889a7347c94036e77f0c604c8ee4b564eed1ecb9643b2
Opcode Fuzzy Hash: c5797be19023c6c1a68e5dec15622aa96ee9a5cb776b913b1ecd961a4a2b7074
Instruction Fuzzy Hash: 2621D5715093C09FE7128B29DC85B56BFE8EF06220F0984DAE985CF263D2389904CB71

Function 0157B372 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,4FFD7EB5,00000000,00000000,00000000,00000000), ref: 0157B3E4

Memory Dump Source

Source File: 00000001.00000002.4111385655.000000000157A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_157a000_server.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 4f341a3ea047f2e47aac815137a0d3e9ea9a77b20e2ac41d1504ef889c17a4ed
Instruction ID: 0fb353dd8a96c83065242c8cf7fc2b059c8fb0e5d66696e854973d2310fd2c75
Opcode Fuzzy Hash: 4f341a3ea047f2e47aac815137a0d3e9ea9a77b20e2ac41d1504ef889c17a4ed
Instruction Fuzzy Hash: CC11B172500704AFE7318E19EC46BA7BBECEF04610F04896AED458A642D374E8488AB1

Function 05801A66 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,4FFD7EB5,00000000,00000000,00000000,00000000), ref: 05801AD8

Memory Dump Source

Source File: 00000001.00000002.4113616956.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5800000_server.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 028c369bb96480d5612409e43d9f501e45e1b5428e94597ed77c425fea1e748f
Instruction ID: 63337b3081fd26e1a93bb1ccde3814639da388e3d13ea6f2abff3a6da39fbaf2
Opcode Fuzzy Hash: 028c369bb96480d5612409e43d9f501e45e1b5428e94597ed77c425fea1e748f
Instruction Fuzzy Hash: 4111C072600704AFE721CE59CC48FA6B7E8EF04724F04856AED46CA691D774E808CAB1

Function 0157BAAE Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 0157BB16

Memory Dump Source

Source File: 00000001.00000002.4111385655.000000000157A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_157a000_server.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: e24096cbc1e0f4be6a822ee3db280c857edd2ce598870356a72e3f8ac3b0504d
Instruction ID: 1f1fd388c31d1047ff90b50a5afbbf7dd630157a889fa0c3739d8490659a0ab5
Opcode Fuzzy Hash: e24096cbc1e0f4be6a822ee3db280c857edd2ce598870356a72e3f8ac3b0504d
Instruction Fuzzy Hash: 3E1193B26043805FEB21CF29DC45B67BFE8EF45220F0884AAED49DB652D274E904CB71

Function 05802176 Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E24,4FFD7EB5,00000000,00000000,00000000,00000000), ref: 058021D5

Memory Dump Source

Source File: 00000001.00000002.4113616956.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5800000_server.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 88091fd41aa9e599c6d6efb1221cd86b09275451259a0592d1dc1f801b3722cf
Instruction ID: 77a12bc4706d3331afa4550ee4db46039717a6cee6b3b5cc2e21baf27da1c067
Opcode Fuzzy Hash: 88091fd41aa9e599c6d6efb1221cd86b09275451259a0592d1dc1f801b3722cf
Instruction Fuzzy Hash: E9110676500700AFE721CF58DC44FAAFBA8EF04314F04886AED06CB641D375A8088BB1

Function 0580334E Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E24,4FFD7EB5,00000000,00000000,00000000,00000000), ref: 058033A7

Memory Dump Source

Source File: 00000001.00000002.4113616956.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5800000_server.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: dacab87f11770d63ba16202f1ad40b1b86a074b6f57aecb73d5b850d87061bb5
Instruction ID: 9a4c339fcf04933405f236fa3c2ad910c578b9fd4a97fd79d573f327fcff1b64
Opcode Fuzzy Hash: dacab87f11770d63ba16202f1ad40b1b86a074b6f57aecb73d5b850d87061bb5
Instruction Fuzzy Hash: 2F1108715002049FE721CF19DD85FAABBA8EF04224F04886AED45CB681DB75A9088BB1

Function 0580326A Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E24,4FFD7EB5,00000000,00000000,00000000,00000000), ref: 058032C3

Memory Dump Source

Source File: 00000001.00000002.4113616956.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5800000_server.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: dacab87f11770d63ba16202f1ad40b1b86a074b6f57aecb73d5b850d87061bb5
Instruction ID: d86abbf04b3a28c001223b6b35baa39815ad4b6506e45138811681f250f37ddf
Opcode Fuzzy Hash: dacab87f11770d63ba16202f1ad40b1b86a074b6f57aecb73d5b850d87061bb5
Instruction Fuzzy Hash: 7511C871500304AFE721CF59DD85BAABBA8EF44314F04886AED05CB681D775A9088BB5

Function 0157A573 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0157A5DE

Memory Dump Source

Source File: 00000001.00000002.4111385655.000000000157A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_157a000_server.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 48b366a14f37df4aacc7b83f94545c3cd04c78a1881a4597469e379395ae665f
Instruction ID: 54e425a1d256fa2179602dd1726a3bf12ad7da59fd105c30d4cd1361c4d73a20
Opcode Fuzzy Hash: 48b366a14f37df4aacc7b83f94545c3cd04c78a1881a4597469e379395ae665f
Instruction Fuzzy Hash: CD117571409780AFDB228F55DC44A62FFF4EF4A210F08889AED858B552D275A918DB61

Function 058006E2 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E24,4FFD7EB5,00000000,00000000,00000000,00000000), ref: 05800738

Memory Dump Source

Source File: 00000001.00000002.4113616956.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5800000_server.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: b42252431533e39575ef71a8bda02e140308712bc9810c48a977fbc4b22b7480
Instruction ID: 1c888391816dcc6dc10a9ffac6a6f0941d879b966898d43dd9218a1bc1b22233
Opcode Fuzzy Hash: b42252431533e39575ef71a8bda02e140308712bc9810c48a977fbc4b22b7480
Instruction Fuzzy Hash: BE11E771600204AFE721CB19DD49FB6B79CDF44224F14846AED45CB682D779A9488AB1

Function 0580015A Relevance: 1.6, APIs: 1, Instructions: 61registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,4FFD7EB5,00000000,00000000,00000000,00000000), ref: 058001C4

Memory Dump Source

Source File: 00000001.00000002.4113616956.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5800000_server.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: cd3d8bd99faf5234698e9407a6c731b03811aa728f500e17003f9652dbad6224
Instruction ID: 0a08fb8fd10c8326229026671f8f7f33f8e5e45ded910f0e31f798c7dd0a585a
Opcode Fuzzy Hash: cd3d8bd99faf5234698e9407a6c731b03811aa728f500e17003f9652dbad6224
Instruction Fuzzy Hash: 3911D072500704AFE7319E19DC48FA6FBE8EF04224F04856AED468A691D375E9088AB1

Function 0157ADEE Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E24,4FFD7EB5,00000000,00000000,00000000,00000000), ref: 0157AE4D

Memory Dump Source

Source File: 00000001.00000002.4111385655.000000000157A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_157a000_server.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 00d576b1dee91937e1dee35e0405a0bc25b85ab4f7ea385b50ea72a76c8779f4
Instruction ID: 23d335ad1c9fcf21d3e830fc355f3dc73b72abab88d15c7af001dc6b5439352e
Opcode Fuzzy Hash: 00d576b1dee91937e1dee35e0405a0bc25b85ab4f7ea385b50ea72a76c8779f4
Instruction Fuzzy Hash: 7211B272500700AFEB21CF59ED45BAAFBE8EF44314F08886AED458F651D375A5088BB1

Function 058030BA Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E24,4FFD7EB5,00000000,00000000,00000000,00000000), ref: 05803113

Memory Dump Source

Source File: 00000001.00000002.4113616956.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5800000_server.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 22c10e9b80a24556a2c1fb4592b56514a072e70c9fa17973679a7b40ce985327
Instruction ID: 88d697f9e2fbf7ec0442795710547aade6d86e375a1d68515e7f0a8ab66472b4
Opcode Fuzzy Hash: 22c10e9b80a24556a2c1fb4592b56514a072e70c9fa17973679a7b40ce985327
Instruction Fuzzy Hash: 7E11E372500204AFE721DF58DD44FA6FBA8EF48324F04886AEE05DB681D775A9088AB1

Function 05801FA6 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

shutdown.WS2_32(?,00000E24,4FFD7EB5,00000000,00000000,00000000,00000000), ref: 05801FFC

Memory Dump Source

Source File: 00000001.00000002.4113616956.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5800000_server.jbxd

Similarity

API ID: shutdown
String ID:
API String ID: 2510479042-0
Opcode ID: 471a2398ee3e0bd71b2eeacef07a90d51faf0340fcd24bf389109639ce2c0775
Instruction ID: e44b40df3dcd8610f6672d5ebda2faeb41e9b8f98ceb86ce3325321c33da4bb7
Opcode Fuzzy Hash: 471a2398ee3e0bd71b2eeacef07a90d51faf0340fcd24bf389109639ce2c0775
Instruction Fuzzy Hash: 2C110671500304AFE721CF19DD49FA7BBACEF44324F048866ED06CB681D379A908CAB1

Function 058026EE Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E24), ref: 05802757

Memory Dump Source

Source File: 00000001.00000002.4113616956.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5800000_server.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5c0ccec39f7cdb043bbd57f315bdc0db076b7631007349d24ca374077aea64c2
Instruction ID: 52bd042d2f76265094605901264f33083c8a19f193cee86c790624c3d257bd18
Opcode Fuzzy Hash: 5c0ccec39f7cdb043bbd57f315bdc0db076b7631007349d24ca374077aea64c2
Instruction Fuzzy Hash: EF11E575500204AEE720DB19DD89FB6FBA8DF04724F148469ED058A781D3B9A948CAA1

Function 05803196 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

select.WS2_32(?,?,?,?,?), ref: 058031EC

Memory Dump Source

Source File: 00000001.00000002.4113616956.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5800000_server.jbxd

Similarity

API ID: select
String ID:
API String ID: 1274211008-0
Opcode ID: 291258cb7da2cfd63bf33e09a8cdee1d97272938febd50be5d52d8f3082be43d
Instruction ID: 117fcb72ddf36ed7998cc615f563cc60e68335892511f914c5b4af400a21ec4e
Opcode Fuzzy Hash: 291258cb7da2cfd63bf33e09a8cdee1d97272938febd50be5d52d8f3082be43d
Instruction Fuzzy Hash: FF116D716042049FDB60CF19DC84B66FBE8EF08210F0888AAED49CB696D735E948CB61

Function 0157B746 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 0157B78E

Memory Dump Source

Source File: 00000001.00000002.4111385655.000000000157A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_157a000_server.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 94e0d933f76090302ed3b244dff3718ab45d94a9c4be65943588d19e700be0d5
Instruction ID: 4c37bea43717bd1c85edc76bbd065e0038a4acb359b15c26490bdd835719c5d2
Opcode Fuzzy Hash: 94e0d933f76090302ed3b244dff3718ab45d94a9c4be65943588d19e700be0d5
Instruction Fuzzy Hash: C0118272A002009FEB60CF29E886756FBE8EF04210F0C846ADD45CF646D235E404CB61

Function 0157BACE Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 0157BB16

Memory Dump Source

Source File: 00000001.00000002.4111385655.000000000157A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_157a000_server.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 94e0d933f76090302ed3b244dff3718ab45d94a9c4be65943588d19e700be0d5
Instruction ID: 8ecb114aab582adf582f95a04d8c79a89b719f66126bde27c61add5191d51713
Opcode Fuzzy Hash: 94e0d933f76090302ed3b244dff3718ab45d94a9c4be65943588d19e700be0d5
Instruction Fuzzy Hash: B91165726006448FEB20DF29E886766FBE8FF44210F08C86ADD49CF746D675E944CA71

Function 0157BEE4 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 0157BF38

Memory Dump Source

Source File: 00000001.00000002.4111385655.000000000157A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_157a000_server.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: c47cb3c77f3878e3611af5344a2718e713c8c6c7339da71a650192eff9b07714
Instruction ID: 9e5daf5d8ba5a9440c1e2800070360449814cee2700fd0ef785d25460795c617
Opcode Fuzzy Hash: c47cb3c77f3878e3611af5344a2718e713c8c6c7339da71a650192eff9b07714
Instruction Fuzzy Hash: 6B11C2715097809FDB128F25DC85B52BFB4DF06620F0880DAED858F263D275A808CB62

Function 0157AC6A Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,4FFD7EB5,00000000,00000000,00000000,00000000), ref: 0157ACBD

Memory Dump Source

Source File: 00000001.00000002.4111385655.000000000157A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_157a000_server.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: b34d8039cbc776bd97a38a6afdc6a017b81ca3dd844d8175c62a169ff9fed85a
Instruction ID: e74284643bbaeab0e0b842ae8b6b98cefcdb5ebceba51513a594337d772d2605
Opcode Fuzzy Hash: b34d8039cbc776bd97a38a6afdc6a017b81ca3dd844d8175c62a169ff9fed85a
Instruction Fuzzy Hash: 66010871500200AFE7218B19DD45BAAB7DCEF04224F08C466FD054F741D374A8488AB1

Function 0157B67C Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

WaitForInputIdle.USER32(?,?), ref: 0157B6D3

Memory Dump Source

Source File: 00000001.00000002.4111385655.000000000157A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_157a000_server.jbxd

Similarity

API ID: IdleInputWait
String ID:
API String ID: 2200289081-0
Opcode ID: b1c9fee6b3b79635628121521f028eda153cfbaa12a325303320324a9b007f5a
Instruction ID: 170be0a53f3ad88ea16155ac2963faa3d6795c1f350f1a44eb26037a12d7707b
Opcode Fuzzy Hash: b1c9fee6b3b79635628121521f028eda153cfbaa12a325303320324a9b007f5a
Instruction Fuzzy Hash: 3E11A3714083809FDB11CF15DD45B56FFE4EF46320F09849AED458F262D279A804CB71

Function 0580088A Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,4FFD7EB5,00000000,?,?,?,?,?,?,?,?,6C823C58), ref: 058008CA

Memory Dump Source

Source File: 00000001.00000002.4113616956.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5800000_server.jbxd

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 26b7f37473c23e2e3a077774a92a9c8cfd7a83a64c06693347f296e8e2640766
Instruction ID: 51c93d5f581b5464bf25a88a2377bea919cb04e304d1a3dce2cb01a810e8bb8f
Opcode Fuzzy Hash: 26b7f37473c23e2e3a077774a92a9c8cfd7a83a64c06693347f296e8e2640766
Instruction Fuzzy Hash: 961152716046448FEB60CF65DC49B66FBE4EF44210F08846ADD45CB691D775D844CAA1

Function 05802442 Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 0580248E

Memory Dump Source

Source File: 00000001.00000002.4113616956.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5800000_server.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 2b8fc46a8868e06428056e0c7b455a401c89379e58c2eee954838bd443808e1e
Instruction ID: 6b6bb5af7049649f598dc37b9e0cb57fa255d11a5afb2cff10886b64d6f667db
Opcode Fuzzy Hash: 2b8fc46a8868e06428056e0c7b455a401c89379e58c2eee954838bd443808e1e
Instruction Fuzzy Hash: 10115E36500A049FDBA0CF55D848B66FBE4EF08210F0888AADD4A8B655D375E858CBB1

Function 0157B982 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 0157B9BF

Memory Dump Source

Source File: 00000001.00000002.4111385655.000000000157A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_157a000_server.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 847f0a51e65c43103e83abf39a28fdf1a1fa1f39efe496572867254dd2990dbb
Instruction ID: 9ca1f315c4aee771bb4e5ce2855b578da1da8c4cbded56fcfb574f8d41a78c3d
Opcode Fuzzy Hash: 847f0a51e65c43103e83abf39a28fdf1a1fa1f39efe496572867254dd2990dbb
Instruction Fuzzy Hash: D301B9716006409FEB10CF2AE885766FBE4EF04220F08C4AADD45CF752D375D444CB61

Function 0157B8CE Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 0157B908

Memory Dump Source

Source File: 00000001.00000002.4111385655.000000000157A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_157a000_server.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 903d95a914469f7205a67ed1235d15fb43d72023bc1ac75b8551b33a4dccee85
Instruction ID: d305a2d2a4543c9205be00f768729770500ba6626525f5a67268c2e61900e6ae
Opcode Fuzzy Hash: 903d95a914469f7205a67ed1235d15fb43d72023bc1ac75b8551b33a4dccee85
Instruction Fuzzy Hash: 7501B572A002408FEB10CF29E886766FBD8EF04220F18C4AADD45CF742D779D844CAA2

Function 0157A59A Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0157A5DE

Memory Dump Source

Source File: 00000001.00000002.4111385655.000000000157A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_157a000_server.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c92d9db3d07b5834198f1f0e8a285fa65fad347fe1f11635fb66de0aa58bc15a
Instruction ID: eee6df33c2b15edd5549a84f71b041733e08d3f1d125ad5a06ec14a5210da72b
Opcode Fuzzy Hash: c92d9db3d07b5834198f1f0e8a285fa65fad347fe1f11635fb66de0aa58bc15a
Instruction Fuzzy Hash: 54018E728006009FDB218F55D945B56FFE0EF48210F0888AADE464B612C336A414DFA2

Function 0157A72E Relevance: 1.5, APIs: 1, Instructions: 43comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?,00000E24,?,?), ref: 0157A77E

Memory Dump Source

Source File: 00000001.00000002.4111385655.000000000157A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_157a000_server.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 390cdc8c339132681a0f962af9fd760a56f703e0bf4ccf1d42b4f5281ba917bd
Instruction ID: e1959b3fa25bb459c395c92108899b81bff3c11a0316791e4dc3abe352850ba3
Opcode Fuzzy Hash: 390cdc8c339132681a0f962af9fd760a56f703e0bf4ccf1d42b4f5281ba917bd
Instruction Fuzzy Hash: 8301A271500600ABD250DF1ADD86B66FBE8FB88A20F148159EC089BB41D735F915CBE6

Function 0580168A Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 058016DA

Memory Dump Source

Source File: 00000001.00000002.4113616956.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5800000_server.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: c9aae37c34e80f790a8ce13038b5708399a2076b93900d6221212572ea6a5fc1
Instruction ID: e4414635f71fe28e6d86c4308da6f93f7db1df9d2a11f05aade409a4f4816ab3
Opcode Fuzzy Hash: c9aae37c34e80f790a8ce13038b5708399a2076b93900d6221212572ea6a5fc1
Instruction Fuzzy Hash: 9101A271500600ABD250DF1ADD86F66FBE8FB88A20F14811AEC089BB41D771F915CBE6

Function 0157A186 Relevance: 1.5, APIs: 1, Instructions: 42networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,?), ref: 0157A1C1

Memory Dump Source

Source File: 00000001.00000002.4111385655.000000000157A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_157a000_server.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: bce66d7e09fbd561f43b7bc1200863efc4292b2a5de48002d105d332e38bbef9
Instruction ID: fa3d5c5700e2a69dbaf0f49ec3693966d74c5e3e97fd7ada01f02a268d1cdcce
Opcode Fuzzy Hash: bce66d7e09fbd561f43b7bc1200863efc4292b2a5de48002d105d332e38bbef9
Instruction Fuzzy Hash: F50192729046409FEB20CF59E945B56FBE4FF44320F08C8AADD454F612D375A448CBA1

Function 0157B69E Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

WaitForInputIdle.USER32(?,?), ref: 0157B6D3

Memory Dump Source

Source File: 00000001.00000002.4111385655.000000000157A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_157a000_server.jbxd

Similarity

API ID: IdleInputWait
String ID:
API String ID: 2200289081-0
Opcode ID: dbbe38c807b6ec89c6fbb9a798cea4cf15d0d1b178924255457460dc3903732f
Instruction ID: aa4f71d300531338f8506bd3fefa43aab03d02b9505881c860fa8ce0dcaba76a
Opcode Fuzzy Hash: dbbe38c807b6ec89c6fbb9a798cea4cf15d0d1b178924255457460dc3903732f
Instruction Fuzzy Hash: E30184719046409FEB10DF19E945765FBE4EF44220F08C8AADD458F656D379A444CBB1

Function 0157BF06 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 0157BF38

Memory Dump Source

Source File: 00000001.00000002.4111385655.000000000157A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_157a000_server.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 941984f04962b943e7687748e5f0ca4f72600176b914a6686e1a58ce7537a727
Instruction ID: 50e6d0a45f827538b6cdedd02e3843515ce40558f2c319d1885624d102a57108
Opcode Fuzzy Hash: 941984f04962b943e7687748e5f0ca4f72600176b914a6686e1a58ce7537a727
Instruction Fuzzy Hash: 2501A9755006448FDB109F19E986765FBE4EF04624F08C4AADD468F752D37AE848CEA2

Function 0569690A Relevance: 1.5, Strings: 1, Instructions: 287COMMON

Download Yara Rule

Strings

\Ok, xrefs: 05696AF9

Memory Dump Source

Source File: 00000001.00000002.4113496277.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5690000_server.jbxd

Similarity

API ID:
String ID: \Ok
API String ID: 0-3677890257
Opcode ID: 810f62594c6c6980843750a7e9a5dc08d8ec3369b07bfac603c3fcc7c950ae87
Instruction ID: 69f9f2de3cfa16f50bb30e82b6fbc7f44ff491c6ea4bd1589f35c77f82e404d3
Opcode Fuzzy Hash: 810f62594c6c6980843750a7e9a5dc08d8ec3369b07bfac603c3fcc7c950ae87
Instruction Fuzzy Hash: 41D1F874A01228CFDB29DB74D994BADB7B6FB49304F1041EAD509AB394DB399E81CF40

Function 0157AA12 Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0157AA44

Memory Dump Source

Source File: 00000001.00000002.4111385655.000000000157A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_157a000_server.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 1323d2367fa54d8062f5eecda1b62453d6be8cde511b54a2fe7df3b2ccb5a2f0
Instruction ID: d474f467361a92852b3aa874b6091498ca4db4789282a1da7626de6f1342efb6
Opcode Fuzzy Hash: 1323d2367fa54d8062f5eecda1b62453d6be8cde511b54a2fe7df3b2ccb5a2f0
Instruction Fuzzy Hash: 16F0F431800640CFDB209F19E989769FBE0EF44220F0CC4AADD050F752D3B9A848CFA2

Function 05696A6B Relevance: 1.5, Strings: 1, Instructions: 231COMMON

Download Yara Rule

Strings

\Ok, xrefs: 05696AF9

Memory Dump Source

Source File: 00000001.00000002.4113496277.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5690000_server.jbxd

Similarity

API ID:
String ID: \Ok
API String ID: 0-3677890257
Opcode ID: ccc8c1a39d546b8c5d2632d114858b0ffae11b1e0bf808e7674d6cfb1b7ddd7c
Instruction ID: 56a79902b0cd77a4b6717d9e30b3924b7626626459373d6f147b878f351e5210
Opcode Fuzzy Hash: ccc8c1a39d546b8c5d2632d114858b0ffae11b1e0bf808e7674d6cfb1b7ddd7c
Instruction Fuzzy Hash: 7CB11A70A01228CFDB29DB74D9957ADB7B6FB89304F5041AAD509AB390DF399E81CF40

Function 05693B18 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

2k, xrefs: 05693C2E

Memory Dump Source

Source File: 00000001.00000002.4113496277.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5690000_server.jbxd

Similarity

API ID:
String ID: 2k
API String ID: 0-1599061190
Opcode ID: a1385a5bc71640dfedae328f875f6089df498a1c405353a4e838aa537f23723d
Instruction ID: a62b0dc2ac2488ad888d3a1d710cf35194c863e9aac86bf22e3b79f52720b88b
Opcode Fuzzy Hash: a1385a5bc71640dfedae328f875f6089df498a1c405353a4e838aa537f23723d
Instruction Fuzzy Hash: B0413A30A00218CFDB28DBB5C955BECB7B2BF45308F5045A9D009AB794DB794E85CF61

Function 0157AB7C Relevance: 1.3, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0157ABF0

Memory Dump Source

Source File: 00000001.00000002.4111385655.000000000157A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_157a000_server.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: a7b949fc32122ed5a08b03ac2829f2f0cece103c066fe685a6ae1db57f501715
Instruction ID: 1a0dd5e727d48b89020db277a4e355d1c223dc0ed1f9dac5dabda6a3ab7b77a1
Opcode Fuzzy Hash: a7b949fc32122ed5a08b03ac2829f2f0cece103c066fe685a6ae1db57f501715
Instruction Fuzzy Hash: B421F6715097809FD7028F29EC95752BFA8EF06220F0D84DAED858F2A3D2345908CB61

Function 0157BCE4 Relevance: 1.3, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0157BD50

Memory Dump Source

Source File: 00000001.00000002.4111385655.000000000157A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_157a000_server.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 77b41bb19fcce0b82e5e0077fc87aa9ab8fe8a369693506ef35932c45765b5b3
Instruction ID: 6c5e3a909cb474ea16066d2d96194c15ced87ed1fecd592688b9eca5570c72a1
Opcode Fuzzy Hash: 77b41bb19fcce0b82e5e0077fc87aa9ab8fe8a369693506ef35932c45765b5b3
Instruction Fuzzy Hash: EF21DE725097C05FDB028B25DC95B92BFB4AF07220F0984DAE8858F663D234A908CB62

Function 0157A61E Relevance: 1.3, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0157A690

Memory Dump Source

Source File: 00000001.00000002.4111385655.000000000157A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_157a000_server.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: ce36ee73801b5f8e277575bc882a330f9827a581deb5d1e3a2d5e9bfe94123a7
Instruction ID: 5fd39961ba605f9055ec46637f9802b2b39580c2f83b36bdea18faf49e867986
Opcode Fuzzy Hash: ce36ee73801b5f8e277575bc882a330f9827a581deb5d1e3a2d5e9bfe94123a7
Instruction Fuzzy Hash: 1721587180D3C05FDB138B259C95656BFB4EF47220F0D84DBD9848F2A3D269A908CBB2

Function 0157BD1E Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0157BD50

Memory Dump Source

Source File: 00000001.00000002.4111385655.000000000157A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_157a000_server.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 8bb8d90c0e6b7181b01b9a0d8931fbcc96e51f1d1131b0e7eef42cfa663de0b2
Instruction ID: 64b9ea8d9300ad1cfc7843f14e99e33a7823b4bbbcce4ca8645a6fb3a47a375d
Opcode Fuzzy Hash: 8bb8d90c0e6b7181b01b9a0d8931fbcc96e51f1d1131b0e7eef42cfa663de0b2
Instruction Fuzzy Hash: 8001A7719006408FDB10DF19E98A756FBE4EF44220F08C4BADD4A8F756D275E848CBB2

Function 0157ABBE Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0157ABF0

Memory Dump Source

Source File: 00000001.00000002.4111385655.000000000157A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_157a000_server.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 01dc6a37c4502beab1906c4fcd225d759812c8e6bf53259a1e45a858b4c3b47f
Instruction ID: cd2d1a4ae8eea634557fe29e9fe086c696bc6364bd3094dd5c6996e0eafc7e00
Opcode Fuzzy Hash: 01dc6a37c4502beab1906c4fcd225d759812c8e6bf53259a1e45a858b4c3b47f
Instruction Fuzzy Hash: 470184719046449FEB108F19E98576AFBE8EF44220F0CC8AAED498F656D279D844CAA1

Function 0157A65E Relevance: 1.3, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0157A690

Memory Dump Source

Source File: 00000001.00000002.4111385655.000000000157A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_157a000_server.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: b662de58bf54dfa19aa25d8bcfd619cf8bd36fb90cfb1998629f88ca0ecaac2c
Instruction ID: 3e705d856d48c8601de36db6c297040f62985994d65c58774a6e6d5fca79aa49
Opcode Fuzzy Hash: b662de58bf54dfa19aa25d8bcfd619cf8bd36fb90cfb1998629f88ca0ecaac2c
Instruction Fuzzy Hash: 4E01D6719002408FEB10CF19E98976AFBE4EF44220F0CC8AADD498F756D379E444CEA2

Function 05698408 Relevance: 1.2, Instructions: 1245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4113496277.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5690000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d07c2d216c93ec7e3272ec327ab57a1de8a32e144f1141a8b5d3a0cdbfaca346
Instruction ID: b4501641ae241376302bbe32e88b51b89642f2d94cb3340ffbe97bba7b31e46f
Opcode Fuzzy Hash: d07c2d216c93ec7e3272ec327ab57a1de8a32e144f1141a8b5d3a0cdbfaca346
Instruction Fuzzy Hash: C2C26C34B00165DFEF258B29E9107A97BF6FB4D704F0044AB984997B84CB389DA5EF60

Function 056984ED Relevance: 1.1, Instructions: 1075COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4113496277.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5690000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 035004433490fadbd8c3216474ad00cfdd851059d18dbab0854a6377b5b606dc
Instruction ID: 3470103e8410ab7e7b7384219d83ada3a359e58487f039de8f2616869975134f
Opcode Fuzzy Hash: 035004433490fadbd8c3216474ad00cfdd851059d18dbab0854a6377b5b606dc
Instruction Fuzzy Hash: 2C929234704160DBEF258B29D9107AD7BABFB4D714F00446B9889A7B84CF3C9DA5EB60

Function 05699A30 Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4113496277.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5690000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cce873c064338ac1fa396a73ffda6a7fb6108a9a309dd00306675b16db4aef62
Instruction ID: d1e8c026667367643b436e0ffed7aaa0ef85d2b404582ae089ce40eae1555c2e
Opcode Fuzzy Hash: cce873c064338ac1fa396a73ffda6a7fb6108a9a309dd00306675b16db4aef62
Instruction Fuzzy Hash: 6FD14C30B00215EFDB09DFB5E45156E77B6FF88248B608529E816A73A4DF3E9C52CB90

Function 05699A21 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4113496277.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5690000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20922a32322d570a3b8b359d0c90b7ecee12b25f6f87440c335eecc855e8000a
Instruction ID: ac223753e269b5c181517043d359cad89433192e18d1aefd0c5dbcc9ea73f88e
Opcode Fuzzy Hash: 20922a32322d570a3b8b359d0c90b7ecee12b25f6f87440c335eecc855e8000a
Instruction Fuzzy Hash: 58A13C34B00215DFDB19DBB4E45166E77B6FF98348B60802EE816973A4DF3A9C62CB50

Function 05699B35 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4113496277.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5690000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 770bb62f7af0d347d00c0add87d03b3d824cfff8ddd2c71c8c3c2b07c34e8fcd
Instruction ID: 38bcc6df762908a4ca048bee19dd3bc550ccba399c00345e8ea8c24070d060ad
Opcode Fuzzy Hash: 770bb62f7af0d347d00c0add87d03b3d824cfff8ddd2c71c8c3c2b07c34e8fcd
Instruction Fuzzy Hash: CF913B34B00215DFDB19DBB4E45156E73B6FF98248B60842EE816973A4DF3E9C62CB90

Function 05699BE3 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4113496277.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5690000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2ff15cfe208f8377e7578771e06770d317d78a2438225d1a6666abd042e315a
Instruction ID: 54732a4bee876eb2502a122855969dba1e856f7e8938ec8d78bff718f802aa47
Opcode Fuzzy Hash: e2ff15cfe208f8377e7578771e06770d317d78a2438225d1a6666abd042e315a
Instruction Fuzzy Hash: 35813A34B00214DFDB19DB74E45166E73B6FF98248B60852EE816973A4DF3E9C62CB90

Function 05696B55 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4113496277.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5690000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c766afc4cf260a58b413b19ba4af806b47f98e2eb2715bee7d23d4140860e0b
Instruction ID: 63f7af05b1854787297bfeede3491b4351c4e86aaa816f06d93a8b4b91ba1670
Opcode Fuzzy Hash: 5c766afc4cf260a58b413b19ba4af806b47f98e2eb2715bee7d23d4140860e0b
Instruction Fuzzy Hash: 89913F70A00224CFDB29DB74D9957ADB7B6EF89308F5041A995096B390DF399E82CF50

Function 05699C65 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4113496277.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5690000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24a786dd61b9c09dbd2a311fb8ec2278f1a96199fa9500f35d03a6f38c923a44
Instruction ID: 275efb3b7824bdb36d3bcacf705844746fed72235de34e025825a918c99a2b93
Opcode Fuzzy Hash: 24a786dd61b9c09dbd2a311fb8ec2278f1a96199fa9500f35d03a6f38c923a44
Instruction Fuzzy Hash: 70714B34B00214DFDB199B74E45166E73B6FF98318B60852EE806977A4DF3E9C62CB90

Function 05696C46 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4113496277.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5690000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3519d57859d80c94e1aa0187763b12c86f822d3477972c70394fd139670e8bef
Instruction ID: 9918870dc7173b56415ee6dec8e5ea21d36bfc0baf139a0066f9fa48c4f2f02a
Opcode Fuzzy Hash: 3519d57859d80c94e1aa0187763b12c86f822d3477972c70394fd139670e8bef
Instruction Fuzzy Hash: 8C613E70A40228CFDB29DB74D895BADB7B6FF85308F1041AA95096B390DF399D86CF50

Function 05699D55 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4113496277.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5690000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40548d18ecce47bd19dd071ab395ce3f399b953480ee46cd97dc2db75fb28f6b
Instruction ID: 25e7115ebca4ca761d220c4b3fab26186f1553b0937a058c1d842518a373ea67
Opcode Fuzzy Hash: 40548d18ecce47bd19dd071ab395ce3f399b953480ee46cd97dc2db75fb28f6b
Instruction Fuzzy Hash: EB515D34B00115DFDB189BB8E45166E73A6EF88218F20852EE816977A4DF3D9C21CB90

Function 0569A330 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4113496277.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5690000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c111acbd23bed58df927add87721ae9921e49cb7a25d5705097769f6fadf11e0
Instruction ID: c4e9f156dcee9019d0a4893e0cc1e9421fac92c2a2ce73a265b5a7d32a30e47b
Opcode Fuzzy Hash: c111acbd23bed58df927add87721ae9921e49cb7a25d5705097769f6fadf11e0
Instruction Fuzzy Hash: EA31A070B002059FDF18CBB9D958BAEBBE6BF88614F248129E405EB790DF749C05CB90

Function 01A908CB Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4112667707.0000000001A90000.00000040.00000020.00020000.00000000.sdmp, Offset: 01A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1a90000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02819752b450b9f18a2decb1606c034ac5b01139cfc144153c9dc6b8081c18c6
Instruction ID: 71ba72006e59f0f3eb8a97d0dc854b82484f3380d3f4ccc6ad28fba1765fc509
Opcode Fuzzy Hash: 02819752b450b9f18a2decb1606c034ac5b01139cfc144153c9dc6b8081c18c6
Instruction Fuzzy Hash: 0E214F3510D7C08FDB13CB20D950B55BFB5AF47218F1986DED8858B6A3C33A9946CBA2

Function 06922500 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4114903928.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6920000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf768790c77ec2860d3984a3f2d87a72e06b6bf5101c09e72b1df1ed39b0a5f
Instruction ID: bc6539142b6a28dc942a86bd658259574ac3ce1d8b1aa78954410b545f71033f
Opcode Fuzzy Hash: 0cf768790c77ec2860d3984a3f2d87a72e06b6bf5101c09e72b1df1ed39b0a5f
Instruction Fuzzy Hash: 1E11EAB5908301AFC350CF19D840A5BFBE4FB88664F04896EF898D7311D235E9048FA2

Function 05697350 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4113496277.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5690000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6967fcac8f3184bc49823e9296e4d804ad40fc23b0e2dd00a215cd83e457c41e
Instruction ID: a3749d8cbb5e328331f18305ec0ebade44ecc505a3d339fc67abc5949f00b5f7
Opcode Fuzzy Hash: 6967fcac8f3184bc49823e9296e4d804ad40fc23b0e2dd00a215cd83e457c41e
Instruction Fuzzy Hash: 6D11C03422A3818FC7262738A8140A93BB6DFC322571405FFD485DF3A2CB2E4C4AC362

Function 01A90904 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4112667707.0000000001A90000.00000040.00000020.00020000.00000000.sdmp, Offset: 01A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1a90000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a1720567fd7345a35872b4d22e221bb4d6648b473d18e3303402238b09c2888
Instruction ID: a4cc11cd4a2c2aa7d41d98e9d40dcfde12d147d00417cb1b6f06999aba3ddfc6
Opcode Fuzzy Hash: 0a1720567fd7345a35872b4d22e221bb4d6648b473d18e3303402238b09c2888
Instruction Fuzzy Hash: 3911DA31204244DFEB15CB14D640B16F7E9AB89708F28C9ACF9499B753C77BD883C651

Function 0569A051 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4113496277.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5690000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43da8c9dae8ac2d6e2a6acf9cc3e41ba6e0a2e9d14153f4ecb9309a8ccc60213
Instruction ID: f44f2bde4e3036d2856b39f48e5b24dfc461fd1455d917453bfa75bc34f02a1a
Opcode Fuzzy Hash: 43da8c9dae8ac2d6e2a6acf9cc3e41ba6e0a2e9d14153f4ecb9309a8ccc60213
Instruction Fuzzy Hash: B4115A31B002558FCB55DBBC98115AEBBF6EB8A25872045BEC405E7350DB3A4D12CBA0

Function 0158B698 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111469242.000000000158A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_158a000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecc6bcd9f94649e71e03c98c0b0b9000da0011d7860f62e456fc96f6a6459696
Instruction ID: 04efaa38f0b6b6600bc0f714766e63922a0b165757ac5560ff575adc0a81f94d
Opcode Fuzzy Hash: ecc6bcd9f94649e71e03c98c0b0b9000da0011d7860f62e456fc96f6a6459696
Instruction Fuzzy Hash: 6B11FAB5908301AFD350CF19DC45E5BFBE8EB88660F04892EF95997311D375E9088FA2

Function 069223A4 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4114903928.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6920000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07be26a2e79b4e578750eb9084ea2d74dc760eab4c0aeb1cf67a778accf0d2c8
Instruction ID: 0b27681485eaa4a0effee754fdb0c729b149ed0f7a34e789249f631695b24806
Opcode Fuzzy Hash: 07be26a2e79b4e578750eb9084ea2d74dc760eab4c0aeb1cf67a778accf0d2c8
Instruction Fuzzy Hash: 9B11FAB5908301AFD350CF19DC85E5BFBE8EB88660F04882EF95997311D235E9088FA2

Function 05693C66 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4113496277.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5690000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baa3a6237bf9552beffd1a8938950530d05111c0407ef3730934352d4aa3f60a
Instruction ID: 543a3837eac66230db5a36538a5b044354575c37d3ae388e4d9955e0793f95c3
Opcode Fuzzy Hash: baa3a6237bf9552beffd1a8938950530d05111c0407ef3730934352d4aa3f60a
Instruction Fuzzy Hash: 91113D74E01118CFEF28DBB9C8947ECB7B1BF48204F50456AC41AAB380C7744945CF61

Function 01A905E0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4112667707.0000000001A90000.00000040.00000020.00020000.00000000.sdmp, Offset: 01A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1a90000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 461010e1789382c359a8340c923079a78ea4f14d9f7f53c7284846ec1582ffbb
Instruction ID: a538830840624c9e3902305f4240e7199c7d13ad6342a51909724e4429aa0b96
Opcode Fuzzy Hash: 461010e1789382c359a8340c923079a78ea4f14d9f7f53c7284846ec1582ffbb
Instruction Fuzzy Hash: 4DF0F9B64087806FC7118B15AC40863FFB8EB86230709C4AFEC498B712D235B808C7B1

Function 056901E1 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4113496277.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5690000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00080807a8786d4ce192dc5cd6d0446fa1b034edc2b7d19ed5449438be68209a
Instruction ID: 1457aaad1b9f7e0ef8d7f1aed66ac721f71a41ea94378660aa39209d22749896
Opcode Fuzzy Hash: 00080807a8786d4ce192dc5cd6d0446fa1b034edc2b7d19ed5449438be68209a
Instruction Fuzzy Hash: 20015B34616202CFC714EB28E55CAAC77E2FF84219F408C6CA4568B719EB799C489B92

Function 05690006 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4113496277.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5690000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2226ddf3b263793070b53b66db11080c432169d30863de190cfa5d01ec4015a2
Instruction ID: eacc2a6cea21294be07aba72600dfd9fbb1bada6ebc4120a50665f14fbb50ab1
Opcode Fuzzy Hash: 2226ddf3b263793070b53b66db11080c432169d30863de190cfa5d01ec4015a2
Instruction Fuzzy Hash: 9D011E7144A3829FE313C720E859B817FA8BB52718F4A86DBC040CF5A7D3AC9949D762

Function 01A909C0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4112667707.0000000001A90000.00000040.00000020.00020000.00000000.sdmp, Offset: 01A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1a90000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c438a27276e0968fcdc2a499c6d87a0b64f2769294ce5e65665db8adb6b8d55a
Instruction ID: 79eb8b3c1d3fe0e19283268be3316530923c2563ae4b47afb5ddf81fff41806e
Opcode Fuzzy Hash: c438a27276e0968fcdc2a499c6d87a0b64f2769294ce5e65665db8adb6b8d55a
Instruction Fuzzy Hash: 83F0FB35104644DFC706CB04D680B15FBE6EB89718F24CAA9E9494B752C737A852DA81

Function 01A90606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4112667707.0000000001A90000.00000040.00000020.00020000.00000000.sdmp, Offset: 01A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1a90000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2ee505fb1eb58ae09fa070e268befbee4a8f2a02bf9a4f0757193406ab346ea
Instruction ID: 07bd356d40a40cb143ee4e5eb15ae5c9e34adf2e98dbac37074afc1415526b0b
Opcode Fuzzy Hash: c2ee505fb1eb58ae09fa070e268befbee4a8f2a02bf9a4f0757193406ab346ea
Instruction Fuzzy Hash: 14E092B6A006004BD650CF0AFC41452F7D8EB84630708C47FDC0D8BB01E239B908CAE5

Function 0158B6E7 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111469242.000000000158A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_158a000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 671f7eea791a1eeb3a37049e884418e38741aa5da7f8e8d0ecffd943de3ab684
Instruction ID: df5c2f4d374b7e2d62074ebb56efc7995c0f22e71cf1a4c790df71c95df4febc
Opcode Fuzzy Hash: 671f7eea791a1eeb3a37049e884418e38741aa5da7f8e8d0ecffd943de3ab684
Instruction Fuzzy Hash: 38E0D8B294020467D3108F0A9C46F53FB98DB50A31F08C567ED095B701E276B9048AF1

Function 069223F3 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4114903928.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6920000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 894e3753979ff009621a630bdd5add6febecc227336e1c4e0e1d3c95c980bedd
Instruction ID: 95b873dd6dabca8340a5bcedcd9f8f0f734df0c664afcde69a250dc8aa16a51a
Opcode Fuzzy Hash: 894e3753979ff009621a630bdd5add6febecc227336e1c4e0e1d3c95c980bedd
Instruction Fuzzy Hash: 51E0D8B290020467D2509E0A9C46F53FBD8DB40A30F08C467ED091B702E176B90489F1

Function 06921E17 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4114903928.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6920000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01946c29bdf914ff7ff657c36bd96b1b5cb8d216fe4fd413a7c8c76ebc0d1d5b
Instruction ID: fefcd8a671c5aed0e4d9f10b44dffb363ede4196d9634763379e762b4c0f85a6
Opcode Fuzzy Hash: 01946c29bdf914ff7ff657c36bd96b1b5cb8d216fe4fd413a7c8c76ebc0d1d5b
Instruction Fuzzy Hash: DCE0D8B290020067D2109E0A9C4AF53FBD8DB80A30F08C467ED091B701E176B914C9F1

Function 0692256B Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4114903928.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6920000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d110968dcc53e65ab9ce69b66ed0d3866cabeef084d8d06b7e87d41be1ac475c
Instruction ID: d02dbfab11faa8f51389c00ac168e6f631f1837c8107cba41b96748c5173e7b8
Opcode Fuzzy Hash: d110968dcc53e65ab9ce69b66ed0d3866cabeef084d8d06b7e87d41be1ac475c
Instruction Fuzzy Hash: 07E0D8B294020067D3108E0A9C46F53FBD8DB94A31F08C46BFD091B741E176B91489F1

Function 05694200 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4113496277.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5690000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e95184359733b94c19e146f539ca49a193ac8806c2defc62342ab940675f0793
Instruction ID: 79e0dca96407bdc5e2e5df696e429978ce32bed6382a12a985b9a70e131aa641
Opcode Fuzzy Hash: e95184359733b94c19e146f539ca49a193ac8806c2defc62342ab940675f0793
Instruction Fuzzy Hash: 10E08630A5A384DFC745CF7899114DC7FB4AB5221871101EBD445DF262D6350E49DB12

Function 0569A2EF Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4113496277.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5690000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c199cab2177ee6df3d542525e4b2680d52f6c5ebcba18117cd9acc09430bf6d
Instruction ID: 78a6740bc46597cfab92e5b30a7da39219bdcfa1973408dbceb204ed6dbe2dfa
Opcode Fuzzy Hash: 8c199cab2177ee6df3d542525e4b2680d52f6c5ebcba18117cd9acc09430bf6d
Instruction Fuzzy Hash: 6BE08C3090A3848FCB068BB4A9190FC3FB49A1311031401DFC855DB623C92A090AC712

Function 015723F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111366839.0000000001572000.00000040.00000800.00020000.00000000.sdmp, Offset: 01572000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1572000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 251d8791fb02ab6ee4bf3e55fce897ecdfa7106f59838405a7455fc56bf5bac4
Instruction ID: 033056d0d279bc670656b12051d8a0b80493d8d21101bb760034e0bb1a4dc5ac
Opcode Fuzzy Hash: 251d8791fb02ab6ee4bf3e55fce897ecdfa7106f59838405a7455fc56bf5bac4
Instruction Fuzzy Hash: 2FD02E3A2006C08FE3228A0CD2A5F893BE4BB40708F4A04F9A800CF763C768D480C200

Function 015723BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4111366839.0000000001572000.00000040.00000800.00020000.00000000.sdmp, Offset: 01572000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1572000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad7a5aeaab19c60426b62333c0de322046c035f0d54a4555b7e72e7e1a31a775
Instruction ID: 2762dfed0779a3ea96c7286610e2454081ea0a4b0426aecd5562b7abd916cbc4
Opcode Fuzzy Hash: ad7a5aeaab19c60426b62333c0de322046c035f0d54a4555b7e72e7e1a31a775
Instruction Fuzzy Hash: 7ED05E342006814FD725DA0CD2D5F5D3BD4BF40714F0644ECAC108F762C7A4D8C0DA00

Function 05694210 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4113496277.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5690000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5487e478d8f49ff928bdc7030a14bca8e5f5158d667b870a17e6d0112db9936d
Instruction ID: b573c433ddd39a2e918c39a1a9ae29c43834ff4c3b14db1bc7ce5ffc09ee0027
Opcode Fuzzy Hash: 5487e478d8f49ff928bdc7030a14bca8e5f5158d667b870a17e6d0112db9936d
Instruction Fuzzy Hash: 23D0A930A01208EF8B00DFA8D90089DBBF8EB05208B0000AAA809E7700EE311E08EB81

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report gReXLT7XjR.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Njrat

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Kaspersky Anti-Virus Flash.exe

C:\Users\user\AppData\Local\DeadMom.exe

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\445c7762b8f06a76352fcac2e22df159Windows Update.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\DeadMom.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Microsoft Corporation.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\gReXLT7XjR.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\History\DeadMom.exe

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\DeadMom.exe

C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\DeadMom.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\445c7762b8f06a76352fcac2e22df159Windows Update.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadMom.exe

Windows Analysis Report
gReXLT7XjR.exe