Edit tour

Windows Analysis Report
server.exe

Overview

General Information

Sample name:	server.exe
Analysis ID:	1584742
MD5:	e4b99200fb42ee229fbb41f2cf56d8f8
SHA1:	edf6652f563fdc69788fb9c4e8b9499c412095fd
SHA256:	adae7b74db9b2c08abcc5f6b0165896726a36eb412e780710e242a97b12554f9
Tags:	exeNjRATuser-lontze7
Infos:

Detection

Njrat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Njrat

.NET source code contains potential unpacker

AI detected suspicious sample

Contains functionality to disable the Task Manager (.Net Source)

Contains functionality to spread to USB devices (.Net source)

Disables zone checking for all users

Drops PE files to the document folder of the user

Drops PE files to the startup folder

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies the windows firewall

Sigma detected: Potentially Suspicious Malware Callback Communication

Uses netsh to modify the Windows network and firewall settings

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the program root directory (C:\Program Files)

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May infect USB drives

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

server.exe (PID: 7596 cmdline: "C:\Users\user\Desktop\server.exe" MD5: E4B99200FB42EE229FBB41F2CF56D8F8)

netsh.exe (PID: 7668 cmdline: netsh firewall add allowedprogram "C:\Users\user\Desktop\server.exe" "server.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

conhost.exe (PID: 7684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
NjRAT	RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.	AQUATIC PANDA Earth Lusca Operation C-Major The Gorgon Group	http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/ http://blogs.360.cn/post/analysis-of-apt-c-37.html http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/ https://asec.ahnlab.com/1369	https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Malware Configuration

Threatname: Njrat

{"Campaign ID": "HacKed", "Version": "0.7d", "Install Name": "dc81ba2078dcc6e9b83f78a887be4629", "Install Dir": "Adobe Update", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Network Seprator": "|'|'|"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
server.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
server.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x115d2:$a1: get_Registry 0x15a27:$a2: SEE_MASK_NOZONECHECKS 0x156c9:$a3: Download ERROR 0x15c79:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13c06:$a5: netsh firewall delete allowedprogram "
server.exe	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x15c79:$x1: cmd.exe /c ping 0 -n 2 & del " 0x13792:$s1: winmgmts:\\.\root\SecurityCenter2 0x156e7:$s3: Executed As 0x124f0:$s5: Stub.exe 0x156c9:$s6: Download ERROR 0x13754:$s8: Select * From AntiVirusProduct
server.exe	crimeware_njrat_strings	Detects njRAT based on some strings	Sekoia.io	0x1546b:$: set cdaudio door closed 0x1542f:$: set cdaudio door open 0x15c8f:$: ping 0 0x13412:$: [endof] 0x132cc:$: TiGeR-Firewall 0x132fa:$: NetSnifferCs 0x132b8:$: IPBlocker 0x13314:$: Sandboxie Control
server.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x15a27:$reg: SEE_MASK_NOZONECHECKS 0x156ad:$msg: Execute ERROR 0x15701:$msg: Execute ERROR 0x15c79:$ping: cmd.exe /c ping 0 -n 2 & del
server.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c06:$s1: netsh firewall delete allowedprogram 0x13c58:$s2: netsh firewall add allowedprogram 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ad:$s4: Execute ERROR 0x15701:$s4: Execute ERROR 0x156c9:$s5: Download ERROR
Click to see the 1 entries

Dropped Files

Source	Rule	Description	Author	Strings
C:\Program Files (x86)\Explower.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Program Files (x86)\Explower.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x115d2:$a1: get_Registry 0x15a27:$a2: SEE_MASK_NOZONECHECKS 0x156c9:$a3: Download ERROR 0x15c79:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13c06:$a5: netsh firewall delete allowedprogram "
C:\Program Files (x86)\Explower.exe	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x15c79:$x1: cmd.exe /c ping 0 -n 2 & del " 0x13792:$s1: winmgmts:\\.\root\SecurityCenter2 0x156e7:$s3: Executed As 0x124f0:$s5: Stub.exe 0x156c9:$s6: Download ERROR 0x13754:$s8: Select * From AntiVirusProduct
C:\Program Files (x86)\Explower.exe	crimeware_njrat_strings	Detects njRAT based on some strings	Sekoia.io	0x1546b:$: set cdaudio door closed 0x1542f:$: set cdaudio door open 0x15c8f:$: ping 0 0x13412:$: [endof] 0x132cc:$: TiGeR-Firewall 0x132fa:$: NetSnifferCs 0x132b8:$: IPBlocker 0x13314:$: Sandboxie Control
C:\Program Files (x86)\Explower.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x15a27:$reg: SEE_MASK_NOZONECHECKS 0x156ad:$msg: Execute ERROR 0x15701:$msg: Execute ERROR 0x15c79:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c06:$s1: netsh firewall delete allowedprogram 0x13c58:$s2: netsh firewall add allowedprogram 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ad:$s4: Execute ERROR 0x15701:$s4: Execute ERROR 0x156c9:$s5: Download ERROR
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c06:$s1: netsh firewall delete allowedprogram 0x13c58:$s2: netsh firewall add allowedprogram 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ad:$s4: Execute ERROR 0x15701:$s4: Execute ERROR 0x156c9:$s5: Download ERROR
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c06:$s1: netsh firewall delete allowedprogram 0x13c58:$s2: netsh firewall add allowedprogram 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ad:$s4: Execute ERROR 0x15701:$s4: Execute ERROR 0x156c9:$s5: Download ERROR
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c06:$s1: netsh firewall delete allowedprogram 0x13c58:$s2: netsh firewall add allowedprogram 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ad:$s4: Execute ERROR 0x15701:$s4: Execute ERROR 0x156c9:$s5: Download ERROR
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c06:$s1: netsh firewall delete allowedprogram 0x13c58:$s2: netsh firewall add allowedprogram 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ad:$s4: Execute ERROR 0x15701:$s4: Execute ERROR 0x156c9:$s5: Download ERROR
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c06:$s1: netsh firewall delete allowedprogram 0x13c58:$s2: netsh firewall add allowedprogram 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ad:$s4: Execute ERROR 0x15701:$s4: Execute ERROR 0x156c9:$s5: Download ERROR
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c06:$s1: netsh firewall delete allowedprogram 0x13c58:$s2: netsh firewall add allowedprogram 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ad:$s4: Execute ERROR 0x15701:$s4: Execute ERROR 0x156c9:$s5: Download ERROR
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c06:$s1: netsh firewall delete allowedprogram 0x13c58:$s2: netsh firewall add allowedprogram 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ad:$s4: Execute ERROR 0x15701:$s4: Execute ERROR 0x156c9:$s5: Download ERROR
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c06:$s1: netsh firewall delete allowedprogram 0x13c58:$s2: netsh firewall add allowedprogram 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ad:$s4: Execute ERROR 0x15701:$s4: Execute ERROR 0x156c9:$s5: Download ERROR
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c06:$s1: netsh firewall delete allowedprogram 0x13c58:$s2: netsh firewall add allowedprogram 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ad:$s4: Execute ERROR 0x15701:$s4: Execute ERROR 0x156c9:$s5: Download ERROR
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c06:$s1: netsh firewall delete allowedprogram 0x13c58:$s2: netsh firewall add allowedprogram 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ad:$s4: Execute ERROR 0x15701:$s4: Execute ERROR 0x156c9:$s5: Download ERROR
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c06:$s1: netsh firewall delete allowedprogram 0x13c58:$s2: netsh firewall add allowedprogram 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ad:$s4: Execute ERROR 0x15701:$s4: Execute ERROR 0x156c9:$s5: Download ERROR
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c06:$s1: netsh firewall delete allowedprogram 0x13c58:$s2: netsh firewall add allowedprogram 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ad:$s4: Execute ERROR 0x15701:$s4: Execute ERROR 0x156c9:$s5: Download ERROR
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c06:$s1: netsh firewall delete allowedprogram 0x13c58:$s2: netsh firewall add allowedprogram 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ad:$s4: Execute ERROR 0x15701:$s4: Execute ERROR 0x156c9:$s5: Download ERROR
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c06:$s1: netsh firewall delete allowedprogram 0x13c58:$s2: netsh firewall add allowedprogram 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ad:$s4: Execute ERROR 0x15701:$s4: Execute ERROR 0x156c9:$s5: Download ERROR
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c06:$s1: netsh firewall delete allowedprogram 0x13c58:$s2: netsh firewall add allowedprogram 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ad:$s4: Execute ERROR 0x15701:$s4: Execute ERROR 0x156c9:$s5: Download ERROR
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c06:$s1: netsh firewall delete allowedprogram 0x13c58:$s2: netsh firewall add allowedprogram 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ad:$s4: Execute ERROR 0x15701:$s4: Execute ERROR 0x156c9:$s5: Download ERROR
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c06:$s1: netsh firewall delete allowedprogram 0x13c58:$s2: netsh firewall add allowedprogram 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ad:$s4: Execute ERROR 0x15701:$s4: Execute ERROR 0x156c9:$s5: Download ERROR
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c06:$s1: netsh firewall delete allowedprogram 0x13c58:$s2: netsh firewall add allowedprogram 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ad:$s4: Execute ERROR 0x15701:$s4: Execute ERROR 0x156c9:$s5: Download ERROR
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c06:$s1: netsh firewall delete allowedprogram 0x13c58:$s2: netsh firewall add allowedprogram 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ad:$s4: Execute ERROR 0x15701:$s4: Execute ERROR 0x156c9:$s5: Download ERROR
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c06:$s1: netsh firewall delete allowedprogram 0x13c58:$s2: netsh firewall add allowedprogram 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ad:$s4: Execute ERROR 0x15701:$s4: Execute ERROR 0x156c9:$s5: Download ERROR
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c06:$s1: netsh firewall delete allowedprogram 0x13c58:$s2: netsh firewall add allowedprogram 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ad:$s4: Execute ERROR 0x15701:$s4: Execute ERROR 0x156c9:$s5: Download ERROR
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c06:$s1: netsh firewall delete allowedprogram 0x13c58:$s2: netsh firewall add allowedprogram 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ad:$s4: Execute ERROR 0x15701:$s4: Execute ERROR 0x156c9:$s5: Download ERROR
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c06:$s1: netsh firewall delete allowedprogram 0x13c58:$s2: netsh firewall add allowedprogram 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ad:$s4: Execute ERROR 0x15701:$s4: Execute ERROR 0x156c9:$s5: Download ERROR
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c06:$s1: netsh firewall delete allowedprogram 0x13c58:$s2: netsh firewall add allowedprogram 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ad:$s4: Execute ERROR 0x15701:$s4: Execute ERROR 0x156c9:$s5: Download ERROR
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c06:$s1: netsh firewall delete allowedprogram 0x13c58:$s2: netsh firewall add allowedprogram 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ad:$s4: Execute ERROR 0x15701:$s4: Execute ERROR 0x156c9:$s5: Download ERROR
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c06:$s1: netsh firewall delete allowedprogram 0x13c58:$s2: netsh firewall add allowedprogram 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ad:$s4: Execute ERROR 0x15701:$s4: Execute ERROR 0x156c9:$s5: Download ERROR
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c06:$s1: netsh firewall delete allowedprogram 0x13c58:$s2: netsh firewall add allowedprogram 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ad:$s4: Execute ERROR 0x15701:$s4: Execute ERROR 0x156c9:$s5: Download ERROR
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c06:$s1: netsh firewall delete allowedprogram 0x13c58:$s2: netsh firewall add allowedprogram 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ad:$s4: Execute ERROR 0x15701:$s4: Execute ERROR 0x156c9:$s5: Download ERROR
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c06:$s1: netsh firewall delete allowedprogram 0x13c58:$s2: netsh firewall add allowedprogram 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ad:$s4: Execute ERROR 0x15701:$s4: Execute ERROR 0x156c9:$s5: Download ERROR
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c06:$s1: netsh firewall delete allowedprogram 0x13c58:$s2: netsh firewall add allowedprogram 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ad:$s4: Execute ERROR 0x15701:$s4: Execute ERROR 0x156c9:$s5: Download ERROR
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c06:$s1: netsh firewall delete allowedprogram 0x13c58:$s2: netsh firewall add allowedprogram 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ad:$s4: Execute ERROR 0x15701:$s4: Execute ERROR 0x156c9:$s5: Download ERROR
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c06:$s1: netsh firewall delete allowedprogram 0x13c58:$s2: netsh firewall add allowedprogram 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ad:$s4: Execute ERROR 0x15701:$s4: Execute ERROR 0x156c9:$s5: Download ERROR
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c06:$s1: netsh firewall delete allowedprogram 0x13c58:$s2: netsh firewall add allowedprogram 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ad:$s4: Execute ERROR 0x15701:$s4: Execute ERROR 0x156c9:$s5: Download ERROR
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c06:$s1: netsh firewall delete allowedprogram 0x13c58:$s2: netsh firewall add allowedprogram 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ad:$s4: Execute ERROR 0x15701:$s4: Execute ERROR 0x156c9:$s5: Download ERROR
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c06:$s1: netsh firewall delete allowedprogram 0x13c58:$s2: netsh firewall add allowedprogram 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ad:$s4: Execute ERROR 0x15701:$s4: Execute ERROR 0x156c9:$s5: Download ERROR
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c06:$s1: netsh firewall delete allowedprogram 0x13c58:$s2: netsh firewall add allowedprogram 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ad:$s4: Execute ERROR 0x15701:$s4: Execute ERROR 0x156c9:$s5: Download ERROR
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c06:$s1: netsh firewall delete allowedprogram 0x13c58:$s2: netsh firewall add allowedprogram 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ad:$s4: Execute ERROR 0x15701:$s4: Execute ERROR 0x156c9:$s5: Download ERROR
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c06:$s1: netsh firewall delete allowedprogram 0x13c58:$s2: netsh firewall add allowedprogram 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ad:$s4: Execute ERROR 0x15701:$s4: Execute ERROR 0x156c9:$s5: Download ERROR
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c06:$s1: netsh firewall delete allowedprogram 0x13c58:$s2: netsh firewall add allowedprogram 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ad:$s4: Execute ERROR 0x15701:$s4: Execute ERROR 0x156c9:$s5: Download ERROR
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c06:$s1: netsh firewall delete allowedprogram 0x13c58:$s2: netsh firewall add allowedprogram 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ad:$s4: Execute ERROR 0x15701:$s4: Execute ERROR 0x156c9:$s5: Download ERROR
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c06:$s1: netsh firewall delete allowedprogram 0x13c58:$s2: netsh firewall add allowedprogram 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ad:$s4: Execute ERROR 0x15701:$s4: Execute ERROR 0x156c9:$s5: Download ERROR
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c06:$s1: netsh firewall delete allowedprogram 0x13c58:$s2: netsh firewall add allowedprogram 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ad:$s4: Execute ERROR 0x15701:$s4: Execute ERROR 0x156c9:$s5: Download ERROR
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c06:$s1: netsh firewall delete allowedprogram 0x13c58:$s2: netsh firewall add allowedprogram 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ad:$s4: Execute ERROR 0x15701:$s4: Execute ERROR 0x156c9:$s5: Download ERROR
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c06:$s1: netsh firewall delete allowedprogram 0x13c58:$s2: netsh firewall add allowedprogram 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ad:$s4: Execute ERROR 0x15701:$s4: Execute ERROR 0x156c9:$s5: Download ERROR
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c06:$s1: netsh firewall delete allowedprogram 0x13c58:$s2: netsh firewall add allowedprogram 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ad:$s4: Execute ERROR 0x15701:$s4: Execute ERROR 0x156c9:$s5: Download ERROR
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c06:$s1: netsh firewall delete allowedprogram 0x13c58:$s2: netsh firewall add allowedprogram 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ad:$s4: Execute ERROR 0x15701:$s4: Execute ERROR 0x156c9:$s5: Download ERROR
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c06:$s1: netsh firewall delete allowedprogram 0x13c58:$s2: netsh firewall add allowedprogram 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ad:$s4: Execute ERROR 0x15701:$s4: Execute ERROR 0x156c9:$s5: Download ERROR
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c06:$s1: netsh firewall delete allowedprogram 0x13c58:$s2: netsh firewall add allowedprogram 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ad:$s4: Execute ERROR 0x15701:$s4: Execute ERROR 0x156c9:$s5: Download ERROR
Click to see the 49 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1656549731.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000000.1656549731.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x113d2:$a1: get_Registry 0x15827:$a2: SEE_MASK_NOZONECHECKS 0x154c9:$a3: Download ERROR 0x15a79:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13a06:$a5: netsh firewall delete allowedprogram "
00000000.00000000.1656549731.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x15827:$reg: SEE_MASK_NOZONECHECKS 0x154ad:$msg: Execute ERROR 0x15501:$msg: Execute ERROR 0x15a79:$ping: cmd.exe /c ping 0 -n 2 & del
Process Memory Space: server.exe PID: 7596	JoeSecurity_Njrat	Yara detected Njrat	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.server.exe.dc0000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.0.server.exe.dc0000.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x115d2:$a1: get_Registry 0x15a27:$a2: SEE_MASK_NOZONECHECKS 0x156c9:$a3: Download ERROR 0x15c79:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13c06:$a5: netsh firewall delete allowedprogram "
0.0.server.exe.dc0000.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x15c79:$x1: cmd.exe /c ping 0 -n 2 & del " 0x13792:$s1: winmgmts:\\.\root\SecurityCenter2 0x156e7:$s3: Executed As 0x124f0:$s5: Stub.exe 0x156c9:$s6: Download ERROR 0x13754:$s8: Select * From AntiVirusProduct
0.0.server.exe.dc0000.0.unpack	crimeware_njrat_strings	Detects njRAT based on some strings	Sekoia.io	0x1546b:$: set cdaudio door closed 0x1542f:$: set cdaudio door open 0x15c8f:$: ping 0 0x13412:$: [endof] 0x132cc:$: TiGeR-Firewall 0x132fa:$: NetSnifferCs 0x132b8:$: IPBlocker 0x13314:$: Sandboxie Control
0.0.server.exe.dc0000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x15a27:$reg: SEE_MASK_NOZONECHECKS 0x156ad:$msg: Execute ERROR 0x15701:$msg: Execute ERROR 0x15c79:$ping: cmd.exe /c ping 0 -n 2 & del
0.0.server.exe.dc0000.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c06:$s1: netsh firewall delete allowedprogram 0x13c58:$s2: netsh firewall add allowedprogram 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156ad:$s4: Execute ERROR 0x15701:$s4: Execute ERROR 0x156c9:$s5: Download ERROR
Click to see the 1 entries

Sigma Signatures

System Summary

Sigma detected: Potentially Suspicious Malware Callback Communication

Source: Network Connection

Author: Florian Roth (Nextron Systems): Data: DestinationIp: 77.90.22.45, DestinationIsIpv6: false, DestinationPort: 5552, EventID: 3, Image: C:\Users\user\Desktop\server.exe, Initiated: true, ProcessId: 7596, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\server.exe, ProcessId: 7596, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe

Suricata Signatures

ET MALWARE Bladabindi/njRAT CnC Command (ll)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-06T12:39:59.703675+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.4	49730	77.90.22.45	5552	TCP

ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-06T12:39:59.703675+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.4	49730	77.90.22.45	5552	TCP

ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-06T12:40:05.918199+0100	2825564	1	Malware Command and Control Activity Detected	192.168.2.4	49730	77.90.22.45	5552	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: server.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Program Files (x86)\Explower.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files (x86)\Explower.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files (x86)\Explower.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files (x86)\Explower.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files (x86)\Explower.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files (x86)\Explower.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files (x86)\Explower.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files (x86)\Explower.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files (x86)\Explower.exe	Avira: detection malicious, Label: TR/Dropper.Gen

Found malware configuration

Source: 0.0.server.exe.dc0000.0.unpack

Malware Configuration Extractor: Njrat {"Campaign ID": "HacKed", "Version": "0.7d", "Install Name": "dc81ba2078dcc6e9b83f78a887be4629", "Install Dir": "Adobe Update", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Network Seprator": "|'|'|"}

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\Explower.exe	ReversingLabs: Detection: 84%
Source: C:\Program Files (x86)\Explower.exe	Virustotal: Detection: 72%	Perma Link
Source: C:\Users\user\AppData\Local\Explower.exe	ReversingLabs: Detection: 84%
Source: C:\Users\user\AppData\Local\Explower.exe	Virustotal: Detection: 72%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\History\Explower.exe	ReversingLabs: Detection: 84%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\History\Explower.exe	Virustotal: Detection: 72%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Explower.exe	ReversingLabs: Detection: 84%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Explower.exe	ReversingLabs: Detection: 84%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	ReversingLabs: Detection: 84%
Source: C:\Users\user\Documents\Explower.exe	ReversingLabs: Detection: 84%
Source: C:\Users\user\Favorites\Explower.exe	ReversingLabs: Detection: 84%
Source: C:\Windows\SysWOW64\Explower.exe	ReversingLabs: Detection: 84%

Multi AV Scanner detection for submitted file

Source: server.exe	Virustotal: Detection: 72%			Perma Link
Source: server.exe	ReversingLabs: Detection: 84%

Yara detected Njrat

Source: Yara match	File source: server.exe, type: SAMPLE
Source: Yara match	File source: 0.0.server.exe.dc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1656549731.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: server.exe PID: 7596, type: MEMORYSTR
Source: Yara match	File source: C:\Program Files (x86)\Explower.exe, type: DROPPED

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\Explower.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explower.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explower.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explower.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explower.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explower.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explower.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explower.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explower.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: server.exe

Joe Sandbox ML: detected

Source: server.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\server.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: server.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Spreading

Contains functionality to spread to USB devices (.Net source)

Source: server.exe, Usb1.cs	.Net Code: infect
Source: Explower.exe.0.dr, Usb1.cs	.Net Code: infect
Source: Explower.exe0.0.dr, Usb1.cs	.Net Code: infect
Source: Explower.exe1.0.dr, Usb1.cs	.Net Code: infect
Source: Explower.exe2.0.dr, Usb1.cs	.Net Code: infect
Source: Explower.exe3.0.dr, Usb1.cs	.Net Code: infect
Source: Explower.exe4.0.dr, Usb1.cs	.Net Code: infect
Source: Explower.exe5.0.dr, Usb1.cs	.Net Code: infect
Source: Explower.exe6.0.dr, Usb1.cs	.Net Code: infect
Source: Explower.exe7.0.dr, Usb1.cs	.Net Code: infect

Source: server.exe, 00000000.00000000.1656549731.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: \autorun.inf
Source: server.exe, 00000000.00000000.1656549731.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: [autorun]
Source: server.exe, 00000000.00000000.1656549731.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: autorun.inf
Source: server.exe	Binary or memory string: \autorun.inf
Source: server.exe	Binary or memory string: [autorun]
Source: server.exe	Binary or memory string: autorun.inf
Source: Explower.exe2.0.dr	Binary or memory string: \autorun.inf
Source: Explower.exe2.0.dr	Binary or memory string: [autorun]
Source: Explower.exe2.0.dr	Binary or memory string: autorun.inf
Source: Explower.exe.0.dr	Binary or memory string: \autorun.inf
Source: Explower.exe.0.dr	Binary or memory string: [autorun]
Source: Explower.exe.0.dr	Binary or memory string: autorun.inf
Source: Explower.exe1.0.dr	Binary or memory string: \autorun.inf
Source: Explower.exe1.0.dr	Binary or memory string: [autorun]
Source: Explower.exe1.0.dr	Binary or memory string: autorun.inf
Source: Explower.exe4.0.dr	Binary or memory string: \autorun.inf
Source: Explower.exe4.0.dr	Binary or memory string: [autorun]
Source: Explower.exe4.0.dr	Binary or memory string: autorun.inf
Source: Explower.exe3.0.dr	Binary or memory string: \autorun.inf
Source: Explower.exe3.0.dr	Binary or memory string: [autorun]
Source: Explower.exe3.0.dr	Binary or memory string: autorun.inf
Source: Explower.exe7.0.dr	Binary or memory string: \autorun.inf
Source: Explower.exe7.0.dr	Binary or memory string: [autorun]
Source: Explower.exe7.0.dr	Binary or memory string: autorun.inf
Source: Explower.exe6.0.dr	Binary or memory string: \autorun.inf
Source: Explower.exe6.0.dr	Binary or memory string: [autorun]
Source: Explower.exe6.0.dr	Binary or memory string: autorun.inf
Source: Explower.exe0.0.dr	Binary or memory string: \autorun.inf
Source: Explower.exe0.0.dr	Binary or memory string: [autorun]
Source: Explower.exe0.0.dr	Binary or memory string: autorun.inf
Source: Explower.exe5.0.dr	Binary or memory string: \autorun.inf
Source: Explower.exe5.0.dr	Binary or memory string: [autorun]
Source: Explower.exe5.0.dr	Binary or memory string: autorun.inf

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.4:49730 -> 77.90.22.45:5552
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.4:49730 -> 77.90.22.45:5552
Source: Network traffic	Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.4:49730 -> 77.90.22.45:5552

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 77.90.22.45:5552

Source: Joe Sandbox View

ASN Name: ASGHOSTNETDE ASGHOSTNETDE

Source: unknown	TCP traffic detected without corresponding DNS query: 77.90.22.45
Source: unknown	TCP traffic detected without corresponding DNS query: 77.90.22.45
Source: unknown	TCP traffic detected without corresponding DNS query: 77.90.22.45
Source: unknown	TCP traffic detected without corresponding DNS query: 77.90.22.45
Source: unknown	TCP traffic detected without corresponding DNS query: 77.90.22.45

Source: C:\Users\user\Desktop\server.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

E-Banking Fraud

Yara detected Njrat

Source: Yara match	File source: server.exe, type: SAMPLE
Source: Yara match	File source: 0.0.server.exe.dc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1656549731.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: server.exe PID: 7596, type: MEMORYSTR
Source: Yara match	File source: C:\Program Files (x86)\Explower.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: server.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: server.exe, type: SAMPLE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: server.exe, type: SAMPLE	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: server.exe, type: SAMPLE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: server.exe, type: SAMPLE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.0.server.exe.dc0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.0.server.exe.dc0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.0.server.exe.dc0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: 0.0.server.exe.dc0000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.server.exe.dc0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000000.00000000.1656549731.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000000.1656549731.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen

Source: C:\Users\user\Desktop\server.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\server.exe	File created: C:\Windows\SysWOW64\Explower.exe			Jump to behavior
Source: C:\Users\user\Desktop\server.exe	File created: C:\Windows\SysWOW64\Explower.exe:Zone.Identifier:$DATA			Jump to behavior

Source: C:\Users\user\Desktop\server.exe	Code function: 0_2_05594298		0_2_05594298
Source: C:\Users\user\Desktop\server.exe	Code function: 0_2_05594269		0_2_05594269

Source: server.exe, 00000000.00000002.4102476110.00000000011EE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenamemscorwks.dllT vs server.exe

Source: server.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: server.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: server.exe, type: SAMPLE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: server.exe, type: SAMPLE	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: server.exe, type: SAMPLE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: server.exe, type: SAMPLE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.0.server.exe.dc0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.0.server.exe.dc0000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.server.exe.dc0000.0.unpack, type: UNPACKEDPE	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: 0.0.server.exe.dc0000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.0.server.exe.dc0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000000.00000000.1656549731.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000000.1656549731.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi

Source: classification engine

Classification label: mal100.spre.phis.troj.adwa.evad.winEXE@4/20@0/1

Source: C:\Users\user\Desktop\server.exe	Code function: 0_2_056C250A AdjustTokenPrivileges,		0_2_056C250A
Source: C:\Users\user\Desktop\server.exe	Code function: 0_2_056C24D3 AdjustTokenPrivileges,		0_2_056C24D3

Source: C:\Users\user\Desktop\server.exe

File created: C:\Program Files (x86)\Explower.exe

Jump to behavior

Source: C:\Users\user\Desktop\server.exe

File created: C:\Users\user\AppData\Roaming\app

Jump to behavior

Source: C:\Users\user\Desktop\server.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7684:120:WilError_03
Source: C:\Users\user\Desktop\server.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\server.exe	Mutant created: \Sessions\1\BaseNamedObjects\dc81ba2078dcc6e9b83f78a887be4629

Source: C:\Users\user\Desktop\server.exe

File created: C:\Users\user\AppData\Local\Temp\FransescoPast.txt

Jump to behavior

Source: server.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: server.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\server.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: server.exe	Virustotal: Detection: 72%
Source: server.exe	ReversingLabs: Detection: 84%

Source: C:\Users\user\Desktop\server.exe

File read: C:\Users\user\Desktop\server.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\server.exe "C:\Users\user\Desktop\server.exe"
Source: C:\Users\user\Desktop\server.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\server.exe" "server.exe" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\server.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\server.exe" "server.exe" ENABLE	Jump to behavior

Source: C:\Users\user\Desktop\server.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll	Jump to behavior

Source: C:\Users\user\Desktop\server.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\server.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: server.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\server.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: server.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: server.exe, Fransesco.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: Explower.exe.0.dr, Fransesco.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: Explower.exe0.0.dr, Fransesco.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: Explower.exe1.0.dr, Fransesco.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: Explower.exe2.0.dr, Fransesco.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: Explower.exe3.0.dr, Fransesco.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: Explower.exe4.0.dr, Fransesco.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: Explower.exe5.0.dr, Fransesco.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: Explower.exe6.0.dr, Fransesco.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: Explower.exe7.0.dr, Fransesco.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\server.exe	Code function: 0_2_016C05E0 push cs; ret		0_2_016C05E1
Source: C:\Users\user\Desktop\server.exe	Code function: 0_2_016C0710 push es; ret		0_2_016C0711

Persistence and Installation Behavior

Drops PE files to the document folder of the user

Source: C:\Users\user\Desktop\server.exe

File created: C:\Users\user\Documents\Explower.exe

Jump to dropped file

Source: C:\Users\user\Desktop\server.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Explower.exe	Jump to dropped file
Source: C:\Users\user\Desktop\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Jump to dropped file
Source: C:\Users\user\Desktop\server.exe	File created: C:\Windows\SysWOW64\Explower.exe	Jump to dropped file
Source: C:\Users\user\Desktop\server.exe	File created: C:\Users\user\AppData\Local\Explower.exe	Jump to dropped file
Source: C:\Users\user\Desktop\server.exe	File created: C:\Program Files (x86)\Explower.exe	Jump to dropped file
Source: C:\Users\user\Desktop\server.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\History\Explower.exe	Jump to dropped file
Source: C:\Users\user\Desktop\server.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Explower.exe	Jump to dropped file
Source: C:\Users\user\Desktop\server.exe	File created: C:\Users\user\Documents\Explower.exe	Jump to dropped file
Source: C:\Users\user\Desktop\server.exe	File created: C:\Users\user\Favorites\Explower.exe	Jump to dropped file

Source: C:\Users\user\Desktop\server.exe

File created: C:\Program Files (x86)\Explower.exe

Jump to dropped file

Source: C:\Users\user\Desktop\server.exe

File created: C:\Windows\SysWOW64\Explower.exe

Jump to dropped file

Boot Survival

Drops PE files to the startup folder

Source: C:\Users\user\Desktop\server.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe

Jump to dropped file

Source: C:\Users\user\Desktop\server.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe

Jump to behavior

Source: C:\Users\user\Desktop\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe			Jump to behavior
Source: C:\Users\user\Desktop\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe\:Zone.Identifier:$DATA			Jump to behavior

Source: C:\Users\user\Desktop\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\server.exe	Memory allocated: 1770000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Memory allocated: 3430000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Memory allocated: 1770000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\server.exe	Window / User API: threadDelayed 760	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Window / User API: threadDelayed 5811	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Window / User API: threadDelayed 2788	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Window / User API: foregroundWindowGot 747	Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Window / User API: foregroundWindowGot 748	Jump to behavior

Source: C:\Users\user\Desktop\server.exe TID: 7620	Thread sleep count: 760 > 30	Jump to behavior
Source: C:\Users\user\Desktop\server.exe TID: 7620	Thread sleep time: -76000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\server.exe TID: 7600	Thread sleep count: 5811 > 30	Jump to behavior
Source: C:\Users\user\Desktop\server.exe TID: 7600	Thread sleep time: -5811000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\server.exe TID: 7600	Thread sleep count: 2788 > 30	Jump to behavior
Source: C:\Users\user\Desktop\server.exe TID: 7600	Thread sleep time: -2788000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: netsh.exe, 00000001.00000003.1686660010.0000000000992000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll[
Source: server.exe, 00000000.00000002.4102476110.0000000001269000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWcessorArchitec
Source: server.exe, 00000000.00000002.4102476110.0000000001269000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\server.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\server.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 07:24:31 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 04:08:33 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 05:52:38 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/13 \| 18:47:07 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 10:49:27 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 06:37:51 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 04:44:34 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/13 \| 17:39:03 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 05:31:14 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 04:29:57 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 12:13:28 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 05:21:55 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 13:29:24 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 04:39:16 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 11:21:31 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 13:00:08 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/13 \| 20:10:48 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 07:09:54 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/13 \| 18:32:31 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 10:44:10 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 11:42:55 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 09:04:38 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 02:41:58 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 01:54:02 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 11:41:25 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 01:44:43 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 02:51:17 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 12:14:08 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 09:40:39 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 11:26:48 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 03:36:30 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 11:36:07 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 10:18:44 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 04:24:40 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 10:28:03 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 02:16:46 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/13 \| 18:27:13 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/13 \| 20:21:37 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 07:44:25 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 02:26:05 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 01:08:42 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 01:39:25 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 13:01:38 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 01:12:30 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 08:52:29 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 05:15:07 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 01:18:01 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 07:36:00 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/13 \| 19:04:34 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 07:08:24 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 13:09:30 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 09:37:42 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 11:38:17 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 02:52:47 - Program Manager
Source: server.exe, 00000000.00000002.4103150757.000000000375B000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4103150757.00000000037B9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 06:58:25 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 07:29:48 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 10:46:20 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 10:54:45 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 07:39:07 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 11:25:18 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/13 \| 19:57:32 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 10:00:17 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 11:15:59 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 09:48:31 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 05:20:25 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 09:47:01 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 04:23:10 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 10:07:55 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 04:13:51 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 02:15:16 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 02:47:29 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 12:57:21 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 02:20:34 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 04:07:03 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 10:01:47 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 02:05:57 - Program Manager
Source: server.exe, 00000000.00000002.4103150757.00000000034E1000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4103150757.000000000375B000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/09 \| 02:29:54 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 05:05:48 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 04:55:23 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 01:07:12 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 08:53:59 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 09:36:12 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 01:55:32 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 10:43:56 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/13 \| 16:46:52 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 01:11:39 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 08:49:32 - Program Manager
Source: server.exe, 00000000.00000002.4103150757.00000000034E1000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4103150757.000000000375B000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/09 \| 02:23:46 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 10:11:06 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 06:46:56 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 03:04:56 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/13 \| 18:43:20 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 06:56:15 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 02:06:11 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/13 \| 17:18:55 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 02:04:27 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 02:27:35 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/13 \| 17:28:14 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 09:10:10 - Program Manager
Source: server.exe, 00000000.00000002.4103150757.00000000034E1000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4103150757.000000000375B000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/08 \| 23:44:08 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 09:00:51 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 04:53:39 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 05:38:52 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 05:48:11 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 09:20:45 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 11:32:20 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 10:53:15 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 12:20:30 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 09:30:04 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 13:18:35 - Program Manager
Source: server.exe, 00000000.00000002.4103150757.00000000034E1000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4103150757.000000000375B000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 06:26:12 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 09:26:53 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 12:24:17 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 09:59:20 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 04:28:27 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 11:19:53 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 12:14:58 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 05:32:44 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 11:16:13 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 05:42:03 - Program Manager
Source: server.exe, 00000000.00000002.4103150757.00000000034E1000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4103150757.000000000375B000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/09 \| 02:33:42 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 02:43:42 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 11:20:01 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 03:24:11 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 06:40:48 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4103150757.000000000394E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 07:03:33 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 00:50:25 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 11:10:42 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 07:17:29 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 11:37:37 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 01:33:54 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 10:27:49 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 10:37:08 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 07:35:20 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 01:17:47 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 01:27:06 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 06:25:32 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 11:59:52 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 09:51:28 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 04:16:08 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/13 \| 16:50:40 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 02:49:50 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 03:51:46 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 05:28:56 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 09:40:00 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 05:11:20 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 04:32:15 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 05:38:15 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 06:09:25 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 10:45:40 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 04:22:56 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/13 \| 17:56:40 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 03:57:54 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 06:03:17 - Program Manager
Source: server.exe, 00000000.00000002.4103150757.00000000034E1000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4103150757.000000000375B000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 05:59:26 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 05:40:19 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/13 \| 18:48:37 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 03:44:05 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 11:47:33 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 09:09:16 - Program Manager
Source: server.exe, 00000000.00000002.4103150757.00000000034E1000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4103150757.000000000375B000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/08 \| 21:51:28 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/13 \| 19:35:54 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 04:52:09 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 07:03:46 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 05:49:04 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 08:10:07 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/13 \| 19:45:13 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 07:13:05 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 05:39:45 - Program Manager
Source: server.exe, 00000000.00000002.4103150757.00000000034E1000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4103150757.000000000375B000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 06:36:47 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 01:02:34 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 09:11:40 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 03:46:28 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 09:07:02 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 03:31:52 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4103150757.000000000394E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 07:02:03 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 12:19:36 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 10:02:01 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 12:17:22 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 05:54:22 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 10:23:25 - Program Manager
Source: server.exe, 00000000.00000002.4103150757.00000000034E1000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4103150757.000000000375B000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 06:48:29 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 08:37:13 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 04:02:25 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 09:35:58 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 09:45:17 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 10:21:02 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 05:10:29 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 10:11:43 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 06:57:08 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 04:03:55 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 06:05:01 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 06:47:49 - Program Manager
Source: server.exe, 00000000.00000002.4103150757.00000000034E1000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4103150757.000000000375B000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 06:43:12 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 07:01:23 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 04:05:19 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 08:55:43 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 01:01:04 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 05:26:33 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 07:50:36 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 08:42:31 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 06:42:32 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 09:58:29 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/13 \| 20:18:03 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 06:15:36 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 03:33:16 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 07:19:50 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 07:05:56 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 02:58:55 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 11:52:51 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 07:02:53 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 09:44:33 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 05:41:10 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 11:28:32 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 06:58:38 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 03:41:11 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 12:36:36 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 03:42:41 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 12:35:06 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 08:39:23 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 00:36:02 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/13 \| 16:36:56 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 01:34:47 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 10:43:19 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 11:59:02 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 02:26:42 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 02:36:01 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 10:22:32 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 03:34:46 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 06:34:37 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 09:59:59 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 12:27:31 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 03:50:16 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 01:32:24 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 11:30:36 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/13 \| 19:38:31 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 09:15:27 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 02:42:12 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 01:08:05 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 11:51:21 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 03:40:57 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/13 \| 18:41:36 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 11:32:59 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 04:50:45 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 03:52:00 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 12:25:47 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/13 \| 17:35:55 - Program Manager
Source: server.exe, 00000000.00000002.4103150757.00000000034E1000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4103150757.000000000375B000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 06:27:42 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/13 \| 20:43:52 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 03:25:41 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 06:02:24 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 13:23:53 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 11:17:43 - Program Manager
Source: server.exe, 00000000.00000002.4103150757.00000000034E1000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4103150757.000000000375B000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 06:52:17 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 08:41:01 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 02:15:53 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 09:41:30 - Program Manager
Source: server.exe, 00000000.00000002.4103150757.00000000034E1000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4103150757.000000000375B000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 06:00:10 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 04:43:04 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 05:41:49 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 06:14:06 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 05:51:08 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 10:30:07 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/13 \| 17:41:07 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 07:37:30 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 11:01:00 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 10:20:48 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/13 \| 16:23:44 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 10:08:35 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 09:13:04 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 12:01:09 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 06:36:21 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 01:59:56 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 06:53:21 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/13 \| 18:00:57 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 06:30:50 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 08:48:02 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 05:11:59 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/13 \| 18:10:16 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 06:06:31 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 09:46:47 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 04:13:14 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 05:06:02 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 08:54:13 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/13 \| 18:12:00 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 05:35:38 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 09:52:58 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 01:10:09 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/13 \| 19:10:45 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/13 \| 19:20:04 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 09:54:42 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 05:00:31 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 07:45:05 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 11:56:38 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 12:05:40 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 10:24:55 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 10:48:34 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 10:34:14 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/13 \| 20:04:37 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 02:16:09 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 07:14:35 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 08:53:09 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 02:40:28 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 03:03:26 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 06:49:33 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 07:28:55 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 08:22:39 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 01:16:54 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 04:32:52 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 03:11:38 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 05:28:19 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 08:44:17 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 10:37:45 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 02:24:58 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 11:23:54 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 04:41:40 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 01:47:37 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 02:33:46 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 09:22:09 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 09:29:30 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 04:56:16 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 05:04:55 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 09:00:14 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 01:25:42 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 06:12:59 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 11:09:48 - Program Manager
Source: server.exe, 00000000.00000002.4103150757.00000000034E1000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4103150757.000000000375B000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/06 \| 06:40:07 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 13:27:01 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 10:51:51 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 12:31:58 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 05:24:49 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 11:40:32 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/13 \| 21:09:44 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 08:50:06 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/13 \| 17:56:03 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 01:42:20 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 09:12:59 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 07:42:02 - Program Manager
Source: server.exe, 00000000.00000002.4103150757.000000000375B000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4103150757.00000000037B9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 06:57:32 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 11:53:07 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/13 \| 21:13:32 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 03:08:41 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 11:04:31 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 02:23:28 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 04:16:45 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 04:52:46 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 13:25:00 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 05:02:54 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 10:09:02 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 06:31:06 - Program Manager
Source: server.exe, 00000000.00000002.4103150757.00000000034E1000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4103150757.000000000375B000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/06 \| 06:41:37 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 00:58:56 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 12:38:20 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 11:17:06 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 01:50:54 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 05:23:02 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 11:25:55 - Program Manager
Source: server.exe, Explower.exe2.0.dr, Explower.exe.0.dr, Explower.exe1.0.dr, Explower.exe4.0.dr, Explower.exe3.0.dr, Explower.exe7.0.dr, Explower.exe6.0.dr, Explower.exe0.0.dr, Explower.exe5.0.dr	Binary or memory string: Shell_traywnd+MostrarBarraDeTarefas
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/13 \| 16:11:25 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 01:58:26 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 01:31:31 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 06:56:52 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 09:20:08 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/13 \| 18:36:55 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 06:10:58 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 05:39:08 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 09:55:13 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 04:48:58 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 01:15:24 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 09:33:07 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 07:47:02 - Program Manager
Source: server.exe, 00000000.00000002.4103150757.00000000034E1000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4103150757.000000000375B000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/08 \| 15:25:30 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 12:01:46 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 08:55:06 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 11:49:19 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 04:59:47 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 10:10:50 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 07:26:04 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/13 \| 17:09:13 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/13 \| 20:46:46 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 02:30:30 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 12:28:02 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 02:29:58 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 03:49:59 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 07:21:54 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/13 \| 16:37:49 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 01:20:42 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 06:23:48 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 11:13:45 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 10:41:33 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 03:02:33 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 06:39:15 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 08:57:07 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 09:41:56 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 07:49:03 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 05:15:44 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 09:53:12 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 11:08:01 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 13:20:39 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 03:44:42 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 06:03:54 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 12:34:50 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 03:57:17 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 09:18:41 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/13 \| 18:19:01 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 12:16:05 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/13 \| 21:11:31 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 07:11:58 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 12:08:47 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 02:49:13 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/13 \| 21:01:35 - Program Manager
Source: server.exe, 00000000.00000002.4103150757.00000000034E1000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4103150757.000000000375B000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 06:50:31 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 10:45:03 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 07:03:09 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 02:14:23 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 01:27:43 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 06:48:03 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 07:51:07 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 03:00:49 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 03:00:32 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 07:56:31 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 11:02:47 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 02:35:47 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 07:25:24 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 07:06:01 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/13 \| 20:03:07 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 06:17:20 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 04:54:30 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 01:25:59 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 10:52:31 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 07:09:17 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 05:32:07 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 04:30:51 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 11:16:50 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 09:49:24 - Program Manager
Source: server.exe, 00000000.00000002.4103150757.00000000034E1000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4103150757.000000000375B000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 06:24:28 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 10:53:52 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 04:24:03 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 03:59:01 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 12:24:54 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 09:42:23 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 13:08:39 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 12:19:45 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 02:57:25 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 05:18:21 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 04:21:26 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 10:25:48 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 06:50:44 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 06:14:43 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 08:56:14 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 01:49:21 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 07:00:52 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 02:56:54 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 04:06:49 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 08:46:01 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 01:48:50 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 01:23:58 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 09:54:05 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 13:23:16 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 10:31:24 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 05:58:46 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 12:03:30 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 12:15:12 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 09:28:17 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 02:17:00 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 13:11:34 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/13 \| 21:11:48 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 11:47:42 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 07:35:09 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 03:13:22 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 11:59:15 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 11:39:21 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 07:48:10 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 10:20:31 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/13 \| 18:02:58 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 01:05:28 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 10:57:00 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 06:07:02 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 10:30:44 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 02:34:54 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 09:23:00 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 09:09:03 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 01:26:50 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 11:14:29 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 09:53:29 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 02:02:26 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 09:07:15 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 13:30:57 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 03:23:40 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 07:02:16 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 08:45:25 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 02:58:18 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 02:37:31 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 01:04:35 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 09:08:23 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 13:07:46 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 10:28:40 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 06:41:02 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 11:36:44 - Program Manager
Source: server.exe, 00000000.00000002.4104572487.0000000004431000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000000.00000002.4104572487.0000000004E31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/16 \| 04:31:44 - Program Manager

Source: C:\Windows\SysWOW64\netsh.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\server.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Contains functionality to disable the Task Manager (.Net Source)

Source: server.exe, Fransesco.cs	.Net Code: INS
Source: Explower.exe.0.dr, Fransesco.cs	.Net Code: INS
Source: Explower.exe0.0.dr, Fransesco.cs	.Net Code: INS
Source: Explower.exe1.0.dr, Fransesco.cs	.Net Code: INS
Source: Explower.exe2.0.dr, Fransesco.cs	.Net Code: INS
Source: Explower.exe3.0.dr, Fransesco.cs	.Net Code: INS
Source: Explower.exe4.0.dr, Fransesco.cs	.Net Code: INS
Source: Explower.exe5.0.dr, Fransesco.cs	.Net Code: INS
Source: Explower.exe6.0.dr, Fransesco.cs	.Net Code: INS
Source: Explower.exe7.0.dr, Fransesco.cs	.Net Code: INS

Disables zone checking for all users

Source: C:\Users\user\Desktop\server.exe

Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS

Jump to behavior

Modifies the windows firewall

Source: C:\Users\user\Desktop\server.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\server.exe" "server.exe" ENABLE

Uses netsh to modify the Windows network and firewall settings

Source: C:\Users\user\Desktop\server.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\server.exe" "server.exe" ENABLE

Stealing of Sensitive Information

Yara detected Njrat

Source: Yara match	File source: server.exe, type: SAMPLE
Source: Yara match	File source: 0.0.server.exe.dc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1656549731.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: server.exe PID: 7596, type: MEMORYSTR
Source: Yara match	File source: C:\Program Files (x86)\Explower.exe, type: DROPPED

Remote Access Functionality

Yara detected Njrat

Source: Yara match	File source: server.exe, type: SAMPLE
Source: Yara match	File source: 0.0.server.exe.dc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1656549731.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: server.exe PID: 7596, type: MEMORYSTR
Source: Yara match	File source: C:\Program Files (x86)\Explower.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	11 Replication Through Removable Media	Windows Management Instrumentation	12 Registry Run Keys / Startup Folder	1 Access Token Manipulation	32 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	2 Process Injection	2 Virtualization/Sandbox Evasion	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Clipboard Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	12 Registry Run Keys / Startup Folder	41 Disable or Modify Tools	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Access Token Manipulation	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Process Injection	LSA Secrets	1 Peripheral Device Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
server.exe	72%	Virustotal		Browse
server.exe	84%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
server.exe	100%	Avira	TR/Dropper.Gen
server.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files (x86)\Explower.exe	100%	Avira	TR/Dropper.Gen
C:\Program Files (x86)\Explower.exe	100%	Avira	TR/Dropper.Gen
C:\Program Files (x86)\Explower.exe	100%	Avira	TR/Dropper.Gen
C:\Program Files (x86)\Explower.exe	100%	Avira	TR/Dropper.Gen
C:\Program Files (x86)\Explower.exe	100%	Avira	TR/Dropper.Gen
C:\Program Files (x86)\Explower.exe	100%	Avira	TR/Dropper.Gen
C:\Program Files (x86)\Explower.exe	100%	Avira	TR/Dropper.Gen
C:\Program Files (x86)\Explower.exe	100%	Avira	TR/Dropper.Gen
C:\Program Files (x86)\Explower.exe	100%	Avira	TR/Dropper.Gen
C:\Program Files (x86)\Explower.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Explower.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Explower.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Explower.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Explower.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Explower.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Explower.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Explower.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Explower.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Explower.exe	84%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
C:\Program Files (x86)\Explower.exe	72%	Virustotal		Browse
C:\Users\user\AppData\Local\Explower.exe	84%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\AppData\Local\Explower.exe	72%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\History\Explower.exe	84%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\AppData\Local\Microsoft\Windows\History\Explower.exe	72%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Explower.exe	84%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Explower.exe	84%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	84%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\Documents\Explower.exe	84%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\Favorites\Explower.exe	84%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
C:\Windows\SysWOW64\Explower.exe	84%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
77.90.22.45	unknown	Germany		12586	ASGHOSTNETDE	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1584742
Start date and time:	2025-01-06 12:39:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	server.exe
Detection:	MAL
Classification:	mal100.spre.phis.troj.adwa.evad.winEXE@4/20@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 106 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197, 20.109.210.53, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:40:28	API Interceptor	562644x Sleep call for process: server.exe modified
11:39:59	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASGHOSTNETDE	Fantazy.i486.elf	Get hash	malicious	Unknown	Browse	77.90.25.227
	armv5l.elf	Get hash	malicious	Unknown	Browse	5.231.4.240
	mipsel.elf	Get hash	malicious	Unknown	Browse	5.231.4.240
	powerpc.elf	Get hash	malicious	Unknown	Browse	5.231.4.240
	mips.elf	Get hash	malicious	Unknown	Browse	5.231.4.240
	sparc.elf	Get hash	malicious	Unknown	Browse	5.230.251.14
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	5.230.157.188
	armv4l.elf	Get hash	malicious	Unknown	Browse	5.231.4.240
	armv7l.elf	Get hash	malicious	Unknown	Browse	5.230.33.236
	i686.elf	Get hash	malicious	Unknown	Browse	5.230.33.236

Process:	C:\Users\user\Desktop\server.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.559943444120193
Encrypted:	false
SSDEEP:	768:LY3oxnD9O/pBcxYsbae6GIXb9pDX2t9zPL0OXLeuXxrjEtCdnl2pi1Rz4Rk3usG1:hxxOx6baIa9ROj00ljEwzGi1dDKDJgS
MD5:	E4B99200FB42EE229FBB41F2CF56D8F8
SHA1:	EDF6652F563FDC69788FB9C4E8B9499C412095FD
SHA-256:	ADAE7B74DB9B2C08ABCC5F6B0165896726A36EB412E780710E242A97B12554F9
SHA-512:	0A7F68FA37F55242E3D5E8B385A0EEFDF971C5F196E20B34F931D339220E31A224769827129AAB0444CDAD4F7BE78014DC9347749E90A6EC563074ABE130DCB5
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Program Files (x86)\Explower.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Program Files (x86)\Explower.exe, Author: unknown Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Program Files (x86)\Explower.exe, Author: Florian Roth Rule: crimeware_njrat_strings, Description: Detects njRAT based on some strings, Source: C:\Program Files (x86)\Explower.exe, Author: Sekoia.io Rule: Njrat, Description: detect njRAT in memory, Source: C:\Program Files (x86)\Explower.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 84% Antivirus: Virustotal, Detection: 72%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&.{g.................p............... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Program Files (x86)\Explower.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\server.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Explower.exe

Download File

Process:	C:\Users\user\Desktop\server.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.559943444120193
Encrypted:	false
SSDEEP:	768:LY3oxnD9O/pBcxYsbae6GIXb9pDX2t9zPL0OXLeuXxrjEtCdnl2pi1Rz4Rk3usG1:hxxOx6baIa9ROj00ljEwzGi1dDKDJgS
MD5:	E4B99200FB42EE229FBB41F2CF56D8F8
SHA1:	EDF6652F563FDC69788FB9C4E8B9499C412095FD
SHA-256:	ADAE7B74DB9B2C08ABCC5F6B0165896726A36EB412E780710E242A97B12554F9
SHA-512:	0A7F68FA37F55242E3D5E8B385A0EEFDF971C5F196E20B34F931D339220E31A224769827129AAB0444CDAD4F7BE78014DC9347749E90A6EC563074ABE130DCB5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 84% Antivirus: Virustotal, Detection: 72%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&.{g.................p............... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Users\user\AppData\Local\Explower.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\server.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\Windows\History\Explower.exe

Download File

Process:	C:\Users\user\Desktop\server.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.559943444120193
Encrypted:	false
SSDEEP:	768:LY3oxnD9O/pBcxYsbae6GIXb9pDX2t9zPL0OXLeuXxrjEtCdnl2pi1Rz4Rk3usG1:hxxOx6baIa9ROj00ljEwzGi1dDKDJgS
MD5:	E4B99200FB42EE229FBB41F2CF56D8F8
SHA1:	EDF6652F563FDC69788FB9C4E8B9499C412095FD
SHA-256:	ADAE7B74DB9B2C08ABCC5F6B0165896726A36EB412E780710E242A97B12554F9
SHA-512:	0A7F68FA37F55242E3D5E8B385A0EEFDF971C5F196E20B34F931D339220E31A224769827129AAB0444CDAD4F7BE78014DC9347749E90A6EC563074ABE130DCB5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 84% Antivirus: Virustotal, Detection: 72%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&.{g.................p............... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Users\user\AppData\Local\Microsoft\Windows\History\Explower.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\server.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Explower.exe

Download File

Process:	C:\Users\user\Desktop\server.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.559943444120193
Encrypted:	false
SSDEEP:	768:LY3oxnD9O/pBcxYsbae6GIXb9pDX2t9zPL0OXLeuXxrjEtCdnl2pi1Rz4Rk3usG1:hxxOx6baIa9ROj00ljEwzGi1dDKDJgS
MD5:	E4B99200FB42EE229FBB41F2CF56D8F8
SHA1:	EDF6652F563FDC69788FB9C4E8B9499C412095FD
SHA-256:	ADAE7B74DB9B2C08ABCC5F6B0165896726A36EB412E780710E242A97B12554F9
SHA-512:	0A7F68FA37F55242E3D5E8B385A0EEFDF971C5F196E20B34F931D339220E31A224769827129AAB0444CDAD4F7BE78014DC9347749E90A6EC563074ABE130DCB5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 84%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&.{g.................p............... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Explower.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\server.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Explower.exe

Download File

Process:	C:\Users\user\Desktop\server.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.559943444120193
Encrypted:	false
SSDEEP:	768:LY3oxnD9O/pBcxYsbae6GIXb9pDX2t9zPL0OXLeuXxrjEtCdnl2pi1Rz4Rk3usG1:hxxOx6baIa9ROj00ljEwzGi1dDKDJgS
MD5:	E4B99200FB42EE229FBB41F2CF56D8F8
SHA1:	EDF6652F563FDC69788FB9C4E8B9499C412095FD
SHA-256:	ADAE7B74DB9B2C08ABCC5F6B0165896726A36EB412E780710E242A97B12554F9
SHA-512:	0A7F68FA37F55242E3D5E8B385A0EEFDF971C5F196E20B34F931D339220E31A224769827129AAB0444CDAD4F7BE78014DC9347749E90A6EC563074ABE130DCB5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 84%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&.{g.................p............... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Explower.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\server.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe

Download File

Process:	C:\Users\user\Desktop\server.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.559943444120193
Encrypted:	false
SSDEEP:	768:LY3oxnD9O/pBcxYsbae6GIXb9pDX2t9zPL0OXLeuXxrjEtCdnl2pi1Rz4Rk3usG1:hxxOx6baIa9ROj00ljEwzGi1dDKDJgS
MD5:	E4B99200FB42EE229FBB41F2CF56D8F8
SHA1:	EDF6652F563FDC69788FB9C4E8B9499C412095FD
SHA-256:	ADAE7B74DB9B2C08ABCC5F6B0165896726A36EB412E780710E242A97B12554F9
SHA-512:	0A7F68FA37F55242E3D5E8B385A0EEFDF971C5F196E20B34F931D339220E31A224769827129AAB0444CDAD4F7BE78014DC9347749E90A6EC563074ABE130DCB5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 84%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&.{g.................p............... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\server.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\app

Download File

Process:	C:\Users\user\Desktop\server.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:W:W
MD5:	3EB8A6AFA534FADC147AA70DEA76E863
SHA1:	03B827D99098F69C9F126679598F7166C99D1624
SHA-256:	D3D1D98DF443947AB0B52378ACBB5F5C21593677B45F0403B3831C93D8BE7FCA
SHA-512:	B9D20E1F18DD2DC9A71E436E5C27854196F1F8F0ADFBF59AED9D70AB83B88C2C39958720508E87D98F8CB23DCB7BBAA81825406439EDCC07B6D2EE310ACD4327
Malicious:	false
Preview:	.6

C:\Users\user\Documents\Explower.exe

Download File

Process:	C:\Users\user\Desktop\server.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.559943444120193
Encrypted:	false
SSDEEP:	768:LY3oxnD9O/pBcxYsbae6GIXb9pDX2t9zPL0OXLeuXxrjEtCdnl2pi1Rz4Rk3usG1:hxxOx6baIa9ROj00ljEwzGi1dDKDJgS
MD5:	E4B99200FB42EE229FBB41F2CF56D8F8
SHA1:	EDF6652F563FDC69788FB9C4E8B9499C412095FD
SHA-256:	ADAE7B74DB9B2C08ABCC5F6B0165896726A36EB412E780710E242A97B12554F9
SHA-512:	0A7F68FA37F55242E3D5E8B385A0EEFDF971C5F196E20B34F931D339220E31A224769827129AAB0444CDAD4F7BE78014DC9347749E90A6EC563074ABE130DCB5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 84%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&.{g.................p............... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Users\user\Documents\Explower.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\server.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Favorites\Explower.exe

Download File

Process:	C:\Users\user\Desktop\server.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.559943444120193
Encrypted:	false
SSDEEP:	768:LY3oxnD9O/pBcxYsbae6GIXb9pDX2t9zPL0OXLeuXxrjEtCdnl2pi1Rz4Rk3usG1:hxxOx6baIa9ROj00ljEwzGi1dDKDJgS
MD5:	E4B99200FB42EE229FBB41F2CF56D8F8
SHA1:	EDF6652F563FDC69788FB9C4E8B9499C412095FD
SHA-256:	ADAE7B74DB9B2C08ABCC5F6B0165896726A36EB412E780710E242A97B12554F9
SHA-512:	0A7F68FA37F55242E3D5E8B385A0EEFDF971C5F196E20B34F931D339220E31A224769827129AAB0444CDAD4F7BE78014DC9347749E90A6EC563074ABE130DCB5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 84%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&.{g.................p............... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Users\user\Favorites\Explower.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\server.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\SysWOW64\Explower.exe

Download File

Process:	C:\Users\user\Desktop\server.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.559943444120193
Encrypted:	false
SSDEEP:	768:LY3oxnD9O/pBcxYsbae6GIXb9pDX2t9zPL0OXLeuXxrjEtCdnl2pi1Rz4Rk3usG1:hxxOx6baIa9ROj00ljEwzGi1dDKDJgS
MD5:	E4B99200FB42EE229FBB41F2CF56D8F8
SHA1:	EDF6652F563FDC69788FB9C4E8B9499C412095FD
SHA-256:	ADAE7B74DB9B2C08ABCC5F6B0165896726A36EB412E780710E242A97B12554F9
SHA-512:	0A7F68FA37F55242E3D5E8B385A0EEFDF971C5F196E20B34F931D339220E31A224769827129AAB0444CDAD4F7BE78014DC9347749E90A6EC563074ABE130DCB5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 84%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&.{g.................p............... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Windows\SysWOW64\Explower.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\server.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

\Device\ConDrv

Download File

Process:	C:\Windows\SysWOW64\netsh.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	313
Entropy (8bit):	4.971939296804078
Encrypted:	false
SSDEEP:	6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
MD5:	689E2126A85BF55121488295EE068FA1
SHA1:	09BAAA253A49D80C18326DFBCA106551EBF22DD6
SHA-256:	D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
SHA-512:	C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
Malicious:	false
Preview:	..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.559943444120193
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	server.exe
File size:	95'232 bytes
MD5:	e4b99200fb42ee229fbb41f2cf56d8f8
SHA1:	edf6652f563fdc69788fb9c4e8b9499c412095fd
SHA256:	adae7b74db9b2c08abcc5f6b0165896726a36eb412e780710e242a97b12554f9
SHA512:	0a7f68fa37f55242e3d5e8b385a0eefdf971c5f196e20b34f931d339220e31a224769827129aab0444cdad4f7be78014dc9347749e90a6ec563074abe130dcb5
SSDEEP:	768:LY3oxnD9O/pBcxYsbae6GIXb9pDX2t9zPL0OXLeuXxrjEtCdnl2pi1Rz4Rk3usG1:hxxOx6baIa9ROj00ljEwzGi1dDKDJgS
TLSH:	4B93E84977E52524E5BF56F79871F2004E34B48B1602E39D48F219AA1B33AC44F89FEB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&.{g.................p............... ........@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x418efe
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x677BA226 [Mon Jan 6 09:28:06 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x18ea8	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x16f04	0x17000	390eba142aa2c2822d78e03b14cad0fb	False	0.36808975883152173	data	5.591783274337322	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0x1a000	0xc	0x200	02466978873e232bef309f048b95192f	False	0.041015625	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-06T12:39:59.703675+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.4	49730	77.90.22.45	5552	TCP
2025-01-06T12:39:59.703675+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.4	49730	77.90.22.45	5552	TCP
2025-01-06T12:40:05.918199+0100	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.4	49730	77.90.22.45	5552	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 6, 2025 12:39:59.542787075 CET	49730	5552	192.168.2.4	77.90.22.45
Jan 6, 2025 12:39:59.547713995 CET	5552	49730	77.90.22.45	192.168.2.4
Jan 6, 2025 12:39:59.547804117 CET	49730	5552	192.168.2.4	77.90.22.45
Jan 6, 2025 12:39:59.703675032 CET	49730	5552	192.168.2.4	77.90.22.45
Jan 6, 2025 12:39:59.708580971 CET	5552	49730	77.90.22.45	192.168.2.4
Jan 6, 2025 12:39:59.708652973 CET	49730	5552	192.168.2.4	77.90.22.45
Jan 6, 2025 12:39:59.713480949 CET	5552	49730	77.90.22.45	192.168.2.4
Jan 6, 2025 12:40:05.918199062 CET	49730	5552	192.168.2.4	77.90.22.45
Jan 6, 2025 12:40:05.923172951 CET	5552	49730	77.90.22.45	192.168.2.4

Target ID:	0
Start time:	06:39:53
Start date:	06/01/2025
Path:	C:\Users\user\Desktop\server.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\server.exe"
Imagebase:	0xdc0000
File size:	95'232 bytes
MD5 hash:	E4B99200FB42EE229FBB41F2CF56D8F8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000000.1656549731.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000000.1656549731.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000000.1656549731.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	06:39:55
Start date:	06/01/2025
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh firewall add allowedprogram "C:\Users\user\Desktop\server.exe" "server.exe" ENABLE
Imagebase:	0x1560000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:39:56
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	21.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.4%
Total number of Nodes:	88
Total number of Limit Nodes:	4

Executed Functions

Function 05594298 Relevance: 5.7, Strings: 3, Instructions: 1950
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Ok, xrefs: 05596AF9
2k, xrefs: 0559541D
@, xrefs: 05594C24

Memory Dump Source

Source File: 00000000.00000002.4109979889.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_server.jbxd

Similarity

API ID:
String ID: @$\Ok$2k
API String ID: 0-1545420168
Opcode ID: 15ca9cbfeaeec576adf14c44b999c2aa963f4f75d73bcd1052efcc92cb50ffa3
Instruction ID: fc028a53c15d26c0d33dd2ae132a08d60d44ad730a7cbde3a542670faf92a3f6
Opcode Fuzzy Hash: 15ca9cbfeaeec576adf14c44b999c2aa963f4f75d73bcd1052efcc92cb50ffa3
Instruction Fuzzy Hash: E0233974A01228CFEB25DF34D995BA9B7B2FB48305F1041E9E909A7394DB399E85CF40

Function 05594269 Relevance: 5.5, Strings: 3, Instructions: 1761
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Ok, xrefs: 05596AF9
2k, xrefs: 0559541D
, xrefs: 05594BC4

Memory Dump Source

Source File: 00000000.00000002.4109979889.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_server.jbxd

Similarity

API ID:
String ID: $\Ok$2k
API String ID: 0-804809350
Opcode ID: b737b5ae66a0ee6ffdbd4180c1e096e9e26a577ba2450ef70979bbdebeed15a2
Instruction ID: 2352b285f819d2418f84be7dbdad1f53020e295c0cc117fde26626d8e6c7e045
Opcode Fuzzy Hash: b737b5ae66a0ee6ffdbd4180c1e096e9e26a577ba2450ef70979bbdebeed15a2
Instruction Fuzzy Hash: E8135A74A01228CFEB25DF34D995BA9B7B2FB48305F1041EAE909A7394DB395E85CF40

Function 056C24D3 Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 056C2553

Memory Dump Source

Source File: 00000000.00000002.4110079619.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56c0000_server.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: b363a2603b7a6a1d18ac6ec728e08f78036f168626359e692e2f1875be72c226
Instruction ID: bc46ae3cfbf7c18296661adb2e914cdaa817f1ab12562eb202e89e822eefd925
Opcode Fuzzy Hash: b363a2603b7a6a1d18ac6ec728e08f78036f168626359e692e2f1875be72c226
Instruction Fuzzy Hash: C321D1765097809FEB228F25DC54B62BFF4EF06310F0885DAED858F663D2709908CB61

Function 056C250A Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 056C2553

Memory Dump Source

Source File: 00000000.00000002.4110079619.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56c0000_server.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 2619d9526b1d57faed296a855ed1337078a5a3f7708dc9530cf62125ebab1c00
Instruction ID: 009c5662341b1436fe82783b3770931cd879448dc50015ac1376f7a82b64bcbf
Opcode Fuzzy Hash: 2619d9526b1d57faed296a855ed1337078a5a3f7708dc9530cf62125ebab1c00
Instruction Fuzzy Hash: 471191766006009FDB20CF15D954B66FBE5EF08210F0884AEDD868B655D375E414CB61

Function 05593802 Relevance: 3.0, Strings: 2, Instructions: 497
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2k, xrefs: 05593C2E
\Ok, xrefs: 05593885

Memory Dump Source

Source File: 00000000.00000002.4109979889.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_server.jbxd

Similarity

API ID:
String ID: \Ok$2k
API String ID: 0-3697909212
Opcode ID: 849d34d7834dde139f41a41bc7cf950d901f474f24c2bb8ef2edcd1fbc3dc789
Instruction ID: 0ba15f77ce96a0e518edb8c5f9de1d590d6c0b659ea54e05bd843e5cc5b8876d
Opcode Fuzzy Hash: 849d34d7834dde139f41a41bc7cf950d901f474f24c2bb8ef2edcd1fbc3dc789
Instruction Fuzzy Hash: 1F322430A00228CFDB28DF74D955BACB7B2FB49309F1045A9D50AAB394DB799E85CF50

Function 055900B8 Relevance: 2.6, Strings: 2, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2k, xrefs: 055901A8
2k, xrefs: 05590154

Memory Dump Source

Source File: 00000000.00000002.4109979889.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_server.jbxd

Similarity

API ID:
String ID: 2k$2k
API String ID: 0-107389494
Opcode ID: 8fd201b2f3be322b4719a031ca0b201af1a42d05d108cc96c52cba33b751cdac
Instruction ID: 43740fc10cc6d82eaf4ea06ceb22db6bf24b04d57926c2d7c08613ea769f6e27
Opcode Fuzzy Hash: 8fd201b2f3be322b4719a031ca0b201af1a42d05d108cc96c52cba33b751cdac
Instruction Fuzzy Hash: D731F4306053409FD714AB759C16A6E3BA7ABC2658B1485AEE001CF391CF7E8C49C792

Function 05590118 Relevance: 2.6, Strings: 2, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2k, xrefs: 055901A8
2k, xrefs: 05590154

Memory Dump Source

Source File: 00000000.00000002.4109979889.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_server.jbxd

Similarity

API ID:
String ID: 2k$2k
API String ID: 0-107389494
Opcode ID: 5c9139e86838973896c452a4f6630f91e93b57825c958e5aaf7ec0f11e38c1b3
Instruction ID: d1c86036c21cb60f25fa8dcef10bd1b7dfbf4a742ff02ef58e73928d687b72a0
Opcode Fuzzy Hash: 5c9139e86838973896c452a4f6630f91e93b57825c958e5aaf7ec0f11e38c1b3
Instruction Fuzzy Hash: 931106346042008FC324A779E816A7936D7ABC2258314857EE002CF345CFBD8C49C7A2

Function 056C1FAA Relevance: 1.6, APIs: 1, Instructions: 129
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 056C20A5

Memory Dump Source

Source File: 00000000.00000002.4110079619.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56c0000_server.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 820394cca74e5eb62e44e15344222a96c3f42783c730e252bc30459a5e383e91
Instruction ID: d023ccee2017be3c351edd2e359c7ce963436bc570fb37754a52c32eca4c2917
Opcode Fuzzy Hash: 820394cca74e5eb62e44e15344222a96c3f42783c730e252bc30459a5e383e91
Instruction Fuzzy Hash: 2C4180751093806FE7238B258C50FA6BFB8EF06214F0985DBE9C5CB663D224E849CB71

Function 056C0597 Relevance: 1.6, APIs: 1, Instructions: 98
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 056C065E

Memory Dump Source

Source File: 00000000.00000002.4110079619.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56c0000_server.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 35d15ad890168c72588eeddc6f1de14eabc68b22d997aa7bc1a87b963269e1f4
Instruction ID: 1197876d0c25cbe9273613c40ee509cd21cf9e1857d0e28834b2af04e8176417
Opcode Fuzzy Hash: 35d15ad890168c72588eeddc6f1de14eabc68b22d997aa7bc1a87b963269e1f4
Instruction Fuzzy Hash: B0316D7510E7C0AFD3138B258C65A61BFB4EF47610B0E45CBD8C48F6A3D6296909D7B2

Function 016DB1E6 Relevance: 1.6, APIs: 1, Instructions: 97
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 016DB291

Memory Dump Source

Source File: 00000000.00000002.4102729661.00000000016DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16da000_server.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: acfcd9977a63cb240632448be3a9193392797acdd61e26b168a68d819e5ee107
Instruction ID: 9aefa647e3e701711db2951cf9d5916addb56ccf6ea391825c9fdd9cbefca3d4
Opcode Fuzzy Hash: acfcd9977a63cb240632448be3a9193392797acdd61e26b168a68d819e5ee107
Instruction Fuzzy Hash: 3831A4725083806FE7228B65DC45FAABFBCEF06210F08859BE984CB653D324E909C771

Function 016DAA75 Relevance: 1.6, APIs: 1, Instructions: 92
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 016DAB25

Memory Dump Source

Source File: 00000000.00000002.4102729661.00000000016DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16da000_server.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2f44e294d2213e3741679fd6a9ae1a0bf094f1889c10e02ad579591fe6988bb0
Instruction ID: c015396fbd4b07d2005d89fe1d373c7c3dd1ab5603c49125586b72f0f508e0e8
Opcode Fuzzy Hash: 2f44e294d2213e3741679fd6a9ae1a0bf094f1889c10e02ad579591fe6988bb0
Instruction Fuzzy Hash: D531A071508340AFE722CF65DD84F56BFF8EF05210F08899AE9858B652D375E909CB61

Function 056C122C Relevance: 1.6, APIs: 1, Instructions: 89
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessTimes.KERNELBASE(?,00000E24,70E21FBB,00000000,00000000,00000000,00000000), ref: 056C12C9

Memory Dump Source

Source File: 00000000.00000002.4110079619.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56c0000_server.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: d75b23c5b546f1a4849f2ee3942eb0e2aa8154dace15be88e286cfec83c5416c
Instruction ID: 6d44a74a791e9c3485730fb635b8613b6f5fcf8112fa9eb97da279c49b32bcdc
Opcode Fuzzy Hash: d75b23c5b546f1a4849f2ee3942eb0e2aa8154dace15be88e286cfec83c5416c
Instruction Fuzzy Hash: B031F4725087806FE7228F54DD45FA6BFB8EF06214F0889DAE9858F193D234A909CB71

Function 056C0B28 Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 056C0BBF

Memory Dump Source

Source File: 00000000.00000002.4110079619.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56c0000_server.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 57e7737232dd573a616c04d11690d1cfc443478ef43b5055fcff7891f8442fb3
Instruction ID: cb4223038b482c9ca4ce3bab1fa1cb6acb3c872481a0810b43c087a375ae8a18
Opcode Fuzzy Hash: 57e7737232dd573a616c04d11690d1cfc443478ef43b5055fcff7891f8442fb3
Instruction Fuzzy Hash: 03318071604344AFE7218B64DC45FAABFF8EF05220F0884AAE945DB652D334E948CB61

Function 016DB2D9 Relevance: 1.6, APIs: 1, Instructions: 89
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,70E21FBB,00000000,00000000,00000000,00000000), ref: 016DB394

Memory Dump Source

Source File: 00000000.00000002.4102729661.00000000016DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16da000_server.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: ce54b4162e5006236301f77735af019ce652c31da1dde2e88c687584d6e898d1
Instruction ID: d9acff597d402a52f61deb576ed8f9bb2352a5d2a2c0fc36f9e578aae3f54121
Opcode Fuzzy Hash: ce54b4162e5006236301f77735af019ce652c31da1dde2e88c687584d6e898d1
Instruction Fuzzy Hash: 3C31E4715083806FE722CB65CC44FA2BFFCEF06210F09889AE985CB253D360E908CB61

Function 016DB036 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 016DB0DD

Memory Dump Source

Source File: 00000000.00000002.4102729661.00000000016DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16da000_server.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 1e9423355f7e321aea8f91a472df7bfa3ea0573343dcce92a15100f81b7e09d3
Instruction ID: 0153ef4c811ecde7fba51031d353f2aaf9615d7b1191bc378e734ce990a15bb4
Opcode Fuzzy Hash: 1e9423355f7e321aea8f91a472df7bfa3ea0573343dcce92a15100f81b7e09d3
Instruction Fuzzy Hash: 933193715097806FE722CB25DD85B96BFF8EF06210F09849AE984CF293D375A909C772

Function 056C200A Relevance: 1.6, APIs: 1, Instructions: 86
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 056C20A5

Memory Dump Source

Source File: 00000000.00000002.4110079619.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56c0000_server.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 1c0f33a311c1210e7bdcfc8921eed76946768250f26554ca6d4fea7ce0415e0f
Instruction ID: ef9aff33a0b8c7ca5ddeb913edf2d60aee4da7e010f98cb9acccf72836a51047
Opcode Fuzzy Hash: 1c0f33a311c1210e7bdcfc8921eed76946768250f26554ca6d4fea7ce0415e0f
Instruction Fuzzy Hash: 59219E76600704AFEB31DE15DC44FABFBECEF08614F04896AED86C6A51D730E948CA61

Function 016DA6CE Relevance: 1.6, APIs: 1, Instructions: 85
comclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleGetClipboard.OLE32(?,00000E24,?,?), ref: 016DA77E

Memory Dump Source

Source File: 00000000.00000002.4102729661.00000000016DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16da000_server.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 46e9a5fe71623aa6cef1dd16599d7f2c7e95480744be235d2430d4a39921ef73
Instruction ID: e52ead1efc3f1620adb0cf37705ffc4985c1856111ac40ab0443144329ae0d94
Opcode Fuzzy Hash: 46e9a5fe71623aa6cef1dd16599d7f2c7e95480744be235d2430d4a39921ef73
Instruction Fuzzy Hash: E1317E7514D3C06FD3138B259C61B62BFB4EF47610F0A41DBE884CB6A3D2296919D7B2

Function 016DB4C8 Relevance: 1.6, APIs: 1, Instructions: 82windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(?,00000E24), ref: 016DB571

Memory Dump Source

Source File: 00000000.00000002.4102729661.00000000016DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16da000_server.jbxd

Similarity

API ID: MessageSendTimeout
String ID:
API String ID: 1599653421-0
Opcode ID: 8a5c238db479f03e372dfa7c234a8e2491db039b8a6d67359ded27ec4aa6e5e1
Instruction ID: 224e367b03d5ed39b6071c252b4a6ed4a16e54a84145180e6e6fc66e0fad8399
Opcode Fuzzy Hash: 8a5c238db479f03e372dfa7c234a8e2491db039b8a6d67359ded27ec4aa6e5e1
Instruction Fuzzy Hash: E321E471504740AFEB228F55DC44FA6FFB8EF46310F08899AE9848F662D375A508CB61

Function 056C227D Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

select.WS2_32(?,?,?,?,?), ref: 056C230C

Memory Dump Source

Source File: 00000000.00000002.4110079619.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56c0000_server.jbxd

Similarity

API ID: select
String ID:
API String ID: 1274211008-0
Opcode ID: fbf6fd7d890a06b8e91bb12db4e86c7e499c2863e47569d93157f01ec3812374
Instruction ID: a20f394223d2964875f0135c837379521a4339a0ff45eaa4dd27732ca117884b
Opcode Fuzzy Hash: fbf6fd7d890a06b8e91bb12db4e86c7e499c2863e47569d93157f01ec3812374
Instruction Fuzzy Hash: CB219E755087849FD722CF24DC54A62BFF8EF0A210F0888DAED85CB662D234E909DB61

Function 056C2655 Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E24,70E21FBB,00000000,00000000,00000000,00000000), ref: 056C26DC

Memory Dump Source

Source File: 00000000.00000002.4110079619.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56c0000_server.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 6184f754c99baacbe048157b4827d89dd11990223057f41df531213ba24f6fc1
Instruction ID: 166ce8c39bd50869274ad8e5c8416bc49f0b20bc6912d176158bde0e822cad41
Opcode Fuzzy Hash: 6184f754c99baacbe048157b4827d89dd11990223057f41df531213ba24f6fc1
Instruction Fuzzy Hash: A02192755093806FE7128B14DC55FA6BFA8EF46214F0884EAE984DF692D264A908C771

Function 016DAE77 Relevance: 1.6, APIs: 1, Instructions: 78fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E24,70E21FBB,00000000,00000000,00000000,00000000), ref: 016DAF0D

Memory Dump Source

Source File: 00000000.00000002.4102729661.00000000016DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16da000_server.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: e6314759fcaed367022ecd1161b1a1165c96c532252254261fb2671ee4d0e678
Instruction ID: dd8a901d3aaae0a7494550bb8cae994e1eb4ec573fc82059d6f99c895830dc1c
Opcode Fuzzy Hash: e6314759fcaed367022ecd1161b1a1165c96c532252254261fb2671ee4d0e678
Instruction Fuzzy Hash: 2421B4B2509380AFE722CB55DD44F56BFB8EF05314F0885DAE9849F153D274A508CB61

Function 056C0CDE Relevance: 1.6, APIs: 1, Instructions: 77fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 056C0D72

Memory Dump Source

Source File: 00000000.00000002.4110079619.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56c0000_server.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 42369fc82fd1cc5df75eb9d9dbe1e47f918346618c8fc3cf285c1881f1003ece
Instruction ID: 0a606cecff023b80a632da201e34e891f5374a7bd9da386ee7394a910951c4d3
Opcode Fuzzy Hash: 42369fc82fd1cc5df75eb9d9dbe1e47f918346618c8fc3cf285c1881f1003ece
Instruction Fuzzy Hash: 0521B171404340AFE722CB19DD48FA6FFF8EF09224F04899EE9858B652D375B508CB61

Function 056C068A Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 056C0716

Memory Dump Source

Source File: 00000000.00000002.4110079619.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56c0000_server.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: f925b190b55acdf5d73f2d80779102ffaff3ee9773491af5b99258eadcd275cf
Instruction ID: 035b1fb250bb5db98dfc8ec051d89516569a82dc69be6ffb659df6cb9afa6581
Opcode Fuzzy Hash: f925b190b55acdf5d73f2d80779102ffaff3ee9773491af5b99258eadcd275cf
Instruction Fuzzy Hash: 3421D071504380AFE721CF55DD48FA6FFB8EF09220F08899EE9858B652C375A508CB61

Function 016DB3EA Relevance: 1.6, APIs: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,70E21FBB,00000000,00000000,00000000,00000000), ref: 016DB480

Memory Dump Source

Source File: 00000000.00000002.4102729661.00000000016DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16da000_server.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 77a62ec8f869bb09f0f81033b1ce804dbbcea4f8a2f19989e8a7d4388c63814f
Instruction ID: 9407ed148a3df064d56c3882876ed5e564aff3f3dd8f1ade54fc38befd8ae228
Opcode Fuzzy Hash: 77a62ec8f869bb09f0f81033b1ce804dbbcea4f8a2f19989e8a7d4388c63814f
Instruction Fuzzy Hash: 5E21B0725057806FE722CF15DC44FA7BFBCEF46220F08859AE9858B256D364E908CBB1

Function 056C0B4E Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 056C0BBF

Memory Dump Source

Source File: 00000000.00000002.4110079619.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56c0000_server.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 09ca41bc7c604d9d69d6bd680189eead38ed7d426ec12f2b6270218527c4ce14
Instruction ID: b17fd131e34974e73d5bb103c41c7459d6b544a4fceb6d40fb74f6ac0968dc56
Opcode Fuzzy Hash: 09ca41bc7c604d9d69d6bd680189eead38ed7d426ec12f2b6270218527c4ce14
Instruction Fuzzy Hash: EB218371600204AFEB20DA29DD45F6ABBECEF04224F04886AE945DB651D775E548CA61

Function 056C0A36 Relevance: 1.6, APIs: 1, Instructions: 76registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,70E21FBB,00000000,00000000,00000000,00000000), ref: 056C0AD4

Memory Dump Source

Source File: 00000000.00000002.4110079619.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56c0000_server.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: baefc5b835694841739e69d60e1d6575cf434d65891749d0d58820722150defd
Instruction ID: d0fc6dfd01d8220402fb82b4cd870d2f8c24284c959662e65cf607410e6c3b5b
Opcode Fuzzy Hash: baefc5b835694841739e69d60e1d6575cf434d65891749d0d58820722150defd
Instruction Fuzzy Hash: F621D372508780AFE722CB55DD48F67BFF8EF05310F08859AE9458B692D324E908CB61

Function 016DAAA6 Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 016DAB25

Memory Dump Source

Source File: 00000000.00000002.4102729661.00000000016DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16da000_server.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 056391776d00c9679042914c9a17bc11df9c16fce4e0cfa7fecf040869a7fb47
Instruction ID: 0c6b5f47068af279293a85e01a997f4ac40bd9afc392d7f0c41440b63defebe2
Opcode Fuzzy Hash: 056391776d00c9679042914c9a17bc11df9c16fce4e0cfa7fecf040869a7fb47
Instruction Fuzzy Hash: 6821B271A04700AFE721CF69DD45F66FBE8EF08210F048969EA458B752D375E509CB71

Function 016DB212 Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 016DB291

Memory Dump Source

Source File: 00000000.00000002.4102729661.00000000016DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16da000_server.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: b55635031876157dba2c035a04228703a1a955465bae2e1de4949eecaf068003
Instruction ID: fa9942ed214981ffcd92425fc7d5cf0cd799b9bccc68baa8dc5051d72d3b59b0
Opcode Fuzzy Hash: b55635031876157dba2c035a04228703a1a955465bae2e1de4949eecaf068003
Instruction Fuzzy Hash: 3121D472900304AEE7319F59DC44FABFBFCEF19214F04896AEA458B745D734E5088AB1

Function 056C2823 Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E24,70E21FBB,00000000,00000000,00000000,00000000), ref: 056C289F

Memory Dump Source

Source File: 00000000.00000002.4110079619.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56c0000_server.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 541c3383d8f8f9df07ef9d52ff662e343f73c9ff05881f7d816cb4df65f83bde
Instruction ID: d86325df2161823c6fc3e634c2d9685a728593ea2edef8fb10a20455313dfbce
Opcode Fuzzy Hash: 541c3383d8f8f9df07ef9d52ff662e343f73c9ff05881f7d816cb4df65f83bde
Instruction Fuzzy Hash: 6921D7755053806FE722CB15DC54FA6BFB8EF45210F0889ABE944DB652D374A908CBB1

Function 056C273F Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E24,70E21FBB,00000000,00000000,00000000,00000000), ref: 056C27BB

Memory Dump Source

Source File: 00000000.00000002.4110079619.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56c0000_server.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 541c3383d8f8f9df07ef9d52ff662e343f73c9ff05881f7d816cb4df65f83bde
Instruction ID: 6543dc46e74b950f72a6f370e7112f556bf8a6294be2c4dc3ccb796ce2aa20f4
Opcode Fuzzy Hash: 541c3383d8f8f9df07ef9d52ff662e343f73c9ff05881f7d816cb4df65f83bde
Instruction Fuzzy Hash: AB21D7715053806FE722CB15DC54FA7BFB8EF45210F0889AAE944CB652D374A908CB71

Function 016DA9BF Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 016DAA44

Memory Dump Source

Source File: 00000000.00000002.4102729661.00000000016DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16da000_server.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: aeecdb993c10cb0717732e0dd93f566a3cee20ef60e39295a0cb7aa1a1fd591e
Instruction ID: 6e158c65e4f5b9ddc01d1f648128e52849708d25fdfeb69cdb931566ab7e6e86
Opcode Fuzzy Hash: aeecdb993c10cb0717732e0dd93f566a3cee20ef60e39295a0cb7aa1a1fd591e
Instruction Fuzzy Hash: C621897540E7C09FD7138B259C64A51BFB4EF17620F0E81DBD8848F6A3C2689808CB72

Function 016DAC37 Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,70E21FBB,00000000,00000000,00000000,00000000), ref: 016DACBD

Memory Dump Source

Source File: 00000000.00000002.4102729661.00000000016DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16da000_server.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 8bb1380323449e24b91321df922cce407008db63ec4661e397feb067e43ec7a8
Instruction ID: a9b71791f4540a74b1eb32c9c0763df4c9c0726ec0319637e40f9b91d4f1c0e2
Opcode Fuzzy Hash: 8bb1380323449e24b91321df922cce407008db63ec4661e397feb067e43ec7a8
Instruction Fuzzy Hash: C12105B54087806FE7228B55DC44BA6BFBCDF46324F0885DAE9848F293C364A909C771

Function 016DB06A Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 016DB0DD

Memory Dump Source

Source File: 00000000.00000002.4102729661.00000000016DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16da000_server.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 63c2b70cf59327cc78d036402f5ceae19cb769bc5229140eeaf938270b39cadc
Instruction ID: 6a48e98c5a4b175c9b67184ff8ee6c28a824fb59032ec25e4ae87aec9b418a1c
Opcode Fuzzy Hash: 63c2b70cf59327cc78d036402f5ceae19cb769bc5229140eeaf938270b39cadc
Instruction Fuzzy Hash: 552192716002009FF720DF29DD85BA6FBE8EF09214F048869ED458B746D775E509CBB2

Function 016DA140 Relevance: 1.6, APIs: 1, Instructions: 71networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,?), ref: 016DA1C1

Memory Dump Source

Source File: 00000000.00000002.4102729661.00000000016DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16da000_server.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 0a06291f8a84f5c6365d947800ca26c727bdcdf14fe53c61d96e2bea7cfa2d4a
Instruction ID: 0ddb5f42de1f6d115601b4b2e39de262de1211d44d55aa37dd843912bd94ee03
Opcode Fuzzy Hash: 0a06291f8a84f5c6365d947800ca26c727bdcdf14fe53c61d96e2bea7cfa2d4a
Instruction Fuzzy Hash: DB21B07250D7C09FD7238B21DC54A52BFB4EF07210F0989DBD9858F5A3D279A909CB62

Function 056C21B7 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E24,70E21FBB,00000000,00000000,00000000,00000000), ref: 056C2233

Memory Dump Source

Source File: 00000000.00000002.4110079619.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56c0000_server.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: cd1d8980cbafd003a4bf299a707e3a17a05d549d28c7ba67c98f12ebca8c709d
Instruction ID: 7cc3cb19bf14372eb36fe4570a1973d88d3e7787d6cdf7272463301fc94a8817
Opcode Fuzzy Hash: cd1d8980cbafd003a4bf299a707e3a17a05d549d28c7ba67c98f12ebca8c709d
Instruction Fuzzy Hash: 8921C3715093806FEB22CF54DC44FA6FFB8EF45210F0889AAE9859F652C374A908C7B1

Function 016DB7B5 Relevance: 1.6, APIs: 1, Instructions: 69fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 016DB82A

Memory Dump Source

Source File: 00000000.00000002.4102729661.00000000016DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16da000_server.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 4f54014a051a7540a2ec1defd19f8044738efa08cef8c4cf905e4ed40698c8a7
Instruction ID: 8f8ee13921aed81f963da8d18354b99a1a83140a52c0d58863c41322cf07ae78
Opcode Fuzzy Hash: 4f54014a051a7540a2ec1defd19f8044738efa08cef8c4cf905e4ed40698c8a7
Instruction Fuzzy Hash: D42181716093805FEB228F29DC55B52BFF8EF06610F0984DAED85DB252D225E804CB61

Function 016DB31A Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,70E21FBB,00000000,00000000,00000000,00000000), ref: 016DB394

Memory Dump Source

Source File: 00000000.00000002.4102729661.00000000016DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16da000_server.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 9acf85f574661e8fa894dff3beab4be1b9749e5be01512dadc893a76ea5c986f
Instruction ID: aa9f650f6c28301086af927bfcc4854f0b9b380193b7093a4c9e1321ed86041a
Opcode Fuzzy Hash: 9acf85f574661e8fa894dff3beab4be1b9749e5be01512dadc893a76ea5c986f
Instruction Fuzzy Hash: 81219D76A00700AEE721CE59DC44FA6BBECEF05610F09856AED458B755DB70E908CAB1

Function 056C1407 Relevance: 1.6, APIs: 1, Instructions: 68networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 056C1486

Memory Dump Source

Source File: 00000000.00000002.4110079619.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56c0000_server.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 26dc931036a28539eb15fb5bc4889bb3ff73beeea2fc83aec2368703136bb6ee
Instruction ID: 77aa586aaa84a333a4b5d9bf98abaaef2a742f731b87ea439a18313b10242c3c
Opcode Fuzzy Hash: 26dc931036a28539eb15fb5bc4889bb3ff73beeea2fc83aec2368703136bb6ee
Instruction Fuzzy Hash: 1A21B3711097809FDB228F60DC44A66BFF4EF06310F0985DAE9858F663D379A909DB61

Function 056C0CFE Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 056C0D72

Memory Dump Source

Source File: 00000000.00000002.4110079619.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56c0000_server.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 0e0714bbfd3920740e58dd06ed2e6da384a2a2eaffca5252b34e731d592e0b0f
Instruction ID: 1c425f876710d843097b31d0d0bbeb86f8eeb3cf7de1a1bf078712d714f4acde
Opcode Fuzzy Hash: 0e0714bbfd3920740e58dd06ed2e6da384a2a2eaffca5252b34e731d592e0b0f
Instruction Fuzzy Hash: AF219F71500204AFE721CF19DD49FAAFBE8EF08224F0489ADE9458A651D375B548CBA1

Function 056C06AA Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 056C0716

Memory Dump Source

Source File: 00000000.00000002.4110079619.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56c0000_server.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 0682968836bcc361dba87713e618170f057f2554f7877de12a281d09dcfdb832
Instruction ID: 73e72a7b86945daa5747ee1d873ee837280a1279097c621fb9ae0c82f7c67e48
Opcode Fuzzy Hash: 0682968836bcc361dba87713e618170f057f2554f7877de12a281d09dcfdb832
Instruction Fuzzy Hash: BB21C271500200AFEB21DF59DD49FAAFBE8EF08220F0489ADE9458A651C375A508CBB1

Function 056C16C6 Relevance: 1.6, APIs: 1, Instructions: 66libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E24), ref: 056C174F

Memory Dump Source

Source File: 00000000.00000002.4110079619.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56c0000_server.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 282eea78483170635c41bf4070d232d0391a8b62f455fdc0629cce8d38fe136c
Instruction ID: 0b60b92b2bd93a9c989456e3c8086a16344d612e0a2688b7ad88cf8c3a8cce06
Opcode Fuzzy Hash: 282eea78483170635c41bf4070d232d0391a8b62f455fdc0629cce8d38fe136c
Instruction Fuzzy Hash: 1611E1711043406FE721CB15DC85FA6FFB8EF06320F08859AF9449B692C278A948CBA2

Function 016DB4F6 Relevance: 1.6, APIs: 1, Instructions: 66windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(?,00000E24), ref: 016DB571

Memory Dump Source

Source File: 00000000.00000002.4102729661.00000000016DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16da000_server.jbxd

Similarity

API ID: MessageSendTimeout
String ID:
API String ID: 1599653421-0
Opcode ID: db040bec374f31727e062dcfed683895800481a4b97d024a3e9750333045d284
Instruction ID: 16c894342d5bfe7ac2e856a5eda0387e44d12dece1823f0f7af4a4c445905837
Opcode Fuzzy Hash: db040bec374f31727e062dcfed683895800481a4b97d024a3e9750333045d284
Instruction Fuzzy Hash: D8212172500700AFEB318F14DD40FA6FBB8EF08310F04896AEE858A695C375E508CBB1

Function 056C0A62 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,70E21FBB,00000000,00000000,00000000,00000000), ref: 056C0AD4

Memory Dump Source

Source File: 00000000.00000002.4110079619.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56c0000_server.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: a0fe2f5e2c50bddbd4cacd3efd7d4e223dd09e464a8595841bbcb25912de9643
Instruction ID: 68ef3f0b8b165225d8f9814750451a61a7fae9cb467f9d319ef77399521c845e
Opcode Fuzzy Hash: a0fe2f5e2c50bddbd4cacd3efd7d4e223dd09e464a8595841bbcb25912de9643
Instruction Fuzzy Hash: EF110272504700AFE730CF55CD48FAAFBE8EF04324F0885AAE9428A742C731E508CAB1

Function 016DB40E Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,70E21FBB,00000000,00000000,00000000,00000000), ref: 016DB480

Memory Dump Source

Source File: 00000000.00000002.4102729661.00000000016DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16da000_server.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 283f6a8f1c05ee33ed544a5afaa8332567a146dd2d3d2ba1d6db88158a59ecb4
Instruction ID: d7468f00f476585e7889129992b380e1524762350ece3736f113af086b01b5db
Opcode Fuzzy Hash: 283f6a8f1c05ee33ed544a5afaa8332567a146dd2d3d2ba1d6db88158a59ecb4
Instruction Fuzzy Hash: 4C11E476A00700AFE731CE09DC44FA6FBECEF04214F04856AEE418A746D374E8088AB1

Function 056C126A Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E24,70E21FBB,00000000,00000000,00000000,00000000), ref: 056C12C9

Memory Dump Source

Source File: 00000000.00000002.4110079619.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56c0000_server.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 55cb7750561127922967d0a5203135e6df3fa8303b54edfda8a593eed1fea60b
Instruction ID: 1fb299f04d97f0ccc947786b1e5cfbd7eef6a2b2a488d353ddd1fcea0eb3592d
Opcode Fuzzy Hash: 55cb7750561127922967d0a5203135e6df3fa8303b54edfda8a593eed1fea60b
Instruction Fuzzy Hash: 3911B472600600AFE7318F55DD44FAABBE8EF05214F04896AE9458A651D375E548CBB1

Function 056C2762 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E24,70E21FBB,00000000,00000000,00000000,00000000), ref: 056C27BB

Memory Dump Source

Source File: 00000000.00000002.4110079619.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56c0000_server.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 849a3c4f8c1f552369b47d6b5ddc5855a6f4e1489ebac756628c4e5caf3b43e4
Instruction ID: e9443e5373410c311858834f7406c0d301872530f0dd7cc2dbd0a8998fe8acbe
Opcode Fuzzy Hash: 849a3c4f8c1f552369b47d6b5ddc5855a6f4e1489ebac756628c4e5caf3b43e4
Instruction Fuzzy Hash: B51108756003009FE721CF18DD84FBAFBA8EF04314F0488AAED45CB641D774A908CAB1

Function 056C2846 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E24,70E21FBB,00000000,00000000,00000000,00000000), ref: 056C289F

Memory Dump Source

Source File: 00000000.00000002.4110079619.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56c0000_server.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 849a3c4f8c1f552369b47d6b5ddc5855a6f4e1489ebac756628c4e5caf3b43e4
Instruction ID: d5ebe1a4f2c6f2a96fc04c92bdbf3cf85ade1583b3d8570a9297997bf00f1e6b
Opcode Fuzzy Hash: 849a3c4f8c1f552369b47d6b5ddc5855a6f4e1489ebac756628c4e5caf3b43e4
Instruction Fuzzy Hash: E3110475600300AFEB21CF18DD44FBAFBA8EF04720F0489AAED45CB641D374A908CAB1

Function 056C2686 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E24,70E21FBB,00000000,00000000,00000000,00000000), ref: 056C26DC

Memory Dump Source

Source File: 00000000.00000002.4110079619.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56c0000_server.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 58a25219b0210f77a4ba0b1c189f991114debfa10e795a3dde2e9848208b0590
Instruction ID: d3b5b30294db7e3e062164d76eab6ba148e0dc7e57b8d94af24e23f3574cfa08
Opcode Fuzzy Hash: 58a25219b0210f77a4ba0b1c189f991114debfa10e795a3dde2e9848208b0590
Instruction Fuzzy Hash: 7A11EB756003049FE721CB19DD45BBABB98EF04224F1484AAED45CB741D7749944CAB1

Function 016DA573 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 016DA5DE

Memory Dump Source

Source File: 00000000.00000002.4102729661.00000000016DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16da000_server.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 76c7012636e15995625ecf4bc77ab7a42a0edf18ded14d44aec10cae2abfd743
Instruction ID: eac6c12d2b4b6963633c01d98ad8c7b7a23413eb80b0dfc143fd6f7545304c59
Opcode Fuzzy Hash: 76c7012636e15995625ecf4bc77ab7a42a0edf18ded14d44aec10cae2abfd743
Instruction Fuzzy Hash: 0611B471408780AFDB228F54DC44A62FFF8EF4A310F0889DAED858B663C335A518DB61

Function 016DAEAE Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E24,70E21FBB,00000000,00000000,00000000,00000000), ref: 016DAF0D

Memory Dump Source

Source File: 00000000.00000002.4102729661.00000000016DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16da000_server.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 3f17e35a418e49b3d38583e177bef83f4d57315be3759469bc2967d18e26d003
Instruction ID: 9ea248e7ee8a1e9da97327b199e6f421f680fb3654d1da9094069847da705c8a
Opcode Fuzzy Hash: 3f17e35a418e49b3d38583e177bef83f4d57315be3759469bc2967d18e26d003
Instruction Fuzzy Hash: 4511B671504700AFE7318F59DD44FA6FBE8EF04314F0489AAED459B655C375E5088BB1

Function 016DB885 Relevance: 1.6, APIs: 1, Instructions: 59fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 016DB8E4

Memory Dump Source

Source File: 00000000.00000002.4102729661.00000000016DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16da000_server.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: e813d960454c38bebc406314a083ac6a340177ec99a722282e7319c9510c5b79
Instruction ID: 1878d7b63ce2da673cfdadbe0d1c764997cfa8e9133c1bcf2a1916a4051ac644
Opcode Fuzzy Hash: e813d960454c38bebc406314a083ac6a340177ec99a722282e7319c9510c5b79
Instruction Fuzzy Hash: 5411B6719097805FD711CB25DC45B56BFE8EF46220F0984EAED85CF257D234E948CB61

Function 056C21DA Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E24,70E21FBB,00000000,00000000,00000000,00000000), ref: 056C2233

Memory Dump Source

Source File: 00000000.00000002.4110079619.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56c0000_server.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: d26ac4b22672dbd748befd67638e623952c18e311a6b90670833273587d2ff83
Instruction ID: ea14940b2a077b4e995358631435bb5cf049759104538dd48d75aa4b26bd9f8e
Opcode Fuzzy Hash: d26ac4b22672dbd748befd67638e623952c18e311a6b90670833273587d2ff83
Instruction Fuzzy Hash: 8411E775500300AFEB31CF54DD44FB6FBA8EF44724F0489AAED459B645C379A508CAB1

Function 056C16E6 Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E24), ref: 056C174F

Memory Dump Source

Source File: 00000000.00000002.4110079619.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56c0000_server.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: cf31b4870bc4b68bc83e176020ed624e8da080f5733b5dacbb8fad310f0c6892
Instruction ID: bfe4cc6062c74894ab4bd58dc4208207906b83e7434bc096d8b10bb2d059d653
Opcode Fuzzy Hash: cf31b4870bc4b68bc83e176020ed624e8da080f5733b5dacbb8fad310f0c6892
Instruction Fuzzy Hash: 53112931100300AFF730CB19DD85FB6FBA8DF09720F1485AAED054A781C375A948CAB5

Function 056C22B6 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

select.WS2_32(?,?,?,?,?), ref: 056C230C

Memory Dump Source

Source File: 00000000.00000002.4110079619.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56c0000_server.jbxd

Similarity

API ID: select
String ID:
API String ID: 1274211008-0
Opcode ID: 3654133c1e66779ffa33dd5e087a46b4b7283e349c0a442d0c03ff9c8ebbe300
Instruction ID: cb07a7b3f7066961833f049c81eabb043dde11631157551ad73db7569b881d31
Opcode Fuzzy Hash: 3654133c1e66779ffa33dd5e087a46b4b7283e349c0a442d0c03ff9c8ebbe300
Instruction Fuzzy Hash: 0A1160756046048FD720CF15D884F66FBE8EF08610F0885AADD8ACB755D335E544CB71

Function 016DB7E2 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 016DB82A

Memory Dump Source

Source File: 00000000.00000002.4102729661.00000000016DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16da000_server.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 0e74fd793193f12e13eaa8ecfdfe1feb493f29f6f2925ce5883fcffdbd66c755
Instruction ID: 670e5e3b1055069931b10660bb4f47b7b034e0e8c25e098347b59eb33a7b9a3a
Opcode Fuzzy Hash: 0e74fd793193f12e13eaa8ecfdfe1feb493f29f6f2925ce5883fcffdbd66c755
Instruction Fuzzy Hash: C5118271A006008FEB20CF19DC85B56FBE8EF05610F09C4AADD45CB756D775D404CAA1

Function 016DAC6A Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,70E21FBB,00000000,00000000,00000000,00000000), ref: 016DACBD

Memory Dump Source

Source File: 00000000.00000002.4102729661.00000000016DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16da000_server.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 9da019d5438edbb268878f0f048d3de995d809fd557376e2ff92fedbeb3f750e
Instruction ID: 94cea4b4f6a4773733c7647698202646c5e62e1fb130347c393902e7d3863e53
Opcode Fuzzy Hash: 9da019d5438edbb268878f0f048d3de995d809fd557376e2ff92fedbeb3f750e
Instruction Fuzzy Hash: 77012671504300AFE721CB49DD85BA6F7A8DF04224F04C5A6EE058B741C374E9488AB1

Function 056C143A Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 056C1486

Memory Dump Source

Source File: 00000000.00000002.4110079619.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56c0000_server.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: f716177271fb36693a26e6e514779b342e9972c3122ebb1101d18ca08dcc02d1
Instruction ID: 315dba5fffe843b77c03420fca66c554e54275ed34dc046d56423a661beaf855
Opcode Fuzzy Hash: f716177271fb36693a26e6e514779b342e9972c3122ebb1101d18ca08dcc02d1
Instruction Fuzzy Hash: FB1170315006049FEB20CF55D944B66FBE5FF09210F08CAEADD868B612D335E558DBA1

Function 016DB8AA Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 016DB8E4

Memory Dump Source

Source File: 00000000.00000002.4102729661.00000000016DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16da000_server.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: d852d50cbd5158e0aa5a96434d50a92d666126aabfb235662b882eeb9abc3e87
Instruction ID: a3e9745fc72d158ef2408f68d88aa5ae00c98e8ef8f02a9dd25cbb9e1395322a
Opcode Fuzzy Hash: d852d50cbd5158e0aa5a96434d50a92d666126aabfb235662b882eeb9abc3e87
Instruction Fuzzy Hash: 49018071A006448FEB20CF29DD85766BBE8DF46220F0884AADD45CF746D379D544CAA1

Function 016DA59A Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 016DA5DE

Memory Dump Source

Source File: 00000000.00000002.4102729661.00000000016DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16da000_server.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2bcee8e536fef6d4aa43ce2429bdb9e4392a5bcd529bb9f2fdd955477e648b1b
Instruction ID: 9c16f26c03da52860e76473dca1d0a8a1f38d3d1d8b4ebf4a6209f93970ad4c6
Opcode Fuzzy Hash: 2bcee8e536fef6d4aa43ce2429bdb9e4392a5bcd529bb9f2fdd955477e648b1b
Instruction Fuzzy Hash: 8D018E329046409FDB218F95DD44B66FBE0EF48210F0889AADE464B612C336A414DF62

Function 056C060E Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 056C065E

Memory Dump Source

Source File: 00000000.00000002.4110079619.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56c0000_server.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 32239ea9d4b8ead73c9d9761f128369b4e8d6910f859c06867f2ae940c437c24
Instruction ID: d678ddc19218d7aa1fa6e0f42f51c903313f9c3b4481a892fb51d860c80205ab
Opcode Fuzzy Hash: 32239ea9d4b8ead73c9d9761f128369b4e8d6910f859c06867f2ae940c437c24
Instruction Fuzzy Hash: 6101A7716006016BD250DF1ADD45F66FBF4FB88A20F148159DC085B741D771F515CBE5

Function 016DA72E Relevance: 1.5, APIs: 1, Instructions: 43comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?,00000E24,?,?), ref: 016DA77E

Memory Dump Source

Source File: 00000000.00000002.4102729661.00000000016DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16da000_server.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: b14e249200b62c4608f59d667373a684f1fc4a0344be2582f3e2dd0a5e624bef
Instruction ID: 103d021aee3a3bef2afb5da1fa81f83571949ab4e0daee3f341e536add0b7e52
Opcode Fuzzy Hash: b14e249200b62c4608f59d667373a684f1fc4a0344be2582f3e2dd0a5e624bef
Instruction Fuzzy Hash: F401A7716006016BD250DF1ADD45F66FBF4FB88A20F148159DC085B741D731F515CBE5

Function 016DA186 Relevance: 1.5, APIs: 1, Instructions: 42networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,?), ref: 016DA1C1

Memory Dump Source

Source File: 00000000.00000002.4102729661.00000000016DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16da000_server.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: b4e9bf2c5b2e4407d857f0724e53afbaf66e6119c727208b8b72a0e2b4033bf6
Instruction ID: 9ac37a7df2b04fe61c5db41264556be384a8d9f29528946f1dd5923c564b33d3
Opcode Fuzzy Hash: b4e9bf2c5b2e4407d857f0724e53afbaf66e6119c727208b8b72a0e2b4033bf6
Instruction Fuzzy Hash: 0F01B5329046409FDB20CF59DD44B56FBE4EF48321F08C9AADD454B712C375A548CBA1

Function 05597190 Relevance: 1.5, Strings: 1, Instructions: 287COMMON

Download Yara Rule

Strings

2k, xrefs: 05597498

Memory Dump Source

Source File: 00000000.00000002.4109979889.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_server.jbxd

Similarity

API ID:
String ID: 2k
API String ID: 0-1599061190
Opcode ID: 1e3ff8f52a04740ce3b21b95cd672523cfd785d7ed2fdf38331d0d178eaaf9ec
Instruction ID: 9491884da57dcc5ddb7acbcd3bea81aae727203ccba4bef0f6b3686ee8e41467
Opcode Fuzzy Hash: 1e3ff8f52a04740ce3b21b95cd672523cfd785d7ed2fdf38331d0d178eaaf9ec
Instruction Fuzzy Hash: 39A1BF307242118BEF28DB38D84576937A2FB8A755F244679E8229B3D0EB3DDD45CB90

Function 016DAA12 Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 016DAA44

Memory Dump Source

Source File: 00000000.00000002.4102729661.00000000016DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16da000_server.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: c43eb8995d16d5b3e3040b18cbfb3ca936ce0c15316e4ddc1fffc5315abbaf7e
Instruction ID: 25af1d4f95a44e0dd305e0af3d029d95ffb0b16c0fc11d72f67d8b33db390d84
Opcode Fuzzy Hash: c43eb8995d16d5b3e3040b18cbfb3ca936ce0c15316e4ddc1fffc5315abbaf7e
Instruction Fuzzy Hash: 92F0F4319046408FDB208F49DE88765FBE0DF04220F0CC5AADD450B752C379A948CEA2

Function 055939BF Relevance: 1.4, Strings: 1, Instructions: 182COMMON

Download Yara Rule

Strings

2k, xrefs: 05593C2E

Memory Dump Source

Source File: 00000000.00000002.4109979889.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_server.jbxd

Similarity

API ID:
String ID: 2k
API String ID: 0-1599061190
Opcode ID: 8feabe5b063aed94912c7992162f1b5525ec825ed0f282cd7b37899dac53486a
Instruction ID: b6368f4ab1162e971fc07de4392217a8db52e9827911cf61251d411687916efb
Opcode Fuzzy Hash: 8feabe5b063aed94912c7992162f1b5525ec825ed0f282cd7b37899dac53486a
Instruction Fuzzy Hash: B6813730A00218CFDB28DFB4C955BADB7B2FF85309F1045AAE10AAB294DB795D85CF51

Function 05593B18 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

2k, xrefs: 05593C2E

Memory Dump Source

Source File: 00000000.00000002.4109979889.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_server.jbxd

Similarity

API ID:
String ID: 2k
API String ID: 0-1599061190
Opcode ID: f7627adb6583585f177d417df809de655e9472d3b574253e336ca798cdfcd943
Instruction ID: 5c53707d90454894d0c624821de3d197b6c29cb2ce6dc6877d0f9b5f04601564
Opcode Fuzzy Hash: f7627adb6583585f177d417df809de655e9472d3b574253e336ca798cdfcd943
Instruction Fuzzy Hash: 6B413934A00218CFDB28DBB5C955BECB7F2BF85309F5045A9D00AAB294DB794E85CF51

Function 016DAB7C Relevance: 1.3, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 016DABF0

Memory Dump Source

Source File: 00000000.00000002.4102729661.00000000016DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16da000_server.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: d9e7155514662d07354713b2f27c7cfd7a41c9e431fbe1bd065c50998c7274f0
Instruction ID: b8fa749c8dcd24fbdaecf7a30b111566c2bb96ab4eff64c814bcf13253ed589b
Opcode Fuzzy Hash: d9e7155514662d07354713b2f27c7cfd7a41c9e431fbe1bd065c50998c7274f0
Instruction Fuzzy Hash: 4421F3719097809FD7128F29ED95752BFB8EF06220F0985DAED858F2A3D2349908CB61

Function 016DA61E Relevance: 1.3, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 016DA690

Memory Dump Source

Source File: 00000000.00000002.4102729661.00000000016DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16da000_server.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 193245239c5a9fb0b3206371bd5ce9ef90722b97d291806c2364d065074e8a6d
Instruction ID: d1395c6a6237facc29945f90209250d15d556e62a1ad5a5dd29549dcd00eae61
Opcode Fuzzy Hash: 193245239c5a9fb0b3206371bd5ce9ef90722b97d291806c2364d065074e8a6d
Instruction Fuzzy Hash: 1521387150D3C09FDB128B259D94A52BFB4DF47220F0984DADD849F2A3D2699908CBB2

Function 016DABBE Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 016DABF0

Memory Dump Source

Source File: 00000000.00000002.4102729661.00000000016DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16da000_server.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 167519f3adfe75f8658f5ee689cd761ecb1cacbdc5d111da9143ee260b1b1235
Instruction ID: c53334746e982503bc63749bba4d985673c3a14c949029af702ccacd003a9164
Opcode Fuzzy Hash: 167519f3adfe75f8658f5ee689cd761ecb1cacbdc5d111da9143ee260b1b1235
Instruction Fuzzy Hash: 6A018471A086448FEB208F59ED85765FBE4DF04220F08C8AADD458F756D379D544CAA1

Function 016DA65E Relevance: 1.3, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 016DA690

Memory Dump Source

Source File: 00000000.00000002.4102729661.00000000016DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16da000_server.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 0e7c62978d6b2146a5d7a3098f176e767a047f2e4ea66a3998f21ab52cd97649
Instruction ID: 6986fa46c76419ebeb5ce97b4c149b7dbe8e6173f40dbd194dc5f8c8b745eb97
Opcode Fuzzy Hash: 0e7c62978d6b2146a5d7a3098f176e767a047f2e4ea66a3998f21ab52cd97649
Instruction Fuzzy Hash: 1D01D671904240CFEB20CF59DD88765FBE4DF44220F08C8AADD498F756D379A544CEA2

Function 055975C9 Relevance: 1.2, Instructions: 1242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4109979889.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b85ec89b6efbe74b9f1a13bb0d775cf1bfdccaacc27226b2491339ddb7ee6428
Instruction ID: 16fe6402c4e80f1ae54c0657a29495ca46c219c959257af1183b79aacd42b1ff
Opcode Fuzzy Hash: b85ec89b6efbe74b9f1a13bb0d775cf1bfdccaacc27226b2491339ddb7ee6428
Instruction Fuzzy Hash: 26C27E34700265CBEF258B28D9107B97BB6FB4DB15F0044AB984997B80DB3C9DA5DFA0

Function 05597644 Relevance: 1.1, Instructions: 1079COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4109979889.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e816c2167fefc072af408f4bb6646405e70b4eefe7428a55ee72286c7d3da346
Instruction ID: 4e2dd024b90568499ac9d41504102777fd5efb4254cea2a51ef605b3cced85c5
Opcode Fuzzy Hash: e816c2167fefc072af408f4bb6646405e70b4eefe7428a55ee72286c7d3da346
Instruction Fuzzy Hash: F692B5347002649BEF258B28D9107B937B7FB4EB15F0444AB948997B84CB3C9DA5EF90

Function 0559767E Relevance: 1.1, Instructions: 1076COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4109979889.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e43e113a368d9c6c9b7d514d3b84b9295957db257646b3e4153f4f16fca260b0
Instruction ID: 6ef9203878ec9a64a80be2eaa869c3e5cc7e59258a0674ac601edc6f19d5b405
Opcode Fuzzy Hash: e43e113a368d9c6c9b7d514d3b84b9295957db257646b3e4153f4f16fca260b0
Instruction Fuzzy Hash: A392C5347002649BEF258B28D9107B937B7FB4EB15F0444AB948997B84CB3C9DA5EF90

Function 055976AD Relevance: 1.1, Instructions: 1075COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4109979889.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f0e2ea1912d0ff19d2d5fcdb649f60154e76b196bb07fb8e626dfa35355f058
Instruction ID: 639de2f9121aa3eb11dd2e522a7787bf14a9b1fb7850298cd94eac20ca6a5aa5
Opcode Fuzzy Hash: 9f0e2ea1912d0ff19d2d5fcdb649f60154e76b196bb07fb8e626dfa35355f058
Instruction Fuzzy Hash: 7A92B5347002649BEF258B28D9107B937B7FB4EB15F0444AB948997B84CB3C9DA5EF90

Function 05598BF0 Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4109979889.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9bca38a7b9201e1983765bd4d3cf50fa98a2015ee618f2d4fe2d31cb579613e
Instruction ID: efa00f8b6c0dfe30655051d9e5749084208d5ab52512e0b9054eb41c530aa794
Opcode Fuzzy Hash: f9bca38a7b9201e1983765bd4d3cf50fa98a2015ee618f2d4fe2d31cb579613e
Instruction Fuzzy Hash: 65D13834B00214AFDF09DFB4E8515AD77B2FF88659B60852AE416973A4DF3D9C02CB90

Function 05598BDF Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4109979889.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e40c62794a607664335839348cb121d6d64b7b6e4feffbc08a355fbeb753c096
Instruction ID: a9a5b427d480a6b204f9ebc8759306d19ba51a1de76864ac35c35b6e31b55a05
Opcode Fuzzy Hash: e40c62794a607664335839348cb121d6d64b7b6e4feffbc08a355fbeb753c096
Instruction Fuzzy Hash: F4A11734B00214DFDB19DBB4E8516AD77B2FF88659B60852AE416973A4DF3D9C12CF80

Function 05598CF5 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4109979889.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 982f0d6bafd1e8eb0db7c83ce3372560c31596b32990fe83e2a6763cf61d863d
Instruction ID: d46f71cedcd1657e07a13c0e6e4cfac3944dfef0d00fb5a25ddd7e212b1e006f
Opcode Fuzzy Hash: 982f0d6bafd1e8eb0db7c83ce3372560c31596b32990fe83e2a6763cf61d863d
Instruction Fuzzy Hash: F2913734B00214EFDB19DBB4E8516AD77B2FF88659B60852AE4169B3A4DF3D9C01CF80

Function 05598D53 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4109979889.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 337a413bdc29711d49bf4f936f0bc0c7e9b2fa729b4601b9fd06c13ada587c25
Instruction ID: 673fcc5e157218098fa379a71800d46e4558673ece05ee9bac8d1e9a815afb4d
Opcode Fuzzy Hash: 337a413bdc29711d49bf4f936f0bc0c7e9b2fa729b4601b9fd06c13ada587c25
Instruction Fuzzy Hash: 70912834B00214EFDB19DBB4E451AAD77B2FF88619B60852AE416973A4DF3D9C51CF80

Function 05598DA3 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4109979889.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e717b9f06db6dca50a54ac7540204bb17671f286bfa3ee5845cffc33db6f3c7
Instruction ID: 7ef108cc626b27896a98db4eeec231edf64dac4bf407bae7aa870d58460f4043
Opcode Fuzzy Hash: 8e717b9f06db6dca50a54ac7540204bb17671f286bfa3ee5845cffc33db6f3c7
Instruction Fuzzy Hash: 01812834B00214DFDB19DBB4E851AAD77B2FF88619B60852AE416973A4DF3D9C51CF80

Function 05598E25 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4109979889.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8576ed9ed4f28670f3d50a5a4f639bf13e60da63b097584a8e78626993c14b5
Instruction ID: fcdfccadb117ab2a4f9d78628d76026d171d06f28f1686b66fd64314ebb4092c
Opcode Fuzzy Hash: a8576ed9ed4f28670f3d50a5a4f639bf13e60da63b097584a8e78626993c14b5
Instruction Fuzzy Hash: 43713934B00214DFDB199B74E45166D73B2FF88619B60852AE856977A4DF3D9C41CB80

Function 0559717B Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4109979889.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbe3ce1e36c0b0de26aaa6089af4c1076af1bae135597bdc220fb767e205be5f
Instruction ID: 86eec89d5e728e8bb408e31f4a73c04d37e43836d5df607d044de38adc517b77
Opcode Fuzzy Hash: cbe3ce1e36c0b0de26aaa6089af4c1076af1bae135597bdc220fb767e205be5f
Instruction Fuzzy Hash: D951B0306242019FEF29CB76D8017A97BE2FB4A355F5882A6E412DB2D0DB3DD906CB50

Function 0559756E Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4109979889.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26baa72451ab54d08b589085ca470d76ecdfc9db60f96e9bbd5c9ba2e814f5c6
Instruction ID: 99d0f982ea85eaef85d3ae2d6fddc890c10ca66aae8d1f2f81e4b60b577f8033
Opcode Fuzzy Hash: 26baa72451ab54d08b589085ca470d76ecdfc9db60f96e9bbd5c9ba2e814f5c6
Instruction Fuzzy Hash: 7141B1307242019BEF28CB7698017A876E2FB4A755F5886A6E452DB2D0EF3DDD06CB50

Function 05590958 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4109979889.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e6ff146bb1bcf16bdfd2f2c8eebad9ee67fc07573f2adb755a51dce198864da
Instruction ID: 7318d953f1cfc49ebee562789aea5801612fd1ba315d415d1143ced25242aba7
Opcode Fuzzy Hash: 4e6ff146bb1bcf16bdfd2f2c8eebad9ee67fc07573f2adb755a51dce198864da
Instruction Fuzzy Hash: 8931D030B002118FDB14AB78D8167BE73AAEB88619F50483A9505977E0EF3DAD5A87D1

Function 055994F0 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4109979889.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61e6ae906e308cd7a02b2e1af002e8e1107a779180c4f72fff5e372aa06dc7a6
Instruction ID: ccdb8755c9c109da19ed053348d1018e8a2708834bd31b2b800e62c1b33a2f0c
Opcode Fuzzy Hash: 61e6ae906e308cd7a02b2e1af002e8e1107a779180c4f72fff5e372aa06dc7a6
Instruction Fuzzy Hash: D2319E30B002059FEF18CF79D954BAEBBF6BF88614F144169E405AB390CB7898058B90

Function 05DA1F4C Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4110433573.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccb2c64fae894b0f47bdbac10bb9a1e83ab87043d313420dcd8eb49ac2f0cd2b
Instruction ID: 71266d7f385fcea9409e0e62b03e1e7064620909afe52e118e25ecd0b867e38d
Opcode Fuzzy Hash: ccb2c64fae894b0f47bdbac10bb9a1e83ab87043d313420dcd8eb49ac2f0cd2b
Instruction Fuzzy Hash: 1F11EAB5A08301AFD350CF19D840A5BFBE4FB88664F04896EF898D7311D335EA048FA2

Function 05599210 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4109979889.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 970be781275606e47e967af5e2f68b3077f234ef6dffd0447c4e0a8e070417f9
Instruction ID: 3867ab29ac7da5b2625f479640ac8d0b24a858fd967bf8805724052e20d92b63
Opcode Fuzzy Hash: 970be781275606e47e967af5e2f68b3077f234ef6dffd0447c4e0a8e070417f9
Instruction Fuzzy Hash: FD119E71F002149FCB64DBBCD8451AEBBF6EB89254720857ED805E7750EB398D02CB90

Function 016C0814 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4102697463.00000000016C0000.00000040.00000020.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16c0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b20f7e0f0de97eda7ee24dec44a6bbfc3db618ef2b902fe63f76c4f6cfa2865
Instruction ID: 288db6e5a15b361fa1b3072fb052fd198e226f5d36a01cc8c7f7ff7fd801e35a
Opcode Fuzzy Hash: 6b20f7e0f0de97eda7ee24dec44a6bbfc3db618ef2b902fe63f76c4f6cfa2865
Instruction Fuzzy Hash: 2011E438205240DFDB11CB14D944B27BBA5EB88B08F24C9ACF9490B743C77BD843CA91

Function 05590006 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4109979889.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72e9afa61e3112de9ef5c61ea35c2da38e68faa7c8c640f8ab3f7fec87b39972
Instruction ID: 3f172bc13aa6faff08b86d0f0d1a33a190d7b51ed12568642c39d919a8ca6806
Opcode Fuzzy Hash: 72e9afa61e3112de9ef5c61ea35c2da38e68faa7c8c640f8ab3f7fec87b39972
Instruction Fuzzy Hash: 1611D72244E3C04FE3138B64DC66A803FB0AF57625B4E45DBD480CF2A7D66C985DD762

Function 05DA1DF0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4110433573.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 536c369048865a57d0da1b9f29e937f0c066e4c5a63df0f1109efde2f569147b
Instruction ID: 2ab9819f695f1707dd51ed07aede484120881c470a3c3d119da114792166345d
Opcode Fuzzy Hash: 536c369048865a57d0da1b9f29e937f0c066e4c5a63df0f1109efde2f569147b
Instruction Fuzzy Hash: 3A11ECB5A08301AFD350CF09DC44E5BFBE8EB88660F14892EF95997311D235E9088BA2

Function 016EB0B4 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4102778536.00000000016EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 016EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16ea000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c03d77769cc7df6b33ecccbde006f9a7f2e6a5bea97d7b0fbfb942d7fab02272
Instruction ID: 0844c0a68150ad6743fcfc854930d0f53ce984407c38670fe0f6343758af3eb1
Opcode Fuzzy Hash: c03d77769cc7df6b33ecccbde006f9a7f2e6a5bea97d7b0fbfb942d7fab02272
Instruction Fuzzy Hash: 8B11ECB5A08301AFD350CF09DC44E5BFBE8EB88660F14892EF95997311D235E9088FA2

Function 016C05E4 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4102697463.00000000016C0000.00000040.00000020.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16c0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2537a1758fff32841c58f6ccf4aba8e2f359e061325d61847d11c5e441c5bdfa
Instruction ID: 1237f5200567f0cff965edbe5cbc5fccd7b12324b91bdb6e8dd48e7105b37f28
Opcode Fuzzy Hash: 2537a1758fff32841c58f6ccf4aba8e2f359e061325d61847d11c5e441c5bdfa
Instruction Fuzzy Hash: FFF0A97650D7806FD7118B05AC55863FFB8DF86530709C5EFEC498B752D229A908CBB2

Function 016C0803 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4102697463.00000000016C0000.00000040.00000020.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16c0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7e5788c7ee035bdb9d227f0878be9ef3109826bccc91f5837b7b8d485c4c06e
Instruction ID: 085d9e47958c6e247cd67bb5261c4a309778deace4656445b4ca60654dce94f1
Opcode Fuzzy Hash: a7e5788c7ee035bdb9d227f0878be9ef3109826bccc91f5837b7b8d485c4c06e
Instruction Fuzzy Hash: BF117335109380CFCB12CB10C950B15BFB1EB86604F19C6EEE4894B693C33A8806CB41

Function 05590878 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4109979889.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9959d7f729bb74c4670d69ed4ae9686175a803d81e3747007de2d268c8718176
Instruction ID: fd903ebcb5732ecdd4129912859036ff8f2920343ba4384ddb643cb76dea55a0
Opcode Fuzzy Hash: 9959d7f729bb74c4670d69ed4ae9686175a803d81e3747007de2d268c8718176
Instruction Fuzzy Hash: E411273461A2428FCB20EF38D95C54D7BE2ABC4619B04892CE585CB619EF389848DB82

Function 055900A8 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4109979889.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1dd28c1cd2c22da2f8acf683e8aec349ef9e6ed8118fa8df1c0c28c6b962ddf
Instruction ID: 6b94e34c2553f516c81520ec97c8a7f74836f2fa099f927d4121512da5660458
Opcode Fuzzy Hash: b1dd28c1cd2c22da2f8acf683e8aec349ef9e6ed8118fa8df1c0c28c6b962ddf
Instruction Fuzzy Hash: FDF0C232A013046BEB04DFB1CC1276E7FB7EB82624F1485AEE5819B2C0DA3A5841C380

Function 016C08D0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4102697463.00000000016C0000.00000040.00000020.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16c0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c438a27276e0968fcdc2a499c6d87a0b64f2769294ce5e65665db8adb6b8d55a
Instruction ID: 9cb0a5fd288b2a5b297e257649440bdf3db2e735446886c6ef3e32aa1f6228d5
Opcode Fuzzy Hash: c438a27276e0968fcdc2a499c6d87a0b64f2769294ce5e65665db8adb6b8d55a
Instruction Fuzzy Hash: 7EF01D35104644DFC706CF04D980B26FBA2FB89718F24CAADE94917B52C737D813DA81

Function 016C0606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4102697463.00000000016C0000.00000040.00000020.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16c0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45a39849244bf198312d654fc5493964e7558e26118d9243559601417d338319
Instruction ID: b5d4fd0a794f93df0733336accb6edf403825ac544a619dbc19d75149bf19ab7
Opcode Fuzzy Hash: 45a39849244bf198312d654fc5493964e7558e26118d9243559601417d338319
Instruction Fuzzy Hash: 09E092B66046004B9650CF0AFD41456F7E8EB88630708C57FDC0D8BB01D235B508CAA5

Function 05DA1FB7 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4110433573.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e53927ae0963a0fc62675fcfcd6d8d6be4145525fa9a2ffdc997b83ed998d3d
Instruction ID: 268b192cd3a0722387389d114a54d48328afaf895eda8d864ca4ea7bd5959212
Opcode Fuzzy Hash: 3e53927ae0963a0fc62675fcfcd6d8d6be4145525fa9a2ffdc997b83ed998d3d
Instruction Fuzzy Hash: EAE0D8B264030067D3208E06AC46F52FBD8DB54A31F14C667ED081B741D176B51489F1

Function 05DA1863 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4110433573.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25847dab6832a2513640d55dabb7cd9a0629e482f30762244c8fc1003410e7bc
Instruction ID: be423d8be6728be2dc5fbbe7552aa430e2c002e884728b4ed96aa1952178046e
Opcode Fuzzy Hash: 25847dab6832a2513640d55dabb7cd9a0629e482f30762244c8fc1003410e7bc
Instruction Fuzzy Hash: AAE0D8B2A0020067D2209E06AC49F53FBD8DB44A31F14CA67ED091B701D176B614C9E1

Function 05DA1E3F Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4110433573.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eca34b1d7001a1ed8698cc2a5cf2613c542baab18dccf21e7e2c86810d0a674
Instruction ID: 92ec531a394af4f907d53115881da6bd0fe648b49666b02ba810e1528030c134
Opcode Fuzzy Hash: 5eca34b1d7001a1ed8698cc2a5cf2613c542baab18dccf21e7e2c86810d0a674
Instruction Fuzzy Hash: B2E0D8B260030467D2609E06AC45F53FBD8DB44A31F18C667ED091B702D276B51489F1

Function 016EB103 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4102778536.00000000016EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 016EA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16ea000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8007a24400a502f0115b96de0f48d0bcb5e0c0f872b5cb3732d2c151bc30f64f
Instruction ID: 0888fa79797dfdf9370b53dad757cf35f25aa1162c51ec235400527869f5b757
Opcode Fuzzy Hash: 8007a24400a502f0115b96de0f48d0bcb5e0c0f872b5cb3732d2c151bc30f64f
Instruction Fuzzy Hash: C2E0D8B264020467D2208E06AC45F62F798DB54A31F14C667ED095B701D276B51489F1

Function 05594200 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4109979889.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86936bad9c9c1c3e6b4a781f3c75f0c3a5d4ac6aa8eb08c69a13139f15cfd05e
Instruction ID: 621a1921bebbf7d61c555c92173a70e07df1fc2f51b2f2efba743008659559ed
Opcode Fuzzy Hash: 86936bad9c9c1c3e6b4a781f3c75f0c3a5d4ac6aa8eb08c69a13139f15cfd05e
Instruction Fuzzy Hash: ADE0D63090A348EFCB41CFB4DA024EC3BF0AB02210B0041BAD809D3622EA361E09DB42

Function 055936A8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4109979889.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95ead9df320c4afe0c722054b2ff6eb24cc04645c360b9e47a71082f21d65f8a
Instruction ID: cbf0b1426869f4cd6c701305850f6dc2512c67c676f34120b4eea3edd222e6f0
Opcode Fuzzy Hash: 95ead9df320c4afe0c722054b2ff6eb24cc04645c360b9e47a71082f21d65f8a
Instruction Fuzzy Hash: C9E0C230242340CFCB1A5B7090290183BB1BF8321930004BFC446CB761EF3E8887CB00

Function 055994AF Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4109979889.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6736d9546132485c954c8255630479a8fdd71a5c71372263823ac2016a077537
Instruction ID: c6fbde2433c69d89f18049bb0b02384cd268eb632f5aea4716ea64ccc773f810
Opcode Fuzzy Hash: 6736d9546132485c954c8255630479a8fdd71a5c71372263823ac2016a077537
Instruction Fuzzy Hash: D3E01270A4938D9FCB56CFF0EA150EC7FF4AA9221071041EFC84697262D9290F29DB41

Function 016D23F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4102713737.00000000016D2000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d2000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 888a3ac0e88bf2ac7200167109c70f3149ca2f85ffddfbc7d784f3af0319fa2b
Instruction ID: 49123d148bfac28638343b2ec57f245f1c4b21c76cde38832fc78e0c813b1613
Opcode Fuzzy Hash: 888a3ac0e88bf2ac7200167109c70f3149ca2f85ffddfbc7d784f3af0319fa2b
Instruction Fuzzy Hash: 23D05E796066D14FE3279A1CCAA4F953BE4AB51718F4A44FDAC00CB763C768D5D1D600

Function 016D23BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4102713737.00000000016D2000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d2000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85d678d555248ed430ceaac47fb426ac315a9c2130a28be89b636f155de459cd
Instruction ID: 769c79c53e578efd8e1b4177a178a94c52ae36c6e398cdd9f6601b21d41c88ef
Opcode Fuzzy Hash: 85d678d555248ed430ceaac47fb426ac315a9c2130a28be89b636f155de459cd
Instruction Fuzzy Hash: E8D05E346002814FD725DA0CC6E4F593BD4AF80714F0644ECAC108B762CBA4D8D0DA00

Function 05594210 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4109979889.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c34bd0fe86ba463d6104ca801e36c1aff3fd32376574b972546d6c3e5f59a012
Instruction ID: 3c1ee30fd3975ba471ff38a7a70fcde1ee328af38fc0b4f4832a1374b546f9d6
Opcode Fuzzy Hash: c34bd0fe86ba463d6104ca801e36c1aff3fd32376574b972546d6c3e5f59a012
Instruction Fuzzy Hash: 95D0A930E01208EF8B00DFA8DD0089DB7F8EB05204B0001AAA809D3700EE321E04DB81

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report server.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Njrat

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Explower.exe

C:\Program Files (x86)\Explower.exe:Zone.Identifier

C:\Users\user\AppData\Local\Explower.exe

C:\Users\user\AppData\Local\Explower.exe:Zone.Identifier

C:\Users\user\AppData\Local\Microsoft\Windows\History\Explower.exe

C:\Users\user\AppData\Local\Microsoft\Windows\History\Explower.exe:Zone.Identifier

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Explower.exe

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Explower.exe:Zone.Identifier

C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Explower.exe

C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Explower.exe:Zone.Identifier

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe

Windows Analysis Report
server.exe

Function 05594298 Relevance: 5.7, Strings: 3, Instructions: 1950
COMMON

Function 05594269 Relevance: 5.5, Strings: 3, Instructions: 1761
COMMON

Function 05593802 Relevance: 3.0, Strings: 2, Instructions: 497
COMMON

Function 055900B8 Relevance: 2.6, Strings: 2, Instructions: 95
COMMON

Function 05590118 Relevance: 2.6, Strings: 2, Instructions: 58
COMMON

Function 056C1FAA Relevance: 1.6, APIs: 1, Instructions: 129
registryCOMMON

Function 056C0597 Relevance: 1.6, APIs: 1, Instructions: 98
registryCOMMON

Function 016DB1E6 Relevance: 1.6, APIs: 1, Instructions: 97
registryCOMMON

Function 016DAA75 Relevance: 1.6, APIs: 1, Instructions: 92
fileCOMMON

Function 056C122C Relevance: 1.6, APIs: 1, Instructions: 89
timeCOMMON

Function 056C0B28 Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Function 016DB2D9 Relevance: 1.6, APIs: 1, Instructions: 89
registryCOMMON

Function 016DB036 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON