Edit tour

Windows Analysis Report
Gv10VZCeN7.exe

Overview

General Information

Sample name:	Gv10VZCeN7.exe renamed because original name is a hash value
Original sample name:	1ed0c2e213e674c8a95694c9e19361c7.exe
Analysis ID:	1589384
MD5:	1ed0c2e213e674c8a95694c9e19361c7
SHA1:	05446e3404b3171264fc344bf4013eb8ea2cf740
SHA256:	6dfe16f82116f1537efcac4f015247d28339062bcbaa7fc75c9486caa76a9d0d
Tags:	exenjratRATuser-abuse_ch
Infos:

Detection

Njrat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Njrat

AI detected suspicious sample

Creates autorun.inf (USB autostart)

Disables the Windows task manager (taskmgr)

Disables zone checking for all users

Drops PE files to the document folder of the user

Drops PE files to the startup folder

Drops PE files to the user root directory

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies the windows firewall

Uses netsh to modify the Windows network and firewall settings

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the program root directory (C:\Program Files)

Drops PE files to the user directory

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May infect USB drives

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

Gv10VZCeN7.exe (PID: 4208 cmdline: "C:\Users\user\Desktop\Gv10VZCeN7.exe" MD5: 1ED0C2E213E674C8A95694C9E19361C7)

server.exe (PID: 5252 cmdline: "C:\Users\user\server.exe" MD5: 1ED0C2E213E674C8A95694C9E19361C7)

netsh.exe (PID: 3176 cmdline: netsh firewall add allowedprogram "C:\Users\user\server.exe" "server.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

conhost.exe (PID: 2828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 6432 cmdline: netsh firewall delete allowedprogram "C:\Users\user\server.exe" MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

conhost.exe (PID: 5440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 5520 cmdline: netsh firewall add allowedprogram "C:\Users\user\server.exe" "server.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

conhost.exe (PID: 2128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

364d88128926b2e822553333b20c197fWindows Update.exe (PID: 3092 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe" MD5: 1ED0C2E213E674C8A95694C9E19361C7)

364d88128926b2e822553333b20c197fWindows Update.exe (PID: 6188 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe" MD5: 1ED0C2E213E674C8A95694C9E19361C7)

Discord.exe (PID: 1196 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe" MD5: 1ED0C2E213E674C8A95694C9E19361C7)

Explower.exe (PID: 2220 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe" MD5: 1ED0C2E213E674C8A95694C9E19361C7)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
NjRAT	RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.	AQUATIC PANDA Earth Lusca Operation C-Major The Gorgon Group	http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/ http://blogs.360.cn/post/analysis-of-apt-c-37.html http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/ https://asec.ahnlab.com/1369	https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Malware Configuration

Threatname: Njrat

{"Campaign ID": "debil", "Version": "0.7d", "Install Name": "364d88128926b2e822553333b20c197f", "Install Dir": "system", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Network Seprator": "|'|'|"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Gv10VZCeN7.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Gv10VZCeN7.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x115d2:$a1: get_Registry 0x15a39:$a2: SEE_MASK_NOZONECHECKS 0x156db:$a3: Download ERROR 0x15c8b:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13c18:$a5: netsh firewall delete allowedprogram "
Gv10VZCeN7.exe	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x15c8b:$x1: cmd.exe /c ping 0 -n 2 & del " 0x137a4:$s1: winmgmts:\\.\root\SecurityCenter2 0x156f9:$s3: Executed As 0x124f0:$s5: Stub.exe 0x156db:$s6: Download ERROR 0x13766:$s8: Select * From AntiVirusProduct
Gv10VZCeN7.exe	crimeware_njrat_strings	Detects njRAT based on some strings	Sekoia.io	0x1547d:$: set cdaudio door closed 0x15441:$: set cdaudio door open 0x15ca1:$: ping 0 0x13412:$: [endof] 0x132cc:$: TiGeR-Firewall 0x132fa:$: NetSnifferCs 0x132b8:$: IPBlocker 0x13314:$: Sandboxie Control
Gv10VZCeN7.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x15a39:$reg: SEE_MASK_NOZONECHECKS 0x156bf:$msg: Execute ERROR 0x15713:$msg: Execute ERROR 0x15c8b:$ping: cmd.exe /c ping 0 -n 2 & del
Gv10VZCeN7.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c18:$s1: netsh firewall delete allowedprogram 0x13c6a:$s2: netsh firewall add allowedprogram 0x15c8b:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156bf:$s4: Execute ERROR 0x15713:$s4: Execute ERROR 0x156db:$s5: Download ERROR
Click to see the 1 entries

Dropped Files

Source	Rule	Description	Author	Strings
C:\Program Files (x86)\Explower.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Program Files (x86)\Explower.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x115d2:$a1: get_Registry 0x15a39:$a2: SEE_MASK_NOZONECHECKS 0x156db:$a3: Download ERROR 0x15c8b:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13c18:$a5: netsh firewall delete allowedprogram "
C:\Program Files (x86)\Explower.exe	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x15c8b:$x1: cmd.exe /c ping 0 -n 2 & del " 0x137a4:$s1: winmgmts:\\.\root\SecurityCenter2 0x156f9:$s3: Executed As 0x124f0:$s5: Stub.exe 0x156db:$s6: Download ERROR 0x13766:$s8: Select * From AntiVirusProduct
C:\Program Files (x86)\Explower.exe	crimeware_njrat_strings	Detects njRAT based on some strings	Sekoia.io	0x1547d:$: set cdaudio door closed 0x15441:$: set cdaudio door open 0x15ca1:$: ping 0 0x13412:$: [endof] 0x132cc:$: TiGeR-Firewall 0x132fa:$: NetSnifferCs 0x132b8:$: IPBlocker 0x13314:$: Sandboxie Control
C:\Program Files (x86)\Explower.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x15a39:$reg: SEE_MASK_NOZONECHECKS 0x156bf:$msg: Execute ERROR 0x15713:$msg: Execute ERROR 0x15c8b:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x115d2:$a1: get_Registry 0x15a39:$a2: SEE_MASK_NOZONECHECKS 0x156db:$a3: Download ERROR 0x15c8b:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13c18:$a5: netsh firewall delete allowedprogram "
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x115d2:$a1: get_Registry 0x15a39:$a2: SEE_MASK_NOZONECHECKS 0x156db:$a3: Download ERROR 0x15c8b:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13c18:$a5: netsh firewall delete allowedprogram "
C:\Program Files (x86)\Explower.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x115d2:$a1: get_Registry 0x15a39:$a2: SEE_MASK_NOZONECHECKS 0x156db:$a3: Download ERROR 0x15c8b:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13c18:$a5: netsh firewall delete allowedprogram "
C:\Notepad.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Notepad.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Notepad.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1547d:$: set cdaudio door closed 0x15441:$: set cdaudio door open 0x15ca1:$: ping 0 0x13412:$: [endof] 0x132cc:$: TiGeR-Firewall 0x132fa:$: NetSnifferCs 0x132b8:$: IPBlocker 0x13314:$: Sandboxie Control
C:\Notepad.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x1547d:$: set cdaudio door closed 0x15441:$: set cdaudio door open 0x15ca1:$: ping 0 0x13412:$: [endof] 0x132cc:$: TiGeR-Firewall 0x132fa:$: NetSnifferCs 0x132b8:$: IPBlocker 0x13314:$: Sandboxie Control
C:\Notepad.exe	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x15c8b:$x1: cmd.exe /c ping 0 -n 2 & del " 0x137a4:$s1: winmgmts:\\.\root\SecurityCenter2 0x156f9:$s3: Executed As 0x124f0:$s5: Stub.exe 0x156db:$s6: Download ERROR 0x13766:$s8: Select * From AntiVirusProduct
C:\Notepad.exe	crimeware_njrat_strings	Detects njRAT based on some strings	Sekoia.io	0x13c18:$s1: netsh firewall delete allowedprogram 0x13c6a:$s2: netsh firewall add allowedprogram 0x15c8b:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156bf:$s4: Execute ERROR 0x15713:$s4: Execute ERROR 0x156db:$s5: Download ERROR
C:\Notepad.exe	crimeware_njrat_strings	Detects njRAT based on some strings	Sekoia.io	0x13c18:$s1: netsh firewall delete allowedprogram 0x13c6a:$s2: netsh firewall add allowedprogram 0x15c8b:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156bf:$s4: Execute ERROR 0x15713:$s4: Execute ERROR 0x156db:$s5: Download ERROR
C:\Notepad.exe	crimeware_njrat_strings	Detects njRAT based on some strings	Sekoia.io	0x13c18:$s1: netsh firewall delete allowedprogram 0x13c6a:$s2: netsh firewall add allowedprogram 0x15c8b:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156bf:$s4: Execute ERROR 0x15713:$s4: Execute ERROR 0x156db:$s5: Download ERROR
C:\Notepad.exe	crimeware_njrat_strings	Detects njRAT based on some strings	Sekoia.io	0x13c18:$s1: netsh firewall delete allowedprogram 0x13c6a:$s2: netsh firewall add allowedprogram 0x15c8b:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156bf:$s4: Execute ERROR 0x15713:$s4: Execute ERROR 0x156db:$s5: Download ERROR
C:\Notepad.exe	crimeware_njrat_strings	Detects njRAT based on some strings	Sekoia.io	0x13c18:$s1: netsh firewall delete allowedprogram 0x13c6a:$s2: netsh firewall add allowedprogram 0x15c8b:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156bf:$s4: Execute ERROR 0x15713:$s4: Execute ERROR 0x156db:$s5: Download ERROR
C:\Notepad.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x15a39:$reg: SEE_MASK_NOZONECHECKS 0x156bf:$msg: Execute ERROR 0x15713:$msg: Execute ERROR 0x15c8b:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c18:$s1: netsh firewall delete allowedprogram 0x13c6a:$s2: netsh firewall add allowedprogram 0x15c8b:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156bf:$s4: Execute ERROR 0x15713:$s4: Execute ERROR 0x156db:$s5: Download ERROR
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c18:$s1: netsh firewall delete allowedprogram 0x13c6a:$s2: netsh firewall add allowedprogram 0x15c8b:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156bf:$s4: Execute ERROR 0x15713:$s4: Execute ERROR 0x156db:$s5: Download ERROR
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c18:$s1: netsh firewall delete allowedprogram 0x13c6a:$s2: netsh firewall add allowedprogram 0x15c8b:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156bf:$s4: Execute ERROR 0x15713:$s4: Execute ERROR 0x156db:$s5: Download ERROR
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c18:$s1: netsh firewall delete allowedprogram 0x13c6a:$s2: netsh firewall add allowedprogram 0x15c8b:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156bf:$s4: Execute ERROR 0x15713:$s4: Execute ERROR 0x156db:$s5: Download ERROR
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c18:$s1: netsh firewall delete allowedprogram 0x13c6a:$s2: netsh firewall add allowedprogram 0x15c8b:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156bf:$s4: Execute ERROR 0x15713:$s4: Execute ERROR 0x156db:$s5: Download ERROR
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c18:$s1: netsh firewall delete allowedprogram 0x13c6a:$s2: netsh firewall add allowedprogram 0x15c8b:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156bf:$s4: Execute ERROR 0x15713:$s4: Execute ERROR 0x156db:$s5: Download ERROR
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c18:$s1: netsh firewall delete allowedprogram 0x13c6a:$s2: netsh firewall add allowedprogram 0x15c8b:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156bf:$s4: Execute ERROR 0x15713:$s4: Execute ERROR 0x156db:$s5: Download ERROR
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c18:$s1: netsh firewall delete allowedprogram 0x13c6a:$s2: netsh firewall add allowedprogram 0x15c8b:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156bf:$s4: Execute ERROR 0x15713:$s4: Execute ERROR 0x156db:$s5: Download ERROR
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c18:$s1: netsh firewall delete allowedprogram 0x13c6a:$s2: netsh firewall add allowedprogram 0x15c8b:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156bf:$s4: Execute ERROR 0x15713:$s4: Execute ERROR 0x156db:$s5: Download ERROR
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c18:$s1: netsh firewall delete allowedprogram 0x13c6a:$s2: netsh firewall add allowedprogram 0x15c8b:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156bf:$s4: Execute ERROR 0x15713:$s4: Execute ERROR 0x156db:$s5: Download ERROR
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c18:$s1: netsh firewall delete allowedprogram 0x13c6a:$s2: netsh firewall add allowedprogram 0x15c8b:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156bf:$s4: Execute ERROR 0x15713:$s4: Execute ERROR 0x156db:$s5: Download ERROR
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c18:$s1: netsh firewall delete allowedprogram 0x13c6a:$s2: netsh firewall add allowedprogram 0x15c8b:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156bf:$s4: Execute ERROR 0x15713:$s4: Execute ERROR 0x156db:$s5: Download ERROR
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c18:$s1: netsh firewall delete allowedprogram 0x13c6a:$s2: netsh firewall add allowedprogram 0x15c8b:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156bf:$s4: Execute ERROR 0x15713:$s4: Execute ERROR 0x156db:$s5: Download ERROR
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c18:$s1: netsh firewall delete allowedprogram 0x13c6a:$s2: netsh firewall add allowedprogram 0x15c8b:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156bf:$s4: Execute ERROR 0x15713:$s4: Execute ERROR 0x156db:$s5: Download ERROR
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c18:$s1: netsh firewall delete allowedprogram 0x13c6a:$s2: netsh firewall add allowedprogram 0x15c8b:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156bf:$s4: Execute ERROR 0x15713:$s4: Execute ERROR 0x156db:$s5: Download ERROR
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c18:$s1: netsh firewall delete allowedprogram 0x13c6a:$s2: netsh firewall add allowedprogram 0x15c8b:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156bf:$s4: Execute ERROR 0x15713:$s4: Execute ERROR 0x156db:$s5: Download ERROR
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c18:$s1: netsh firewall delete allowedprogram 0x13c6a:$s2: netsh firewall add allowedprogram 0x15c8b:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156bf:$s4: Execute ERROR 0x15713:$s4: Execute ERROR 0x156db:$s5: Download ERROR
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c18:$s1: netsh firewall delete allowedprogram 0x13c6a:$s2: netsh firewall add allowedprogram 0x15c8b:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156bf:$s4: Execute ERROR 0x15713:$s4: Execute ERROR 0x156db:$s5: Download ERROR
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c18:$s1: netsh firewall delete allowedprogram 0x13c6a:$s2: netsh firewall add allowedprogram 0x15c8b:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156bf:$s4: Execute ERROR 0x15713:$s4: Execute ERROR 0x156db:$s5: Download ERROR
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c18:$s1: netsh firewall delete allowedprogram 0x13c6a:$s2: netsh firewall add allowedprogram 0x15c8b:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156bf:$s4: Execute ERROR 0x15713:$s4: Execute ERROR 0x156db:$s5: Download ERROR
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c18:$s1: netsh firewall delete allowedprogram 0x13c6a:$s2: netsh firewall add allowedprogram 0x15c8b:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156bf:$s4: Execute ERROR 0x15713:$s4: Execute ERROR 0x156db:$s5: Download ERROR
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c18:$s1: netsh firewall delete allowedprogram 0x13c6a:$s2: netsh firewall add allowedprogram 0x15c8b:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156bf:$s4: Execute ERROR 0x15713:$s4: Execute ERROR 0x156db:$s5: Download ERROR
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c18:$s1: netsh firewall delete allowedprogram 0x13c6a:$s2: netsh firewall add allowedprogram 0x15c8b:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156bf:$s4: Execute ERROR 0x15713:$s4: Execute ERROR 0x156db:$s5: Download ERROR
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c18:$s1: netsh firewall delete allowedprogram 0x13c6a:$s2: netsh firewall add allowedprogram 0x15c8b:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156bf:$s4: Execute ERROR 0x15713:$s4: Execute ERROR 0x156db:$s5: Download ERROR
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c18:$s1: netsh firewall delete allowedprogram 0x13c6a:$s2: netsh firewall add allowedprogram 0x15c8b:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156bf:$s4: Execute ERROR 0x15713:$s4: Execute ERROR 0x156db:$s5: Download ERROR
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c18:$s1: netsh firewall delete allowedprogram 0x13c6a:$s2: netsh firewall add allowedprogram 0x15c8b:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156bf:$s4: Execute ERROR 0x15713:$s4: Execute ERROR 0x156db:$s5: Download ERROR
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c18:$s1: netsh firewall delete allowedprogram 0x13c6a:$s2: netsh firewall add allowedprogram 0x15c8b:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156bf:$s4: Execute ERROR 0x15713:$s4: Execute ERROR 0x156db:$s5: Download ERROR
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c18:$s1: netsh firewall delete allowedprogram 0x13c6a:$s2: netsh firewall add allowedprogram 0x15c8b:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156bf:$s4: Execute ERROR 0x15713:$s4: Execute ERROR 0x156db:$s5: Download ERROR
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c18:$s1: netsh firewall delete allowedprogram 0x13c6a:$s2: netsh firewall add allowedprogram 0x15c8b:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156bf:$s4: Execute ERROR 0x15713:$s4: Execute ERROR 0x156db:$s5: Download ERROR
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c18:$s1: netsh firewall delete allowedprogram 0x13c6a:$s2: netsh firewall add allowedprogram 0x15c8b:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156bf:$s4: Execute ERROR 0x15713:$s4: Execute ERROR 0x156db:$s5: Download ERROR
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c18:$s1: netsh firewall delete allowedprogram 0x13c6a:$s2: netsh firewall add allowedprogram 0x15c8b:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156bf:$s4: Execute ERROR 0x15713:$s4: Execute ERROR 0x156db:$s5: Download ERROR
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c18:$s1: netsh firewall delete allowedprogram 0x13c6a:$s2: netsh firewall add allowedprogram 0x15c8b:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156bf:$s4: Execute ERROR 0x15713:$s4: Execute ERROR 0x156db:$s5: Download ERROR
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c18:$s1: netsh firewall delete allowedprogram 0x13c6a:$s2: netsh firewall add allowedprogram 0x15c8b:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156bf:$s4: Execute ERROR 0x15713:$s4: Execute ERROR 0x156db:$s5: Download ERROR
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c18:$s1: netsh firewall delete allowedprogram 0x13c6a:$s2: netsh firewall add allowedprogram 0x15c8b:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156bf:$s4: Execute ERROR 0x15713:$s4: Execute ERROR 0x156db:$s5: Download ERROR
C:\Notepad.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c18:$s1: netsh firewall delete allowedprogram 0x13c6a:$s2: netsh firewall add allowedprogram 0x15c8b:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156bf:$s4: Execute ERROR 0x15713:$s4: Execute ERROR 0x156db:$s5: Download ERROR
C:\Umbrella.flv.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Umbrella.flv.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Users\user\server.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Users\user\server.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Umbrella.flv.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x115d2:$a1: get_Registry 0x15a39:$a2: SEE_MASK_NOZONECHECKS 0x156db:$a3: Download ERROR 0x15c8b:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13c18:$a5: netsh firewall delete allowedprogram "
C:\Umbrella.flv.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x115d2:$a1: get_Registry 0x15a39:$a2: SEE_MASK_NOZONECHECKS 0x156db:$a3: Download ERROR 0x15c8b:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13c18:$a5: netsh firewall delete allowedprogram "
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x115d2:$a1: get_Registry 0x15a39:$a2: SEE_MASK_NOZONECHECKS 0x156db:$a3: Download ERROR 0x15c8b:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13c18:$a5: netsh firewall delete allowedprogram "
C:\Users\user\server.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x115d2:$a1: get_Registry 0x15a39:$a2: SEE_MASK_NOZONECHECKS 0x156db:$a3: Download ERROR 0x15c8b:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13c18:$a5: netsh firewall delete allowedprogram "
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x15c8b:$x1: cmd.exe /c ping 0 -n 2 & del " 0x137a4:$s1: winmgmts:\\.\root\SecurityCenter2 0x156f9:$s3: Executed As 0x124f0:$s5: Stub.exe 0x156db:$s6: Download ERROR 0x13766:$s8: Select * From AntiVirusProduct
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	crimeware_njrat_strings	Detects njRAT based on some strings	Sekoia.io	0x1547d:$: set cdaudio door closed 0x15441:$: set cdaudio door open 0x15ca1:$: ping 0 0x13412:$: [endof] 0x132cc:$: TiGeR-Firewall 0x132fa:$: NetSnifferCs 0x132b8:$: IPBlocker 0x13314:$: Sandboxie Control
C:\Umbrella.flv.exe	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x15c8b:$x1: cmd.exe /c ping 0 -n 2 & del " 0x137a4:$s1: winmgmts:\\.\root\SecurityCenter2 0x156f9:$s3: Executed As 0x124f0:$s5: Stub.exe 0x156db:$s6: Download ERROR 0x13766:$s8: Select * From AntiVirusProduct
C:\Umbrella.flv.exe	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x15c8b:$x1: cmd.exe /c ping 0 -n 2 & del " 0x137a4:$s1: winmgmts:\\.\root\SecurityCenter2 0x156f9:$s3: Executed As 0x124f0:$s5: Stub.exe 0x156db:$s6: Download ERROR 0x13766:$s8: Select * From AntiVirusProduct
C:\Users\user\server.exe	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x15c8b:$x1: cmd.exe /c ping 0 -n 2 & del " 0x137a4:$s1: winmgmts:\\.\root\SecurityCenter2 0x156f9:$s3: Executed As 0x124f0:$s5: Stub.exe 0x156db:$s6: Download ERROR 0x13766:$s8: Select * From AntiVirusProduct
C:\Users\user\server.exe	crimeware_njrat_strings	Detects njRAT based on some strings	Sekoia.io	0x1547d:$: set cdaudio door closed 0x15441:$: set cdaudio door open 0x15ca1:$: ping 0 0x13412:$: [endof] 0x132cc:$: TiGeR-Firewall 0x132fa:$: NetSnifferCs 0x132b8:$: IPBlocker 0x13314:$: Sandboxie Control
C:\Users\user\server.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x15a39:$reg: SEE_MASK_NOZONECHECKS 0x156bf:$msg: Execute ERROR 0x15713:$msg: Execute ERROR 0x15c8b:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Users\user\server.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c18:$s1: netsh firewall delete allowedprogram 0x13c6a:$s2: netsh firewall add allowedprogram 0x15c8b:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156bf:$s4: Execute ERROR 0x15713:$s4: Execute ERROR 0x156db:$s5: Download ERROR
C:\Umbrella.flv.exe	crimeware_njrat_strings	Detects njRAT based on some strings	Sekoia.io	0x1547d:$: set cdaudio door closed 0x15441:$: set cdaudio door open 0x15ca1:$: ping 0 0x13412:$: [endof] 0x132cc:$: TiGeR-Firewall 0x132fa:$: NetSnifferCs 0x132b8:$: IPBlocker 0x13314:$: Sandboxie Control
C:\Umbrella.flv.exe	crimeware_njrat_strings	Detects njRAT based on some strings	Sekoia.io	0x1547d:$: set cdaudio door closed 0x15441:$: set cdaudio door open 0x15ca1:$: ping 0 0x13412:$: [endof] 0x132cc:$: TiGeR-Firewall 0x132fa:$: NetSnifferCs 0x132b8:$: IPBlocker 0x13314:$: Sandboxie Control
C:\Umbrella.flv.exe	crimeware_njrat_strings	Detects njRAT based on some strings	Sekoia.io	0x1547d:$: set cdaudio door closed 0x15441:$: set cdaudio door open 0x15ca1:$: ping 0 0x13412:$: [endof] 0x132cc:$: TiGeR-Firewall 0x132fa:$: NetSnifferCs 0x132b8:$: IPBlocker 0x13314:$: Sandboxie Control
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x115d2:$a1: get_Registry 0x15a39:$a2: SEE_MASK_NOZONECHECKS 0x156db:$a3: Download ERROR 0x15c8b:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13c18:$a5: netsh firewall delete allowedprogram "
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x15a39:$reg: SEE_MASK_NOZONECHECKS 0x156bf:$msg: Execute ERROR 0x15713:$msg: Execute ERROR 0x15c8b:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c18:$s1: netsh firewall delete allowedprogram 0x13c6a:$s2: netsh firewall add allowedprogram 0x15c8b:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156bf:$s4: Execute ERROR 0x15713:$s4: Execute ERROR 0x156db:$s5: Download ERROR
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c18:$s1: netsh firewall delete allowedprogram 0x13c6a:$s2: netsh firewall add allowedprogram 0x15c8b:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156bf:$s4: Execute ERROR 0x15713:$s4: Execute ERROR 0x156db:$s5: Download ERROR
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c18:$s1: netsh firewall delete allowedprogram 0x13c6a:$s2: netsh firewall add allowedprogram 0x15c8b:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156bf:$s4: Execute ERROR 0x15713:$s4: Execute ERROR 0x156db:$s5: Download ERROR
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c18:$s1: netsh firewall delete allowedprogram 0x13c6a:$s2: netsh firewall add allowedprogram 0x15c8b:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156bf:$s4: Execute ERROR 0x15713:$s4: Execute ERROR 0x156db:$s5: Download ERROR
C:\Umbrella.flv.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x15a39:$reg: SEE_MASK_NOZONECHECKS 0x156bf:$msg: Execute ERROR 0x15713:$msg: Execute ERROR 0x15c8b:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Umbrella.flv.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c18:$s1: netsh firewall delete allowedprogram 0x13c6a:$s2: netsh firewall add allowedprogram 0x15c8b:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156bf:$s4: Execute ERROR 0x15713:$s4: Execute ERROR 0x156db:$s5: Download ERROR
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x1547d:$: set cdaudio door closed 0x15441:$: set cdaudio door open 0x15ca1:$: ping 0 0x13412:$: [endof] 0x132cc:$: TiGeR-Firewall 0x132fa:$: NetSnifferCs 0x132b8:$: IPBlocker 0x13314:$: Sandboxie Control
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x1547d:$: set cdaudio door closed 0x15441:$: set cdaudio door open 0x15ca1:$: ping 0 0x13412:$: [endof] 0x132cc:$: TiGeR-Firewall 0x132fa:$: NetSnifferCs 0x132b8:$: IPBlocker 0x13314:$: Sandboxie Control
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	crimeware_njrat_strings	Detects njRAT based on some strings	Sekoia.io	0x15a39:$reg: SEE_MASK_NOZONECHECKS 0x156bf:$msg: Execute ERROR 0x15713:$msg: Execute ERROR 0x15c8b:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	crimeware_njrat_strings	Detects njRAT based on some strings	Sekoia.io	0x15a39:$reg: SEE_MASK_NOZONECHECKS 0x156bf:$msg: Execute ERROR 0x15713:$msg: Execute ERROR 0x15c8b:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x13c18:$s1: netsh firewall delete allowedprogram 0x13c6a:$s2: netsh firewall add allowedprogram 0x15c8b:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156bf:$s4: Execute ERROR 0x15713:$s4: Execute ERROR 0x156db:$s5: Download ERROR
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x13c18:$s1: netsh firewall delete allowedprogram 0x13c6a:$s2: netsh firewall add allowedprogram 0x15c8b:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156bf:$s4: Execute ERROR 0x15713:$s4: Execute ERROR 0x156db:$s5: Download ERROR
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c18:$s1: netsh firewall delete allowedprogram 0x13c6a:$s2: netsh firewall add allowedprogram 0x15c8b:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156bf:$s4: Execute ERROR 0x15713:$s4: Execute ERROR 0x156db:$s5: Download ERROR
Click to see the 85 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2050391420.0000000003CD8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000002.2050391420.0000000003CD8000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x115f2:$a1: get_Registry 0x15a59:$a2: SEE_MASK_NOZONECHECKS 0x156fb:$a3: Download ERROR 0x15cab:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13c38:$a5: netsh firewall delete allowedprogram "
00000000.00000002.2050391420.0000000003CD8000.00000004.00000800.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x15a59:$reg: SEE_MASK_NOZONECHECKS 0x156df:$msg: Execute ERROR 0x15733:$msg: Execute ERROR 0x15cab:$ping: cmd.exe /c ping 0 -n 2 & del
00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000000.2026002461.0000000000622000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000000.2026002461.0000000000622000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x113d2:$a1: get_Registry 0x15839:$a2: SEE_MASK_NOZONECHECKS 0x154db:$a3: Download ERROR 0x15a8b:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13a18:$a5: netsh firewall delete allowedprogram "
00000000.00000000.2026002461.0000000000622000.00000002.00000001.01000000.00000003.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x15839:$reg: SEE_MASK_NOZONECHECKS 0x154bf:$msg: Execute ERROR 0x15513:$msg: Execute ERROR 0x15a8b:$ping: cmd.exe /c ping 0 -n 2 & del
Process Memory Space: Gv10VZCeN7.exe PID: 4208	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: server.exe PID: 5252	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.Gv10VZCeN7.exe.620000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.0.Gv10VZCeN7.exe.620000.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x115d2:$a1: get_Registry 0x15a39:$a2: SEE_MASK_NOZONECHECKS 0x156db:$a3: Download ERROR 0x15c8b:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13c18:$a5: netsh firewall delete allowedprogram "
0.0.Gv10VZCeN7.exe.620000.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x15c8b:$x1: cmd.exe /c ping 0 -n 2 & del " 0x137a4:$s1: winmgmts:\\.\root\SecurityCenter2 0x156f9:$s3: Executed As 0x124f0:$s5: Stub.exe 0x156db:$s6: Download ERROR 0x13766:$s8: Select * From AntiVirusProduct
0.0.Gv10VZCeN7.exe.620000.0.unpack	crimeware_njrat_strings	Detects njRAT based on some strings	Sekoia.io	0x1547d:$: set cdaudio door closed 0x15441:$: set cdaudio door open 0x15ca1:$: ping 0 0x13412:$: [endof] 0x132cc:$: TiGeR-Firewall 0x132fa:$: NetSnifferCs 0x132b8:$: IPBlocker 0x13314:$: Sandboxie Control
0.0.Gv10VZCeN7.exe.620000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x15a39:$reg: SEE_MASK_NOZONECHECKS 0x156bf:$msg: Execute ERROR 0x15713:$msg: Execute ERROR 0x15c8b:$ping: cmd.exe /c ping 0 -n 2 & del
0.0.Gv10VZCeN7.exe.620000.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13c18:$s1: netsh firewall delete allowedprogram 0x13c6a:$s2: netsh firewall add allowedprogram 0x15c8b:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x156bf:$s4: Execute ERROR 0x15713:$s4: Execute ERROR 0x156db:$s5: Download ERROR
Click to see the 1 entries

Sigma Signatures

System Summary

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\server.exe, ProcessId: 5252, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe

Suricata Signatures

ET MALWARE Bladabindi/njRAT CnC Command (ll)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-12T04:22:10.317562+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	49704	178.215.236.227	4411	TCP
2025-01-12T04:22:12.511500+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	49705	178.215.236.227	4411	TCP
2025-01-12T04:22:15.072271+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	49706	178.215.236.227	4411	TCP
2025-01-12T04:22:17.754342+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	49707	178.215.236.227	4411	TCP
2025-01-12T04:22:20.231848+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	49709	178.215.236.227	4411	TCP
2025-01-12T04:22:22.826585+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	49718	178.215.236.227	4411	TCP
2025-01-12T04:22:25.506261+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	49735	178.215.236.227	4411	TCP
2025-01-12T04:22:28.059981+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	49748	178.215.236.227	4411	TCP
2025-01-12T04:22:30.603246+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	49762	178.215.236.227	4411	TCP
2025-01-12T04:22:33.234000+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	49777	178.215.236.227	4411	TCP
2025-01-12T04:22:36.251465+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	49788	178.215.236.227	4411	TCP
2025-01-12T04:22:38.738651+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	49803	178.215.236.227	4411	TCP
2025-01-12T04:22:41.166350+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	49819	178.215.236.227	4411	TCP
2025-01-12T04:22:44.124554+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	49833	178.215.236.227	4411	TCP
2025-01-12T04:22:46.687172+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	49849	178.215.236.227	4411	TCP
2025-01-12T04:22:49.359495+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	49865	178.215.236.227	4411	TCP
2025-01-12T04:22:51.988044+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	49881	178.215.236.227	4411	TCP
2025-01-12T04:22:54.490093+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	49897	178.215.236.227	4411	TCP
2025-01-12T04:22:57.104085+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	49910	178.215.236.227	4411	TCP
2025-01-12T04:22:59.603584+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	49928	178.215.236.227	4411	TCP
2025-01-12T04:23:02.417591+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	49943	178.215.236.227	4411	TCP
2025-01-12T04:23:04.962457+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	49962	178.215.236.227	4411	TCP
2025-01-12T04:23:07.510300+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	49978	178.215.236.227	4411	TCP
2025-01-12T04:23:10.072428+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	49991	178.215.236.227	4411	TCP
2025-01-12T04:23:12.635465+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	49998	178.215.236.227	4411	TCP
2025-01-12T04:23:15.205821+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	49999	178.215.236.227	4411	TCP
2025-01-12T04:23:18.154861+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	50000	178.215.236.227	4411	TCP
2025-01-12T04:23:20.340859+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	50001	178.215.236.227	4411	TCP
2025-01-12T04:23:22.919125+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	50002	178.215.236.227	4411	TCP
2025-01-12T04:23:25.484397+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	50003	178.215.236.227	4411	TCP
2025-01-12T04:23:28.041838+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	50004	178.215.236.227	4411	TCP
2025-01-12T04:23:31.278781+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	50005	178.215.236.227	4411	TCP
2025-01-12T04:23:33.978208+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	50006	178.215.236.227	4411	TCP
2025-01-12T04:23:36.543124+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	50007	178.215.236.227	4411	TCP
2025-01-12T04:23:39.101567+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	50008	178.215.236.227	4411	TCP
2025-01-12T04:23:41.689312+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	50009	178.215.236.227	4411	TCP
2025-01-12T04:23:44.251176+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	50010	178.215.236.227	4411	TCP
2025-01-12T04:23:46.812129+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	50011	178.215.236.227	4411	TCP
2025-01-12T04:23:53.779714+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	50012	178.215.236.227	4411	TCP
2025-01-12T04:23:57.470603+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	50013	178.215.236.227	4411	TCP
2025-01-12T04:23:59.969035+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	50014	178.215.236.227	4411	TCP
2025-01-12T04:24:04.229677+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	50015	178.215.236.227	4411	TCP
2025-01-12T04:24:07.185304+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	50016	178.215.236.227	4411	TCP
2025-01-12T04:24:09.747641+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	50017	178.215.236.227	4411	TCP
2025-01-12T04:24:12.332065+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	50018	178.215.236.227	4411	TCP
2025-01-12T04:24:14.897831+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	50019	178.215.236.227	4411	TCP
2025-01-12T04:24:17.453736+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	50020	178.215.236.227	4411	TCP
2025-01-12T04:24:33.213631+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	50021	178.215.236.227	4411	TCP
2025-01-12T04:24:36.525406+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	50022	178.215.236.227	4411	TCP
2025-01-12T04:24:39.348273+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	50023	178.215.236.227	4411	TCP
2025-01-12T04:24:42.096740+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	50024	178.215.236.227	4411	TCP
2025-01-12T04:24:44.649120+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	50025	178.215.236.227	4411	TCP
2025-01-12T04:24:49.227274+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	50026	178.215.236.227	4411	TCP
2025-01-12T04:24:51.818623+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	50027	178.215.236.227	4411	TCP
2025-01-12T04:24:54.526103+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	50028	178.215.236.227	4411	TCP
2025-01-12T04:24:57.084418+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	50029	178.215.236.227	4411	TCP
2025-01-12T04:24:59.727935+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	50030	178.215.236.227	4411	TCP
2025-01-12T04:25:02.294495+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	50031	178.215.236.227	4411	TCP
2025-01-12T04:25:04.838352+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	50032	178.215.236.227	4411	TCP
2025-01-12T04:25:07.566773+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	50033	178.215.236.227	4411	TCP
2025-01-12T04:25:10.058312+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	50034	178.215.236.227	4411	TCP
2025-01-12T04:25:12.650832+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	50035	178.215.236.227	4411	TCP
2025-01-12T04:25:17.174700+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	50036	178.215.236.227	4411	TCP
2025-01-12T04:25:21.035332+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	50037	178.215.236.227	4411	TCP
2025-01-12T04:25:23.089087+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	50038	178.215.236.227	4411	TCP
2025-01-12T04:25:25.667622+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	50039	178.215.236.227	4411	TCP
2025-01-12T04:25:28.200676+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	50040	178.215.236.227	4411	TCP
2025-01-12T04:25:30.746919+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	50041	178.215.236.227	4411	TCP
2025-01-12T04:25:33.299500+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	50042	178.215.236.227	4411	TCP
2025-01-12T04:25:35.854273+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	50043	178.215.236.227	4411	TCP
2025-01-12T04:25:38.549790+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	50044	178.215.236.227	4411	TCP
2025-01-12T04:25:41.103550+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	50045	178.215.236.227	4411	TCP
2025-01-12T04:25:44.495051+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	50046	178.215.236.227	4411	TCP
2025-01-12T04:25:46.839517+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	50047	178.215.236.227	4411	TCP
2025-01-12T04:25:49.475532+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	50048	178.215.236.227	4411	TCP
2025-01-12T04:25:52.010916+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	50049	178.215.236.227	4411	TCP
2025-01-12T04:25:54.560745+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	50050	178.215.236.227	4411	TCP
2025-01-12T04:25:57.426206+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	50051	178.215.236.227	4411	TCP
2025-01-12T04:26:03.371823+0100	2021176	1	Malware Command and Control Activity Detected	192.168.2.5	50052	178.215.236.227	4411	TCP

ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-12T04:22:10.317562+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	49704	178.215.236.227	4411	TCP
2025-01-12T04:22:12.511500+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	49705	178.215.236.227	4411	TCP
2025-01-12T04:22:15.072271+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	49706	178.215.236.227	4411	TCP
2025-01-12T04:22:17.754342+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	49707	178.215.236.227	4411	TCP
2025-01-12T04:22:20.231848+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	49709	178.215.236.227	4411	TCP
2025-01-12T04:22:22.826585+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	49718	178.215.236.227	4411	TCP
2025-01-12T04:22:25.506261+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	49735	178.215.236.227	4411	TCP
2025-01-12T04:22:28.059981+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	49748	178.215.236.227	4411	TCP
2025-01-12T04:22:30.603246+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	49762	178.215.236.227	4411	TCP
2025-01-12T04:22:33.234000+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	49777	178.215.236.227	4411	TCP
2025-01-12T04:22:36.251465+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	49788	178.215.236.227	4411	TCP
2025-01-12T04:22:38.738651+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	49803	178.215.236.227	4411	TCP
2025-01-12T04:22:41.166350+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	49819	178.215.236.227	4411	TCP
2025-01-12T04:22:44.124554+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	49833	178.215.236.227	4411	TCP
2025-01-12T04:22:46.687172+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	49849	178.215.236.227	4411	TCP
2025-01-12T04:22:49.359495+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	49865	178.215.236.227	4411	TCP
2025-01-12T04:22:51.988044+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	49881	178.215.236.227	4411	TCP
2025-01-12T04:22:54.490093+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	49897	178.215.236.227	4411	TCP
2025-01-12T04:22:57.104085+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	49910	178.215.236.227	4411	TCP
2025-01-12T04:22:59.603584+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	49928	178.215.236.227	4411	TCP
2025-01-12T04:23:02.417591+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	49943	178.215.236.227	4411	TCP
2025-01-12T04:23:04.962457+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	49962	178.215.236.227	4411	TCP
2025-01-12T04:23:07.510300+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	49978	178.215.236.227	4411	TCP
2025-01-12T04:23:10.072428+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	49991	178.215.236.227	4411	TCP
2025-01-12T04:23:12.635465+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	49998	178.215.236.227	4411	TCP
2025-01-12T04:23:15.205821+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	49999	178.215.236.227	4411	TCP
2025-01-12T04:23:18.154861+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	50000	178.215.236.227	4411	TCP
2025-01-12T04:23:20.340859+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	50001	178.215.236.227	4411	TCP
2025-01-12T04:23:22.919125+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	50002	178.215.236.227	4411	TCP
2025-01-12T04:23:25.484397+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	50003	178.215.236.227	4411	TCP
2025-01-12T04:23:28.041838+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	50004	178.215.236.227	4411	TCP
2025-01-12T04:23:31.278781+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	50005	178.215.236.227	4411	TCP
2025-01-12T04:23:33.978208+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	50006	178.215.236.227	4411	TCP
2025-01-12T04:23:36.543124+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	50007	178.215.236.227	4411	TCP
2025-01-12T04:23:39.101567+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	50008	178.215.236.227	4411	TCP
2025-01-12T04:23:41.689312+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	50009	178.215.236.227	4411	TCP
2025-01-12T04:23:44.251176+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	50010	178.215.236.227	4411	TCP
2025-01-12T04:23:46.812129+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	50011	178.215.236.227	4411	TCP
2025-01-12T04:23:53.779714+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	50012	178.215.236.227	4411	TCP
2025-01-12T04:23:57.470603+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	50013	178.215.236.227	4411	TCP
2025-01-12T04:23:59.969035+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	50014	178.215.236.227	4411	TCP
2025-01-12T04:24:04.229677+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	50015	178.215.236.227	4411	TCP
2025-01-12T04:24:07.185304+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	50016	178.215.236.227	4411	TCP
2025-01-12T04:24:09.747641+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	50017	178.215.236.227	4411	TCP
2025-01-12T04:24:12.332065+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	50018	178.215.236.227	4411	TCP
2025-01-12T04:24:14.897831+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	50019	178.215.236.227	4411	TCP
2025-01-12T04:24:17.453736+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	50020	178.215.236.227	4411	TCP
2025-01-12T04:24:33.213631+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	50021	178.215.236.227	4411	TCP
2025-01-12T04:24:36.525406+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	50022	178.215.236.227	4411	TCP
2025-01-12T04:24:39.348273+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	50023	178.215.236.227	4411	TCP
2025-01-12T04:24:42.096740+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	50024	178.215.236.227	4411	TCP
2025-01-12T04:24:44.649120+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	50025	178.215.236.227	4411	TCP
2025-01-12T04:24:49.227274+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	50026	178.215.236.227	4411	TCP
2025-01-12T04:24:51.818623+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	50027	178.215.236.227	4411	TCP
2025-01-12T04:24:54.526103+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	50028	178.215.236.227	4411	TCP
2025-01-12T04:24:57.084418+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	50029	178.215.236.227	4411	TCP
2025-01-12T04:24:59.727935+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	50030	178.215.236.227	4411	TCP
2025-01-12T04:25:02.294495+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	50031	178.215.236.227	4411	TCP
2025-01-12T04:25:04.838352+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	50032	178.215.236.227	4411	TCP
2025-01-12T04:25:07.566773+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	50033	178.215.236.227	4411	TCP
2025-01-12T04:25:10.058312+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	50034	178.215.236.227	4411	TCP
2025-01-12T04:25:12.650832+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	50035	178.215.236.227	4411	TCP
2025-01-12T04:25:17.174700+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	50036	178.215.236.227	4411	TCP
2025-01-12T04:25:21.035332+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	50037	178.215.236.227	4411	TCP
2025-01-12T04:25:23.089087+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	50038	178.215.236.227	4411	TCP
2025-01-12T04:25:25.667622+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	50039	178.215.236.227	4411	TCP
2025-01-12T04:25:28.200676+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	50040	178.215.236.227	4411	TCP
2025-01-12T04:25:30.746919+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	50041	178.215.236.227	4411	TCP
2025-01-12T04:25:33.299500+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	50042	178.215.236.227	4411	TCP
2025-01-12T04:25:35.854273+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	50043	178.215.236.227	4411	TCP
2025-01-12T04:25:38.549790+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	50044	178.215.236.227	4411	TCP
2025-01-12T04:25:41.103550+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	50045	178.215.236.227	4411	TCP
2025-01-12T04:25:44.495051+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	50046	178.215.236.227	4411	TCP
2025-01-12T04:25:46.839517+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	50047	178.215.236.227	4411	TCP
2025-01-12T04:25:49.475532+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	50048	178.215.236.227	4411	TCP
2025-01-12T04:25:52.010916+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	50049	178.215.236.227	4411	TCP
2025-01-12T04:25:54.560745+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	50050	178.215.236.227	4411	TCP
2025-01-12T04:25:57.426206+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	50051	178.215.236.227	4411	TCP
2025-01-12T04:26:03.371823+0100	2033132	1	Malware Command and Control Activity Detected	192.168.2.5	50052	178.215.236.227	4411	TCP

ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-12T04:22:44.336896+0100	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	49833	178.215.236.227	4411	TCP
2025-01-12T04:23:02.554734+0100	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	49943	178.215.236.227	4411	TCP
2025-01-12T04:24:36.625895+0100	2825564	1	Malware Command and Control Activity Detected	192.168.2.5	50022	178.215.236.227	4411	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Gv10VZCeN7.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Notepad.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files (x86)\Explower.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files (x86)\Explower.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files (x86)\Explower.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files (x86)\Explower.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files (x86)\Explower.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files (x86)\Explower.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Umbrella.flv.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\server.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files (x86)\Explower.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files (x86)\Explower.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files (x86)\Explower.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files (x86)\Explower.exe	Avira: detection malicious, Label: TR/Dropper.Gen

Found malware configuration

Source: 0.0.Gv10VZCeN7.exe.620000.0.unpack

Malware Configuration Extractor: Njrat {"Campaign ID": "debil", "Version": "0.7d", "Install Name": "364d88128926b2e822553333b20c197f", "Install Dir": "system", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Network Seprator": "|'|'|"}

Multi AV Scanner detection for dropped file

Source: C:\Notepad.exe	ReversingLabs: Detection: 95%
Source: C:\Notepad.exe	Virustotal: Detection: 70%	Perma Link
Source: C:\Program Files (x86)\Explower.exe	ReversingLabs: Detection: 95%
Source: C:\Program Files (x86)\Explower.exe	Virustotal: Detection: 70%	Perma Link
Source: C:\Umbrella.flv.exe	ReversingLabs: Detection: 95%
Source: C:\Umbrella.flv.exe	Virustotal: Detection: 70%	Perma Link
Source: C:\Users\user\AppData\Local\Explower.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Explower.exe	Virustotal: Detection: 70%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\History\Explower.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Explower.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Explower.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\Desktop\Explower.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\Documents\Explower.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\Favorites\Explower.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\server.exe	ReversingLabs: Detection: 95%
Source: C:\Windows\SysWOW64\Explower.exe	ReversingLabs: Detection: 95%

Multi AV Scanner detection for submitted file

Source: Gv10VZCeN7.exe	Virustotal: Detection: 70%			Perma Link
Source: Gv10VZCeN7.exe	ReversingLabs: Detection: 95%

Yara detected Njrat

Source: Yara match	File source: Gv10VZCeN7.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Gv10VZCeN7.exe.620000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2050391420.0000000003CD8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2026002461.0000000000622000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Gv10VZCeN7.exe PID: 4208, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server.exe PID: 5252, type: MEMORYSTR
Source: Yara match	File source: C:\Program Files (x86)\Explower.exe, type: DROPPED
Source: Yara match	File source: C:\Notepad.exe, type: DROPPED
Source: Yara match	File source: C:\Umbrella.flv.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\server.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe, type: DROPPED

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	Joe Sandbox ML: detected
Source: C:\Notepad.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explower.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explower.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explower.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explower.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explower.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explower.exe	Joe Sandbox ML: detected
Source: C:\Umbrella.flv.exe	Joe Sandbox ML: detected
Source: C:\Users\user\server.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explower.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explower.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explower.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explower.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Gv10VZCeN7.exe

Joe Sandbox ML: detected

Source: Gv10VZCeN7.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\Gv10VZCeN7.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: Gv10VZCeN7.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Spreading

Creates autorun.inf (USB autostart)

Source: C:\Users\user\server.exe

File created: C:\autorun.inf

Jump to behavior

Source: Gv10VZCeN7.exe, 00000000.00000002.2050391420.0000000003CD8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \autorun.inf
Source: Gv10VZCeN7.exe, 00000000.00000002.2050391420.0000000003CD8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: Gv10VZCeN7.exe, 00000000.00000002.2050391420.0000000003CD8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: Gv10VZCeN7.exe, 00000000.00000000.2026002461.0000000000622000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: \autorun.inf
Source: Gv10VZCeN7.exe, 00000000.00000000.2026002461.0000000000622000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: [autorun]
Source: Gv10VZCeN7.exe, 00000000.00000000.2026002461.0000000000622000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: autorun.inf
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \autorun.inf
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autorun.inf$OPk
Source: Gv10VZCeN7.exe	Binary or memory string: \autorun.inf
Source: Gv10VZCeN7.exe	Binary or memory string: [autorun]
Source: Gv10VZCeN7.exe	Binary or memory string: autorun.inf
Source: Discord.exe.2.dr	Binary or memory string: \autorun.inf
Source: Discord.exe.2.dr	Binary or memory string: [autorun]
Source: Discord.exe.2.dr	Binary or memory string: autorun.inf
Source: autorun.inf.2.dr	Binary or memory string: [autorun]
Source: Notepad.exe.2.dr	Binary or memory string: \autorun.inf
Source: Notepad.exe.2.dr	Binary or memory string: [autorun]
Source: Notepad.exe.2.dr	Binary or memory string: autorun.inf
Source: Explower.exe7.2.dr	Binary or memory string: \autorun.inf
Source: Explower.exe7.2.dr	Binary or memory string: [autorun]
Source: Explower.exe7.2.dr	Binary or memory string: autorun.inf
Source: Explower.exe2.2.dr	Binary or memory string: \autorun.inf
Source: Explower.exe2.2.dr	Binary or memory string: [autorun]
Source: Explower.exe2.2.dr	Binary or memory string: autorun.inf
Source: Explower.exe5.2.dr	Binary or memory string: \autorun.inf
Source: Explower.exe5.2.dr	Binary or memory string: [autorun]
Source: Explower.exe5.2.dr	Binary or memory string: autorun.inf
Source: Explower.exe4.2.dr	Binary or memory string: \autorun.inf
Source: Explower.exe4.2.dr	Binary or memory string: [autorun]
Source: Explower.exe4.2.dr	Binary or memory string: autorun.inf
Source: Explower.exe0.2.dr	Binary or memory string: \autorun.inf
Source: Explower.exe0.2.dr	Binary or memory string: [autorun]
Source: Explower.exe0.2.dr	Binary or memory string: autorun.inf
Source: 364d88128926b2e822553333b20c197fWindows Update.exe.2.dr	Binary or memory string: \autorun.inf
Source: 364d88128926b2e822553333b20c197fWindows Update.exe.2.dr	Binary or memory string: [autorun]
Source: 364d88128926b2e822553333b20c197fWindows Update.exe.2.dr	Binary or memory string: autorun.inf
Source: Explower.exe8.2.dr	Binary or memory string: \autorun.inf
Source: Explower.exe8.2.dr	Binary or memory string: [autorun]
Source: Explower.exe8.2.dr	Binary or memory string: autorun.inf
Source: Umbrella.flv.exe.2.dr	Binary or memory string: \autorun.inf
Source: Umbrella.flv.exe.2.dr	Binary or memory string: [autorun]
Source: Umbrella.flv.exe.2.dr	Binary or memory string: autorun.inf
Source: server.exe.0.dr	Binary or memory string: \autorun.inf
Source: server.exe.0.dr	Binary or memory string: [autorun]
Source: server.exe.0.dr	Binary or memory string: autorun.inf
Source: Explower.exe1.2.dr	Binary or memory string: \autorun.inf
Source: Explower.exe1.2.dr	Binary or memory string: [autorun]
Source: Explower.exe1.2.dr	Binary or memory string: autorun.inf
Source: Explower.exe.2.dr	Binary or memory string: \autorun.inf
Source: Explower.exe.2.dr	Binary or memory string: [autorun]
Source: Explower.exe.2.dr	Binary or memory string: autorun.inf
Source: Explower.exe3.2.dr	Binary or memory string: \autorun.inf
Source: Explower.exe3.2.dr	Binary or memory string: [autorun]
Source: Explower.exe3.2.dr	Binary or memory string: autorun.inf
Source: Explower.exe6.2.dr	Binary or memory string: \autorun.inf
Source: Explower.exe6.2.dr	Binary or memory string: [autorun]
Source: Explower.exe6.2.dr	Binary or memory string: autorun.inf

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49705 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49705 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49709 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49704 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49704 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49709 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49707 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49706 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49707 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49706 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49735 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49735 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49718 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49718 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49762 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49762 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49788 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49788 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49803 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49803 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49819 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49819 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49833 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49777 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49777 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49833 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49748 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49748 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49849 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49849 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:49833 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49910 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49910 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49881 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49881 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49897 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49897 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49978 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49978 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49928 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49943 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49928 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49943 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:49943 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49991 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49991 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49865 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:50001 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:50001 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:50000 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:50000 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:50012 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49998 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:50008 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49865 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:50012 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:50006 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:50006 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49998 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:50016 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:50007 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:50008 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:50018 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:50018 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49999 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:50007 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:50023 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49999 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:50023 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:50011 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:50031 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:50025 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:50011 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:50016 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:50025 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:50031 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:50036 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:50009 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:50033 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:50033 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:50021 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:50039 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:50036 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:50049 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:50021 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:50039 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:50020 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:50020 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:50017 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:50047 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:50041 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:50043 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:50041 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:50043 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:50027 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:50049 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:50050 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:50051 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:50002 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:50051 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:50005 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:50002 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:50005 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:50032 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:50032 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:50009 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:50047 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:50013 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:50034 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:50019 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:50034 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:50010 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:50019 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:50010 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:50038 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:50038 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:50050 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49962 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:50048 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:50026 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:50048 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49962 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:50014 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:50014 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:50044 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:50044 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:50017 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:50052 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:50052 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:50028 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:50027 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:50026 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:50004 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:50045 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:50029 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:50037 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:50045 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:50013 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:50046 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:50046 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:50042 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:50042 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:50004 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:50024 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:50037 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:50024 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:50029 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:50030 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:50030 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:50040 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:50040 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:50035 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:50035 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:50028 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:50003 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:50003 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:50015 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:50015 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:50022 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:50022 -> 178.215.236.227:4411
Source: Network traffic	Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:50022 -> 178.215.236.227:4411

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 178.215.236.227:4411

Source: Joe Sandbox View

ASN Name: LVLT-10753US LVLT-10753US

Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.227
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.227
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.227
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.227
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.227
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.227
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.227
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.227
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.227
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.227
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.227
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.227
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.227
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.227
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.227
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.227
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.227
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.227
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.227
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.227
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.227
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.227
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.227
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.227
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.227
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.227
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.227
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.227
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.227
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.227
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.227
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.227
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.227
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.227
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.227
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.227
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.227
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.227
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.227
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.227
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.227
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.227
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.227
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.227
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.227
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.227
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.227
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.227
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.227
Source: unknown	TCP traffic detected without corresponding DNS query: 178.215.236.227

Source: Explower.exe, 0000000F.00000002.2385063463.00000000010EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.micros
Source: server.exe, 00000002.00000002.4479035775.0000000000E17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.
Source: server.exe, 00000002.00000002.4479035775.0000000000E17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.LinkId=42127

Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\server.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior

E-Banking Fraud

Yara detected Njrat

Source: Yara match	File source: Gv10VZCeN7.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Gv10VZCeN7.exe.620000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2050391420.0000000003CD8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2026002461.0000000000622000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Gv10VZCeN7.exe PID: 4208, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server.exe PID: 5252, type: MEMORYSTR
Source: Yara match	File source: C:\Program Files (x86)\Explower.exe, type: DROPPED
Source: Yara match	File source: C:\Notepad.exe, type: DROPPED
Source: Yara match	File source: C:\Umbrella.flv.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\server.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: Gv10VZCeN7.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: Gv10VZCeN7.exe, type: SAMPLE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: Gv10VZCeN7.exe, type: SAMPLE	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: Gv10VZCeN7.exe, type: SAMPLE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: Gv10VZCeN7.exe, type: SAMPLE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.0.Gv10VZCeN7.exe.620000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.0.Gv10VZCeN7.exe.620000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.0.Gv10VZCeN7.exe.620000.0.unpack, type: UNPACKEDPE	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: 0.0.Gv10VZCeN7.exe.620000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.Gv10VZCeN7.exe.620000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000000.00000002.2050391420.0000000003CD8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000002.2050391420.0000000003CD8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000000.2026002461.0000000000622000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000000.2026002461.0000000000622000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: C:\Notepad.exe, type: DROPPED	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Umbrella.flv.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Umbrella.flv.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\server.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe, type: DROPPED	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe, type: DROPPED	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: C:\Umbrella.flv.exe, type: DROPPED	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Umbrella.flv.exe, type: DROPPED	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\server.exe, type: DROPPED	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\server.exe, type: DROPPED	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: C:\Users\user\server.exe, type: DROPPED	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\server.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Umbrella.flv.exe, type: DROPPED	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: C:\Umbrella.flv.exe, type: DROPPED	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: C:\Umbrella.flv.exe, type: DROPPED	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe, type: DROPPED	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Umbrella.flv.exe, type: DROPPED	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Umbrella.flv.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe, type: DROPPED	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe, type: DROPPED	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe, type: DROPPED	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe, type: DROPPED	Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe, type: DROPPED	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe, type: DROPPED	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen

Source: C:\Users\user\server.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\server.exe	Code function: 2_2_00CDBF22 NtQuerySystemInformation,		2_2_00CDBF22
Source: C:\Users\user\server.exe	Code function: 2_2_00CDBEF1 NtQuerySystemInformation,		2_2_00CDBEF1

Source: C:\Users\user\server.exe

File created: C:\Windows\SysWOW64\Explower.exe

Jump to behavior

Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Code function: 0_2_04DF4290	0_2_04DF4290
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Code function: 0_2_04DF50DB	0_2_04DF50DB
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Code function: 0_2_04DF5055	0_2_04DF5055
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Code function: 0_2_04DF4B53	0_2_04DF4B53
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Code function: 0_2_04DF47CC	0_2_04DF47CC
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Code function: 0_2_04DF427F	0_2_04DF427F
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Code function: 0_2_04DF4FF8	0_2_04DF4FF8
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Code function: 0_2_04DF49F1	0_2_04DF49F1
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Code function: 0_2_04DF44E9	0_2_04DF44E9
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Code function: 0_2_04DF5367	0_2_04DF5367
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Code function: 0_2_04DF4F95	0_2_04DF4F95
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Code function: 0_2_04DF4995	0_2_04DF4995
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Code function: 0_2_04DF4707	0_2_04DF4707
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Code function: 0_2_04DF4C87	0_2_04DF4C87
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Code function: 0_2_04DF453C	0_2_04DF453C
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Code function: 0_2_04DF492E	0_2_04DF492E
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Code function: 0_2_04DF4628	0_2_04DF4628
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Code function: 0_2_04DF4F27	0_2_04DF4F27
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Code function: 0_2_04DF5451	0_2_04DF5451
Source: C:\Users\user\server.exe	Code function: 2_2_04EC7AA0	2_2_04EC7AA0
Source: C:\Users\user\server.exe	Code function: 2_2_04EC4298	2_2_04EC4298
Source: C:\Users\user\server.exe	Code function: 2_2_04EC7667	2_2_04EC7667
Source: C:\Users\user\server.exe	Code function: 2_2_04EC49F9	2_2_04EC49F9
Source: C:\Users\user\server.exe	Code function: 2_2_04EC44F1	2_2_04EC44F1
Source: C:\Users\user\server.exe	Code function: 2_2_04EC47D4	2_2_04EC47D4
Source: C:\Users\user\server.exe	Code function: 2_2_04EC499D	2_2_04EC499D
Source: C:\Users\user\server.exe	Code function: 2_2_04EC4269	2_2_04EC4269
Source: C:\Users\user\server.exe	Code function: 2_2_04EC4544	2_2_04EC4544
Source: C:\Users\user\server.exe	Code function: 2_2_04EC4B5B	2_2_04EC4B5B
Source: C:\Users\user\server.exe	Code function: 2_2_04EC4936	2_2_04EC4936
Source: C:\Users\user\server.exe	Code function: 2_2_04EC4630	2_2_04EC4630
Source: C:\Users\user\server.exe	Code function: 2_2_04EC470F	2_2_04EC470F
Source: C:\Users\user\server.exe	Code function: 2_2_04EC50E3	2_2_04EC50E3
Source: C:\Users\user\server.exe	Code function: 2_2_04EC4C8F	2_2_04EC4C8F
Source: C:\Users\user\server.exe	Code function: 2_2_04EC4F9D	2_2_04EC4F9D
Source: C:\Users\user\server.exe	Code function: 2_2_04EC536F	2_2_04EC536F
Source: C:\Users\user\server.exe	Code function: 2_2_04EC505D	2_2_04EC505D
Source: C:\Users\user\server.exe	Code function: 2_2_04EC5459	2_2_04EC5459
Source: C:\Users\user\server.exe	Code function: 2_2_04EC4F2F	2_2_04EC4F2F
Source: C:\Users\user\server.exe	Code function: 2_2_04EC5000	2_2_04EC5000

Source: Gv10VZCeN7.exe, 00000000.00000002.2049173719.0000000000A1E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenamemscorwks.dllT vs Gv10VZCeN7.exe

Source: Gv10VZCeN7.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Gv10VZCeN7.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: Gv10VZCeN7.exe, type: SAMPLE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Gv10VZCeN7.exe, type: SAMPLE	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: Gv10VZCeN7.exe, type: SAMPLE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: Gv10VZCeN7.exe, type: SAMPLE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.0.Gv10VZCeN7.exe.620000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.0.Gv10VZCeN7.exe.620000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.Gv10VZCeN7.exe.620000.0.unpack, type: UNPACKEDPE	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: 0.0.Gv10VZCeN7.exe.620000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.0.Gv10VZCeN7.exe.620000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000000.00000002.2050391420.0000000003CD8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000002.2050391420.0000000003CD8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000000.2026002461.0000000000622000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000000.2026002461.0000000000622000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Notepad.exe, type: DROPPED	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Notepad.exe, type: DROPPED	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: C:\Notepad.exe, type: DROPPED	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: C:\Notepad.exe, type: DROPPED	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: C:\Notepad.exe, type: DROPPED	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: C:\Notepad.exe, type: DROPPED	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: C:\Notepad.exe, type: DROPPED	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Notepad.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Umbrella.flv.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Umbrella.flv.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Users\user\server.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe, type: DROPPED	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe, type: DROPPED	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: C:\Umbrella.flv.exe, type: DROPPED	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Umbrella.flv.exe, type: DROPPED	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\server.exe, type: DROPPED	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\server.exe, type: DROPPED	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: C:\Users\user\server.exe, type: DROPPED	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\server.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Umbrella.flv.exe, type: DROPPED	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: C:\Umbrella.flv.exe, type: DROPPED	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: C:\Umbrella.flv.exe, type: DROPPED	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe, type: DROPPED	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Umbrella.flv.exe, type: DROPPED	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Umbrella.flv.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe, type: DROPPED	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe, type: DROPPED	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe, type: DROPPED	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe, type: DROPPED	Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe, type: DROPPED	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe, type: DROPPED	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi

Source: classification engine

Classification label: mal100.spre.phis.troj.adwa.evad.winEXE@16/24@0/1

Source: C:\Users\user\server.exe	Code function: 2_2_00CDBDA6 AdjustTokenPrivileges,		2_2_00CDBDA6
Source: C:\Users\user\server.exe	Code function: 2_2_00CDBD6F AdjustTokenPrivileges,		2_2_00CDBD6F

Source: C:\Users\user\server.exe

File created: C:\Program Files (x86)\Explower.exe

Jump to behavior

Source: C:\Users\user\Desktop\Gv10VZCeN7.exe

File created: C:\Users\user\AppData\Roaming\app

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2128:120:WilError_03
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5440:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2828:120:WilError_03
Source: C:\Users\user\server.exe	Mutant created: \Sessions\1\BaseNamedObjects\364d88128926b2e822553333b20c197f
Source: C:\Users\user\server.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: C:\Users\user\Desktop\Gv10VZCeN7.exe

File created: C:\Users\user\AppData\Local\Temp\FransescoPast.txt

Jump to behavior

Source: Gv10VZCeN7.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Gv10VZCeN7.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Gv10VZCeN7.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Gv10VZCeN7.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Gv10VZCeN7.exe	Virustotal: Detection: 70%
Source: Gv10VZCeN7.exe	ReversingLabs: Detection: 95%

Source: C:\Users\user\Desktop\Gv10VZCeN7.exe

File read: C:\Users\user\Desktop\Gv10VZCeN7.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Gv10VZCeN7.exe "C:\Users\user\Desktop\Gv10VZCeN7.exe"
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Process created: C:\Users\user\server.exe "C:\Users\user\server.exe"
Source: C:\Users\user\server.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\server.exe" "server.exe" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\server.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall delete allowedprogram "C:\Users\user\server.exe"
Source: C:\Users\user\server.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\server.exe" "server.exe" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe"
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Process created: C:\Users\user\server.exe "C:\Users\user\server.exe"	Jump to behavior
Source: C:\Users\user\server.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\server.exe" "server.exe" ENABLE	Jump to behavior
Source: C:\Users\user\server.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall delete allowedprogram "C:\Users\user\server.exe"	Jump to behavior
Source: C:\Users\user\server.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\server.exe" "server.exe" ENABLE	Jump to behavior

Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\server.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\server.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\server.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\server.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\server.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\server.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\server.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\server.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\server.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\server.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\server.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\server.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\server.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\server.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\server.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\server.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\server.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\server.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\server.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Section loaded: shfolder.dll	Jump to behavior

Source: C:\Users\user\server.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Gv10VZCeN7.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: Gv10VZCeN7.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\Gv10VZCeN7.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: Gv10VZCeN7.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Persistence and Installation Behavior

Drops PE files to the document folder of the user

Source: C:\Users\user\server.exe

File created: C:\Users\user\Documents\Explower.exe

Jump to dropped file

Source: C:\Users\user\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Jump to dropped file
Source: C:\Users\user\server.exe	File created: C:\Users\user\Desktop\Explower.exe	Jump to dropped file
Source: C:\Users\user\server.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Explower.exe	Jump to dropped file
Source: C:\Users\user\server.exe	File created: C:\Notepad.exe	Jump to dropped file
Source: C:\Users\user\server.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\History\Explower.exe	Jump to dropped file
Source: C:\Users\user\server.exe	File created: C:\Windows\SysWOW64\Explower.exe	Jump to dropped file
Source: C:\Users\user\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Jump to dropped file
Source: C:\Users\user\server.exe	File created: C:\Program Files (x86)\Explower.exe	Jump to dropped file
Source: C:\Users\user\server.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Explower.exe	Jump to dropped file
Source: C:\Users\user\server.exe	File created: C:\Users\user\AppData\Local\Explower.exe	Jump to dropped file
Source: C:\Users\user\server.exe	File created: C:\Umbrella.flv.exe	Jump to dropped file
Source: C:\Users\user\server.exe	File created: C:\Users\user\Favorites\Explower.exe	Jump to dropped file
Source: C:\Users\user\server.exe	File created: C:\Users\user\Documents\Explower.exe	Jump to dropped file
Source: C:\Users\user\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	File created: C:\Users\user\server.exe	Jump to dropped file

Source: C:\Users\user\server.exe

File created: C:\Program Files (x86)\Explower.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Gv10VZCeN7.exe

File created: C:\Users\user\server.exe

Jump to dropped file

Source: C:\Users\user\server.exe

File created: C:\Windows\SysWOW64\Explower.exe

Jump to dropped file

Boot Survival

Drops PE files to the startup folder

Source: C:\Users\user\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Jump to dropped file
Source: C:\Users\user\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Jump to dropped file
Source: C:\Users\user\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	Jump to dropped file

Drops PE files to the user root directory

Source: C:\Users\user\Desktop\Gv10VZCeN7.exe

File created: C:\Users\user\server.exe

Jump to dropped file

Source: C:\Users\user\server.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe

Jump to behavior

Source: C:\Users\user\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	Jump to behavior
Source: C:\Users\user\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Jump to behavior
Source: C:\Users\user\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Jump to behavior

Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Memory allocated: E50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Memory allocated: 2CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Memory allocated: FD0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: D40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 2D20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 4D20000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 5F90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 6F90000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 70C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 83C0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 8620000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 9620000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: A620000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: B620000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: BAD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: BAD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: CAD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: DAD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: EAD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: FAD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 10AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 11AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 12AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: A800000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 13AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 14AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 15AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 16AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 17AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 15AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 18AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 19AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 1AAD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 1BAD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 1CAD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 1DAD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 1EAD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 1FAD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 20AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: B2A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: B6E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: B820000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: C5E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: D5E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: E5E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: F5E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 105E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 115E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 125E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 135E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 145E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 155E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 165E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 175E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 185E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 195E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 1A5E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 1B5E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 1C5E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 1D5E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 1E5E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 1F5E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 205E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 215E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 225E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 235E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 245E0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 25890000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 26890000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 27890000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 28890000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 29890000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 2A890000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 2B890000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 2C890000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 2D890000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 2E890000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 2F890000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 30890000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 31890000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 32890000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 33890000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 34890000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 35890000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 36890000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 37890000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 38890000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 116E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 126E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: CE60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: DE60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 136E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 146E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: D4A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: D720000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: E720000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: F720000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 156E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 166E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 176E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\server.exe	Memory allocated: 186E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Memory allocated: C30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Memory allocated: 2C80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Memory allocated: 2840000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	Memory allocated: 11E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	Memory allocated: 2E60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	Memory allocated: 4E60000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Memory allocated: 1370000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Memory allocated: 2FD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Memory allocated: 4FD0000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\server.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\server.exe	Window / User API: threadDelayed 2833	Jump to behavior
Source: C:\Users\user\server.exe	Window / User API: threadDelayed 1844	Jump to behavior
Source: C:\Users\user\server.exe	Window / User API: foregroundWindowGot 477	Jump to behavior
Source: C:\Users\user\server.exe	Window / User API: foregroundWindowGot 502	Jump to behavior
Source: C:\Users\user\server.exe	Window / User API: foregroundWindowGot 359	Jump to behavior

Source: C:\Users\user\Desktop\Gv10VZCeN7.exe TID: 7084	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\server.exe TID: 4028	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\server.exe TID: 5752	Thread sleep time: -1416500s >= -30000s	Jump to behavior
Source: C:\Users\user\server.exe TID: 5592	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\server.exe TID: 5752	Thread sleep time: -922000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe TID: 2956	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe TID: 6152	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe TID: 2284	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Gv10VZCeN7.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\server.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior

Source: netsh.exe, 00000005.00000003.2115220192.0000000000B31000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll;
Source: netsh.exe, 00000006.00000002.2139559727.000000000060A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll0
Source: Gv10VZCeN7.exe, 00000000.00000002.2049173719.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\|A
Source: server.exe, 00000002.00000002.4479035775.0000000000E17000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000003.00000003.2070019618.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\server.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\server.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Gv10VZCeN7.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Gv10VZCeN7.exe

Process created: C:\Users\user\server.exe "C:\Users\user\server.exe"

Jump to behavior

Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 22:23:35 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 22:22:03 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 22:24:34 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/14 \| 17:02:23 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 22:22:23 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/12 \| 12:02:43 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 22:22:36 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/14 \| 18:11:18 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/14 \| 17:51:00 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 22:22:51 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 22:22:56 - Program Manager
Source: server.exe, 00000002.00000002.4478833737.0000000000DE1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Rh Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 23:12:21 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 22:23:14 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 22:24:26 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/12 \| 06:51:53 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 22:22:02 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 22:24:42 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/12 \| 10:31:35 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/14 \| 18:34:39 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/12 \| 11:50:24 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 22:22:52 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 22:25:21 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 23:53:14 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 22:22:55 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 23:38:45 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 22:22:42 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/14 \| 18:57:00 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/14 \| 17:02:52 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 22:24:18 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/12 \| 10:04:00 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 22:23:26 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/14 \| 18:27:48 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 22:23:46 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 22:22:14 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 22:22:34 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 22:22:44 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 22:22:53 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/14 \| 19:23:38 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/12 \| 05:17:36 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/12 \| 11:40:10 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 22:22:13 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/12 \| 07:44:30 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 23:10:18 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 22:27:00 - Program Manager
Source: Gv10VZCeN7.exe, 00000000.00000002.2050647648.000000000505B000.00000004.00000010.00020000.00000000.sdmp, Gv10VZCeN7.exe, 00000000.00000002.2050289009.0000000002D03000.00000004.00000800.00020000.00000000.sdmp, Gv10VZCeN7.exe, 00000000.00000002.2050289009.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: Gv10VZCeN7.exe, Discord.exe.2.dr, Notepad.exe.2.dr, Explower.exe7.2.dr, Explower.exe2.2.dr, Explower.exe5.2.dr, Explower.exe4.2.dr, Explower.exe0.2.dr, 364d88128926b2e822553333b20c197fWindows Update.exe.2.dr, Explower.exe8.2.dr, Umbrella.flv.exe.2.dr	Binary or memory string: ProgMan
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 178.215.236.22724 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/14 \| 17:03:04 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 22:22:41 - Program Manager
Source: Gv10VZCeN7.exe, 00000000.00000002.2050289009.0000000002D03000.00000004.00000800.00020000.00000000.sdmp, Gv10VZCeN7.exe, 00000000.00000002.2050289009.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, Gv10VZCeN7.exe, 00000000.00000002.2050289009.0000000002D0A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: kedProgram Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 22:24:09 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 22:22:59 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/12 \| 11:00:05 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 23:31:02 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 22:23:00 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 22:22:12 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/12 \| 10:12:25 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 22:22:45 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 22:26:19 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 22:22:58 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/14 \| 18:06:28 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/14 \| 18:17:43 - Program Manager
Source: Gv10VZCeN7.exe, Discord.exe.2.dr, Notepad.exe.2.dr, Explower.exe7.2.dr, Explower.exe2.2.dr, Explower.exe5.2.dr, Explower.exe4.2.dr, Explower.exe0.2.dr, 364d88128926b2e822553333b20c197fWindows Update.exe.2.dr, Explower.exe8.2.dr, Umbrella.flv.exe.2.dr	Binary or memory string: Shell_traywnd+MostrarBarraDeTarefas
Source: Gv10VZCeN7.exe, 00000000.00000002.2050647648.000000000505B000.00000004.00000010.00020000.00000000.sdmp, Discord.exe, 0000000E.00000002.2315852377.00000000052FB000.00000004.00000010.00020000.00000000.sdmp, Explower.exe, 0000000F.00000002.2407959456.00000000054BB000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: dProgram Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 22:24:05 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/14 \| 18:26:41 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/14 \| 19:35:03 - Program Manager
Source: Gv10VZCeN7.exe, Discord.exe.2.dr, Notepad.exe.2.dr, Explower.exe7.2.dr, Explower.exe2.2.dr, Explower.exe5.2.dr, Explower.exe4.2.dr, Explower.exe0.2.dr, 364d88128926b2e822553333b20c197fWindows Update.exe.2.dr, Explower.exe8.2.dr, Umbrella.flv.exe.2.dr	Binary or memory string: Shell_TrayWnd
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 22:23:13 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 22:34:14 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/14 \| 18:15:22 - Program Manager
Source: Gv10VZCeN7.exe, 00000000.00000002.2050289009.0000000002D0A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 22:22:01 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 22:23:09 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 22:22:11 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 22:22:50 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/12 \| 10:05:56 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 22:22:47 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 22:25:06 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/12 \| 11:54:24 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/14 \| 19:35:18 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 22:22:57 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/12 \| 00:25:55 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 22:24:14 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/12 \| 00:48:23 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/14 \| 18:26:52 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/14 \| 16:32:22 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 22:23:28 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/12 \| 11:50:49 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 22:23:08 - Program Manager
Source: server.exe, 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25/01/11 \| 22:24:54 - Program Manager

Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\server.exe

Code function: 2_2_00CDA5EE GetUserNameW,

2_2_00CDA5EE

Source: C:\Users\user\server.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disables the Windows task manager (taskmgr)

Source: C:\Users\user\server.exe

Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr

Jump to behavior

Disables zone checking for all users

Source: C:\Users\user\server.exe

Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS

Jump to behavior

Modifies the windows firewall

Source: C:\Users\user\server.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\server.exe" "server.exe" ENABLE

Uses netsh to modify the Windows network and firewall settings

Source: C:\Users\user\server.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\server.exe" "server.exe" ENABLE

Stealing of Sensitive Information

Yara detected Njrat

Source: Yara match	File source: Gv10VZCeN7.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Gv10VZCeN7.exe.620000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2050391420.0000000003CD8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2026002461.0000000000622000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Gv10VZCeN7.exe PID: 4208, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server.exe PID: 5252, type: MEMORYSTR
Source: Yara match	File source: C:\Program Files (x86)\Explower.exe, type: DROPPED
Source: Yara match	File source: C:\Notepad.exe, type: DROPPED
Source: Yara match	File source: C:\Umbrella.flv.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\server.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe, type: DROPPED

Remote Access Functionality

Yara detected Njrat

Source: Yara match	File source: Gv10VZCeN7.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Gv10VZCeN7.exe.620000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2050391420.0000000003CD8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2026002461.0000000000622000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Gv10VZCeN7.exe PID: 4208, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server.exe PID: 5252, type: MEMORYSTR
Source: Yara match	File source: C:\Program Files (x86)\Explower.exe, type: DROPPED
Source: Yara match	File source: C:\Notepad.exe, type: DROPPED
Source: Yara match	File source: C:\Umbrella.flv.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\server.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	11 Replication Through Removable Media	Windows Management Instrumentation	12 Registry Run Keys / Startup Folder	1 Access Token Manipulation	142 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	12 Process Injection	41 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Clipboard Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	12 Registry Run Keys / Startup Folder	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Access Token Manipulation	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Process Injection	LSA Secrets	1 Peripheral Device Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Account Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	2 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	12 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Gv10VZCeN7.exe	71%	Virustotal		Browse
Gv10VZCeN7.exe	96%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
Gv10VZCeN7.exe	100%	Avira	TR/Dropper.Gen
Gv10VZCeN7.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	100%	Avira	TR/Dropper.Gen
C:\Notepad.exe	100%	Avira	TR/Dropper.Gen
C:\Program Files (x86)\Explower.exe	100%	Avira	TR/Dropper.Gen
C:\Program Files (x86)\Explower.exe	100%	Avira	TR/Dropper.Gen
C:\Program Files (x86)\Explower.exe	100%	Avira	TR/Dropper.Gen
C:\Program Files (x86)\Explower.exe	100%	Avira	TR/Dropper.Gen
C:\Program Files (x86)\Explower.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	100%	Avira	TR/Dropper.Gen
C:\Program Files (x86)\Explower.exe	100%	Avira	TR/Dropper.Gen
C:\Umbrella.flv.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\server.exe	100%	Avira	TR/Dropper.Gen
C:\Program Files (x86)\Explower.exe	100%	Avira	TR/Dropper.Gen
C:\Program Files (x86)\Explower.exe	100%	Avira	TR/Dropper.Gen
C:\Program Files (x86)\Explower.exe	100%	Avira	TR/Dropper.Gen
C:\Program Files (x86)\Explower.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	100%	Joe Sandbox ML
C:\Notepad.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Explower.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Explower.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Explower.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Explower.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Explower.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Explower.exe	100%	Joe Sandbox ML
C:\Umbrella.flv.exe	100%	Joe Sandbox ML
C:\Users\user\server.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Explower.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Explower.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Explower.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Explower.exe	100%	Joe Sandbox ML
C:\Notepad.exe	96%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
C:\Notepad.exe	71%	Virustotal		Browse
C:\Program Files (x86)\Explower.exe	96%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
C:\Program Files (x86)\Explower.exe	71%	Virustotal		Browse
C:\Umbrella.flv.exe	96%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
C:\Umbrella.flv.exe	71%	Virustotal		Browse
C:\Users\user\AppData\Local\Explower.exe	96%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\AppData\Local\Explower.exe	71%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\History\Explower.exe	96%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Explower.exe	96%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Explower.exe	96%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe	96%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe	96%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	96%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\Desktop\Explower.exe	96%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\Documents\Explower.exe	96%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\Favorites\Explower.exe	96%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\server.exe	96%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
C:\Windows\SysWOW64\Explower.exe	96%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT

Name	Source	Malicious	Reputation
http://go.microsoft.	server.exe, 00000002.00000002.4479035775.0000000000E17000.00000004.00000020.00020000.00000000.sdmp	false	high
http://go.microsoft.LinkId=42127	server.exe, 00000002.00000002.4479035775.0000000000E17000.00000004.00000020.00020000.00000000.sdmp	false	high
http://go.micros	Explower.exe, 0000000F.00000002.2385063463.00000000010EE000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
178.215.236.227	unknown	Germany		10753	LVLT-10753US	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1589384
Start date and time:	2025-01-12 04:21:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Gv10VZCeN7.exe renamed because original name is a hash value
Original Sample Name:	1ed0c2e213e674c8a95694c9e19361c7.exe
Detection:	MAL
Classification:	mal100.spre.phis.troj.adwa.evad.winEXE@16/24@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 173 Number of non-executed functions: 17
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:22:05	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe
04:22:14	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe
04:22:24	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe
22:22:44	API Interceptor	130885x Sleep call for process: server.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
LVLT-10753US	http://trustwallet.secure-configure.com/trst.php	Get hash	malicious	Unknown	Browse	178.215.224.142
	https://trustwallet.secure-configure.com/trst.php/	Get hash	malicious	Unknown	Browse	178.215.224.142
	mhPGrMEkjq.exe	Get hash	malicious	Njrat	Browse	178.215.224.223
	fqkjei686.elf	Get hash	malicious	Unknown	Browse	178.215.238.112
	wrjkngh4.elf	Get hash	malicious	Unknown	Browse	178.215.238.112
	vevhea4.elf	Get hash	malicious	Unknown	Browse	178.215.238.112
	qbfwdbg.elf	Get hash	malicious	Unknown	Browse	178.215.238.112
	wlw68k.elf	Get hash	malicious	Unknown	Browse	178.215.238.112
	ivwebcda7.elf	Get hash	malicious	Mirai	Browse	178.215.238.112
	fbhervbhsl.elf	Get hash	malicious	Unknown	Browse	178.215.238.112

Process:	C:\Users\user\server.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.562169391138688
Encrypted:	false
SSDEEP:	768:/Y34G/jglPPMJI08+EyrERm9hX+JlwA461mXxrjEtCdnl2pi1Rz4Rk3qsGdpYgS7:RG7gdQ8+f4mXpA4tjEwzGi1dDGDYgS
MD5:	1ED0C2E213E674C8A95694C9E19361C7
SHA1:	05446E3404B3171264FC344BF4013EB8EA2CF740
SHA-256:	6DFE16F82116F1537EFCAC4F015247D28339062BCBAA7FC75C9486CAA76A9D0D
SHA-512:	381FD14B550674D0214D75D203264947078D874AFA91122BFAD5FB96C3A523FDDF1DCCD6C69E46C6590CA1AB9025A647E253188E7B9927F0BAAB8BB199C1D9C7
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Notepad.exe, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Notepad.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Notepad.exe, Author: unknown Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Notepad.exe, Author: unknown Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Notepad.exe, Author: Florian Roth Rule: crimeware_njrat_strings, Description: Detects njRAT based on some strings, Source: C:\Notepad.exe, Author: Sekoia.io Rule: crimeware_njrat_strings, Description: Detects njRAT based on some strings, Source: C:\Notepad.exe, Author: Sekoia.io Rule: crimeware_njrat_strings, Description: Detects njRAT based on some strings, Source: C:\Notepad.exe, Author: Sekoia.io Rule: crimeware_njrat_strings, Description: Detects njRAT based on some strings, Source: C:\Notepad.exe, Author: Sekoia.io Rule: crimeware_njrat_strings, Description: Detects njRAT based on some strings, Source: C:\Notepad.exe, Author: Sekoia.io Rule: Njrat, Description: detect njRAT in memory, Source: C:\Notepad.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 96% Antivirus: Virustotal, Detection: 71%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.................p............... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Program Files (x86)\Explower.exe

Download File

Process:	C:\Users\user\server.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.562169391138688
Encrypted:	false
SSDEEP:	768:/Y34G/jglPPMJI08+EyrERm9hX+JlwA461mXxrjEtCdnl2pi1Rz4Rk3qsGdpYgS7:RG7gdQ8+f4mXpA4tjEwzGi1dDGDYgS
MD5:	1ED0C2E213E674C8A95694C9E19361C7
SHA1:	05446E3404B3171264FC344BF4013EB8EA2CF740
SHA-256:	6DFE16F82116F1537EFCAC4F015247D28339062BCBAA7FC75C9486CAA76A9D0D
SHA-512:	381FD14B550674D0214D75D203264947078D874AFA91122BFAD5FB96C3A523FDDF1DCCD6C69E46C6590CA1AB9025A647E253188E7B9927F0BAAB8BB199C1D9C7
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Program Files (x86)\Explower.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Program Files (x86)\Explower.exe, Author: unknown Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Program Files (x86)\Explower.exe, Author: Florian Roth Rule: crimeware_njrat_strings, Description: Detects njRAT based on some strings, Source: C:\Program Files (x86)\Explower.exe, Author: Sekoia.io Rule: Njrat, Description: detect njRAT in memory, Source: C:\Program Files (x86)\Explower.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 96% Antivirus: Virustotal, Detection: 71%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.................p............... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Umbrella.flv.exe

Download File

Process:	C:\Users\user\server.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.562169391138688
Encrypted:	false
SSDEEP:	768:/Y34G/jglPPMJI08+EyrERm9hX+JlwA461mXxrjEtCdnl2pi1Rz4Rk3qsGdpYgS7:RG7gdQ8+f4mXpA4tjEwzGi1dDGDYgS
MD5:	1ED0C2E213E674C8A95694C9E19361C7
SHA1:	05446E3404B3171264FC344BF4013EB8EA2CF740
SHA-256:	6DFE16F82116F1537EFCAC4F015247D28339062BCBAA7FC75C9486CAA76A9D0D
SHA-512:	381FD14B550674D0214D75D203264947078D874AFA91122BFAD5FB96C3A523FDDF1DCCD6C69E46C6590CA1AB9025A647E253188E7B9927F0BAAB8BB199C1D9C7
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Umbrella.flv.exe, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Umbrella.flv.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Umbrella.flv.exe, Author: unknown Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Umbrella.flv.exe, Author: unknown Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Umbrella.flv.exe, Author: Florian Roth Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Umbrella.flv.exe, Author: Florian Roth Rule: crimeware_njrat_strings, Description: Detects njRAT based on some strings, Source: C:\Umbrella.flv.exe, Author: Sekoia.io Rule: crimeware_njrat_strings, Description: Detects njRAT based on some strings, Source: C:\Umbrella.flv.exe, Author: Sekoia.io Rule: crimeware_njrat_strings, Description: Detects njRAT based on some strings, Source: C:\Umbrella.flv.exe, Author: Sekoia.io Rule: Njrat, Description: detect njRAT in memory, Source: C:\Umbrella.flv.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Umbrella.flv.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 96% Antivirus: Virustotal, Detection: 71%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.................p............... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Users\user\AppData\Local\Explower.exe

Download File

Process:	C:\Users\user\server.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.562169391138688
Encrypted:	false
SSDEEP:	768:/Y34G/jglPPMJI08+EyrERm9hX+JlwA461mXxrjEtCdnl2pi1Rz4Rk3qsGdpYgS7:RG7gdQ8+f4mXpA4tjEwzGi1dDGDYgS
MD5:	1ED0C2E213E674C8A95694C9E19361C7
SHA1:	05446E3404B3171264FC344BF4013EB8EA2CF740
SHA-256:	6DFE16F82116F1537EFCAC4F015247D28339062BCBAA7FC75C9486CAA76A9D0D
SHA-512:	381FD14B550674D0214D75D203264947078D874AFA91122BFAD5FB96C3A523FDDF1DCCD6C69E46C6590CA1AB9025A647E253188E7B9927F0BAAB8BB199C1D9C7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 96% Antivirus: Virustotal, Detection: 71%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.................p............... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\364d88128926b2e822553333b20c197fWindows Update.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.259753436570609
Encrypted:	false
SSDEEP:	12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
MD5:	260E01CC001F9C4643CA7A62F395D747
SHA1:	492AD0ACE3A9C8736909866EEA168962D418BE5A
SHA-256:	4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
SHA-512:	01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
Malicious:	false
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Discord.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.259753436570609
Encrypted:	false
SSDEEP:	12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
MD5:	260E01CC001F9C4643CA7A62F395D747
SHA1:	492AD0ACE3A9C8736909866EEA168962D418BE5A
SHA-256:	4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
SHA-512:	01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
Malicious:	false
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Explower.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.259753436570609
Encrypted:	false
SSDEEP:	12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
MD5:	260E01CC001F9C4643CA7A62F395D747
SHA1:	492AD0ACE3A9C8736909866EEA168962D418BE5A
SHA-256:	4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
SHA-512:	01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
Malicious:	false
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Gv10VZCeN7.exe.log

Download File

Process:	C:\Users\user\Desktop\Gv10VZCeN7.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.259753436570609
Encrypted:	false
SSDEEP:	12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
MD5:	260E01CC001F9C4643CA7A62F395D747
SHA1:	492AD0ACE3A9C8736909866EEA168962D418BE5A
SHA-256:	4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
SHA-512:	01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
Malicious:	true
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\History\Explower.exe

Download File

Process:	C:\Users\user\server.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.562169391138688
Encrypted:	false
SSDEEP:	768:/Y34G/jglPPMJI08+EyrERm9hX+JlwA461mXxrjEtCdnl2pi1Rz4Rk3qsGdpYgS7:RG7gdQ8+f4mXpA4tjEwzGi1dDGDYgS
MD5:	1ED0C2E213E674C8A95694C9E19361C7
SHA1:	05446E3404B3171264FC344BF4013EB8EA2CF740
SHA-256:	6DFE16F82116F1537EFCAC4F015247D28339062BCBAA7FC75C9486CAA76A9D0D
SHA-512:	381FD14B550674D0214D75D203264947078D874AFA91122BFAD5FB96C3A523FDDF1DCCD6C69E46C6590CA1AB9025A647E253188E7B9927F0BAAB8BB199C1D9C7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 96%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.................p............... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Explower.exe

Download File

Process:	C:\Users\user\server.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.562169391138688
Encrypted:	false
SSDEEP:	768:/Y34G/jglPPMJI08+EyrERm9hX+JlwA461mXxrjEtCdnl2pi1Rz4Rk3qsGdpYgS7:RG7gdQ8+f4mXpA4tjEwzGi1dDGDYgS
MD5:	1ED0C2E213E674C8A95694C9E19361C7
SHA1:	05446E3404B3171264FC344BF4013EB8EA2CF740
SHA-256:	6DFE16F82116F1537EFCAC4F015247D28339062BCBAA7FC75C9486CAA76A9D0D
SHA-512:	381FD14B550674D0214D75D203264947078D874AFA91122BFAD5FB96C3A523FDDF1DCCD6C69E46C6590CA1AB9025A647E253188E7B9927F0BAAB8BB199C1D9C7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 96%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.................p............... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Explower.exe

Download File

Process:	C:\Users\user\server.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.562169391138688
Encrypted:	false
SSDEEP:	768:/Y34G/jglPPMJI08+EyrERm9hX+JlwA461mXxrjEtCdnl2pi1Rz4Rk3qsGdpYgS7:RG7gdQ8+f4mXpA4tjEwzGi1dDGDYgS
MD5:	1ED0C2E213E674C8A95694C9E19361C7
SHA1:	05446E3404B3171264FC344BF4013EB8EA2CF740
SHA-256:	6DFE16F82116F1537EFCAC4F015247D28339062BCBAA7FC75C9486CAA76A9D0D
SHA-512:	381FD14B550674D0214D75D203264947078D874AFA91122BFAD5FB96C3A523FDDF1DCCD6C69E46C6590CA1AB9025A647E253188E7B9927F0BAAB8BB199C1D9C7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 96%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.................p............... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe

Download File

Process:	C:\Users\user\server.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.562169391138688
Encrypted:	false
SSDEEP:	768:/Y34G/jglPPMJI08+EyrERm9hX+JlwA461mXxrjEtCdnl2pi1Rz4Rk3qsGdpYgS7:RG7gdQ8+f4mXpA4tjEwzGi1dDGDYgS
MD5:	1ED0C2E213E674C8A95694C9E19361C7
SHA1:	05446E3404B3171264FC344BF4013EB8EA2CF740
SHA-256:	6DFE16F82116F1537EFCAC4F015247D28339062BCBAA7FC75C9486CAA76A9D0D
SHA-512:	381FD14B550674D0214D75D203264947078D874AFA91122BFAD5FB96C3A523FDDF1DCCD6C69E46C6590CA1AB9025A647E253188E7B9927F0BAAB8BB199C1D9C7
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe, Author: unknown Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe, Author: Florian Roth Rule: crimeware_njrat_strings, Description: Detects njRAT based on some strings, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe, Author: Sekoia.io Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 96%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.................p............... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe

Download File

Process:	C:\Users\user\server.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.562169391138688
Encrypted:	false
SSDEEP:	768:/Y34G/jglPPMJI08+EyrERm9hX+JlwA461mXxrjEtCdnl2pi1Rz4Rk3qsGdpYgS7:RG7gdQ8+f4mXpA4tjEwzGi1dDGDYgS
MD5:	1ED0C2E213E674C8A95694C9E19361C7
SHA1:	05446E3404B3171264FC344BF4013EB8EA2CF740
SHA-256:	6DFE16F82116F1537EFCAC4F015247D28339062BCBAA7FC75C9486CAA76A9D0D
SHA-512:	381FD14B550674D0214D75D203264947078D874AFA91122BFAD5FB96C3A523FDDF1DCCD6C69E46C6590CA1AB9025A647E253188E7B9927F0BAAB8BB199C1D9C7
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe, Author: unknown Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe, Author: Florian Roth Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe, Author: Florian Roth Rule: crimeware_njrat_strings, Description: Detects njRAT based on some strings, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe, Author: Sekoia.io Rule: crimeware_njrat_strings, Description: Detects njRAT based on some strings, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe, Author: Sekoia.io Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe, Author: JPCERT/CC Incident Response Group Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 96%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.................p............... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe

Download File

Process:	C:\Users\user\server.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.562169391138688
Encrypted:	false
SSDEEP:	768:/Y34G/jglPPMJI08+EyrERm9hX+JlwA461mXxrjEtCdnl2pi1Rz4Rk3qsGdpYgS7:RG7gdQ8+f4mXpA4tjEwzGi1dDGDYgS
MD5:	1ED0C2E213E674C8A95694C9E19361C7
SHA1:	05446E3404B3171264FC344BF4013EB8EA2CF740
SHA-256:	6DFE16F82116F1537EFCAC4F015247D28339062BCBAA7FC75C9486CAA76A9D0D
SHA-512:	381FD14B550674D0214D75D203264947078D874AFA91122BFAD5FB96C3A523FDDF1DCCD6C69E46C6590CA1AB9025A647E253188E7B9927F0BAAB8BB199C1D9C7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 96%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.................p............... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Users\user\AppData\Roaming\app

Download File

Process:	C:\Users\user\Desktop\Gv10VZCeN7.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	5
Entropy (8bit):	1.9219280948873623
Encrypted:	false
SSDEEP:	3:yn:yn
MD5:	24E9E7D7EEA4DE90C8FC67AE1145ABF2
SHA1:	DD9BB46CCC6340CA892CF17EBE32B9BDBADEE2D1
SHA-256:	BD6C1D15579254E8879ADA07376F93CB2E959F45670374892FDE2EFAF4194F6C
SHA-512:	5572AFD61C7BA666515A987F23AD0A05AB753BDC28CFA492ADB30200207427A4A38699D3B7981E0750414775A4CE72A209511951D38A8673C709B08774FCA01F
Malicious:	false
Preview:	.11

C:\Users\user\Desktop\Explower.exe

Download File

Process:	C:\Users\user\server.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.562169391138688
Encrypted:	false
SSDEEP:	768:/Y34G/jglPPMJI08+EyrERm9hX+JlwA461mXxrjEtCdnl2pi1Rz4Rk3qsGdpYgS7:RG7gdQ8+f4mXpA4tjEwzGi1dDGDYgS
MD5:	1ED0C2E213E674C8A95694C9E19361C7
SHA1:	05446E3404B3171264FC344BF4013EB8EA2CF740
SHA-256:	6DFE16F82116F1537EFCAC4F015247D28339062BCBAA7FC75C9486CAA76A9D0D
SHA-512:	381FD14B550674D0214D75D203264947078D874AFA91122BFAD5FB96C3A523FDDF1DCCD6C69E46C6590CA1AB9025A647E253188E7B9927F0BAAB8BB199C1D9C7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 96%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.................p............... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Users\user\Documents\Explower.exe

Download File

Process:	C:\Users\user\server.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.562169391138688
Encrypted:	false
SSDEEP:	768:/Y34G/jglPPMJI08+EyrERm9hX+JlwA461mXxrjEtCdnl2pi1Rz4Rk3qsGdpYgS7:RG7gdQ8+f4mXpA4tjEwzGi1dDGDYgS
MD5:	1ED0C2E213E674C8A95694C9E19361C7
SHA1:	05446E3404B3171264FC344BF4013EB8EA2CF740
SHA-256:	6DFE16F82116F1537EFCAC4F015247D28339062BCBAA7FC75C9486CAA76A9D0D
SHA-512:	381FD14B550674D0214D75D203264947078D874AFA91122BFAD5FB96C3A523FDDF1DCCD6C69E46C6590CA1AB9025A647E253188E7B9927F0BAAB8BB199C1D9C7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 96%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.................p............... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Users\user\Favorites\Explower.exe

Download File

Process:	C:\Users\user\server.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.562169391138688
Encrypted:	false
SSDEEP:	768:/Y34G/jglPPMJI08+EyrERm9hX+JlwA461mXxrjEtCdnl2pi1Rz4Rk3qsGdpYgS7:RG7gdQ8+f4mXpA4tjEwzGi1dDGDYgS
MD5:	1ED0C2E213E674C8A95694C9E19361C7
SHA1:	05446E3404B3171264FC344BF4013EB8EA2CF740
SHA-256:	6DFE16F82116F1537EFCAC4F015247D28339062BCBAA7FC75C9486CAA76A9D0D
SHA-512:	381FD14B550674D0214D75D203264947078D874AFA91122BFAD5FB96C3A523FDDF1DCCD6C69E46C6590CA1AB9025A647E253188E7B9927F0BAAB8BB199C1D9C7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 96%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.................p............... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Users\user\server.exe

Download File

Process:	C:\Users\user\Desktop\Gv10VZCeN7.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.562169391138688
Encrypted:	false
SSDEEP:	768:/Y34G/jglPPMJI08+EyrERm9hX+JlwA461mXxrjEtCdnl2pi1Rz4Rk3qsGdpYgS7:RG7gdQ8+f4mXpA4tjEwzGi1dDGDYgS
MD5:	1ED0C2E213E674C8A95694C9E19361C7
SHA1:	05446E3404B3171264FC344BF4013EB8EA2CF740
SHA-256:	6DFE16F82116F1537EFCAC4F015247D28339062BCBAA7FC75C9486CAA76A9D0D
SHA-512:	381FD14B550674D0214D75D203264947078D874AFA91122BFAD5FB96C3A523FDDF1DCCD6C69E46C6590CA1AB9025A647E253188E7B9927F0BAAB8BB199C1D9C7
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\server.exe, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\server.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\server.exe, Author: unknown Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\server.exe, Author: Florian Roth Rule: crimeware_njrat_strings, Description: Detects njRAT based on some strings, Source: C:\Users\user\server.exe, Author: Sekoia.io Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\server.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\server.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 96%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.................p............... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Windows\SysWOW64\Explower.exe

Download File

Process:	C:\Users\user\server.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.562169391138688
Encrypted:	false
SSDEEP:	768:/Y34G/jglPPMJI08+EyrERm9hX+JlwA461mXxrjEtCdnl2pi1Rz4Rk3qsGdpYgS7:RG7gdQ8+f4mXpA4tjEwzGi1dDGDYgS
MD5:	1ED0C2E213E674C8A95694C9E19361C7
SHA1:	05446E3404B3171264FC344BF4013EB8EA2CF740
SHA-256:	6DFE16F82116F1537EFCAC4F015247D28339062BCBAA7FC75C9486CAA76A9D0D
SHA-512:	381FD14B550674D0214D75D203264947078D874AFA91122BFAD5FB96C3A523FDDF1DCCD6C69E46C6590CA1AB9025A647E253188E7B9927F0BAAB8BB199C1D9C7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 96%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.................p............... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\autorun.inf

Download File

Process:	C:\Users\user\server.exe
File Type:	Microsoft Windows Autorun file
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.474554204780528
Encrypted:	false
SSDEEP:	3:It1KV2PHQCyK0x:e1KAwCyD
MD5:	40B1630BE21F39CB17BD1963CAE5A207
SHA1:	63C14BD151D42820DD45C033363FA5B9E1D34124
SHA-256:	F87E55F1A423B65FD639146F71F6027DBD4D6E69B65D9A17F1744774AA6589E1
SHA-512:	833112ED4A9A3C621D2FFFC78F83502B2937B82A2CF9BC692D75D907CE2AA46C2D97CFE23C402DB3292B2DD2655FF8692C3CD00D5BA4D792C3D8AF24958E1926
Malicious:	true
Preview:	[autorun]..open=C:\Umbrella.flv.exe..shellexecute=C:\..

\Device\ConDrv

Download File

Process:	C:\Windows\SysWOW64\netsh.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	313
Entropy (8bit):	4.971939296804078
Encrypted:	false
SSDEEP:	6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
MD5:	689E2126A85BF55121488295EE068FA1
SHA1:	09BAAA253A49D80C18326DFBCA106551EBF22DD6
SHA-256:	D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
SHA-512:	C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
Malicious:	false
Preview:	..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.562169391138688
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Gv10VZCeN7.exe
File size:	95'232 bytes
MD5:	1ed0c2e213e674c8a95694c9e19361c7
SHA1:	05446e3404b3171264fc344bf4013eb8ea2cf740
SHA256:	6dfe16f82116f1537efcac4f015247d28339062bcbaa7fc75c9486caa76a9d0d
SHA512:	381fd14b550674d0214d75d203264947078d874afa91122bfad5fb96c3a523fddf1dccd6c69e46c6590ca1ab9025a647e253188e7b9927f0baab8bb199c1d9c7
SSDEEP:	768:/Y34G/jglPPMJI08+EyrERm9hX+JlwA461mXxrjEtCdnl2pi1Rz4Rk3qsGdpYgS7:RG7gdQ8+f4mXpA4tjEwzGi1dDGDYgS
TLSH:	6E93D74977E53524E0BF56F79871F2004E34B48B1642E39D59F219AA0A33AC44F89FEB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.................p............... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x418f0e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x677F008F [Wed Jan 8 22:47:43 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x18eb8	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x16f14	0x17000	f17c069cea94517b5c4994ec1a696fbc	False	0.367919921875	data	5.593952565869325	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0x1a000	0xc	0x200	26def8a0407cc7078ce41b7ef703298e	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-12T04:22:10.317562+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	49704	178.215.236.227	4411	TCP
2025-01-12T04:22:10.317562+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	49704	178.215.236.227	4411	TCP
2025-01-12T04:22:12.511500+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	49705	178.215.236.227	4411	TCP
2025-01-12T04:22:12.511500+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	49705	178.215.236.227	4411	TCP
2025-01-12T04:22:15.072271+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	49706	178.215.236.227	4411	TCP
2025-01-12T04:22:15.072271+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	49706	178.215.236.227	4411	TCP
2025-01-12T04:22:17.754342+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	49707	178.215.236.227	4411	TCP
2025-01-12T04:22:17.754342+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	49707	178.215.236.227	4411	TCP
2025-01-12T04:22:20.231848+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	49709	178.215.236.227	4411	TCP
2025-01-12T04:22:20.231848+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	49709	178.215.236.227	4411	TCP
2025-01-12T04:22:22.826585+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	49718	178.215.236.227	4411	TCP
2025-01-12T04:22:22.826585+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	49718	178.215.236.227	4411	TCP
2025-01-12T04:22:25.506261+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	49735	178.215.236.227	4411	TCP
2025-01-12T04:22:25.506261+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	49735	178.215.236.227	4411	TCP
2025-01-12T04:22:28.059981+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	49748	178.215.236.227	4411	TCP
2025-01-12T04:22:28.059981+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	49748	178.215.236.227	4411	TCP
2025-01-12T04:22:30.603246+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	49762	178.215.236.227	4411	TCP
2025-01-12T04:22:30.603246+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	49762	178.215.236.227	4411	TCP
2025-01-12T04:22:33.234000+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	49777	178.215.236.227	4411	TCP
2025-01-12T04:22:33.234000+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	49777	178.215.236.227	4411	TCP
2025-01-12T04:22:36.251465+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	49788	178.215.236.227	4411	TCP
2025-01-12T04:22:36.251465+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	49788	178.215.236.227	4411	TCP
2025-01-12T04:22:38.738651+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	49803	178.215.236.227	4411	TCP
2025-01-12T04:22:38.738651+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	49803	178.215.236.227	4411	TCP
2025-01-12T04:22:41.166350+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	49819	178.215.236.227	4411	TCP
2025-01-12T04:22:41.166350+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	49819	178.215.236.227	4411	TCP
2025-01-12T04:22:44.124554+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	49833	178.215.236.227	4411	TCP
2025-01-12T04:22:44.124554+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	49833	178.215.236.227	4411	TCP
2025-01-12T04:22:44.336896+0100	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	49833	178.215.236.227	4411	TCP
2025-01-12T04:22:46.687172+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	49849	178.215.236.227	4411	TCP
2025-01-12T04:22:46.687172+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	49849	178.215.236.227	4411	TCP
2025-01-12T04:22:49.359495+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	49865	178.215.236.227	4411	TCP
2025-01-12T04:22:49.359495+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	49865	178.215.236.227	4411	TCP
2025-01-12T04:22:51.988044+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	49881	178.215.236.227	4411	TCP
2025-01-12T04:22:51.988044+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	49881	178.215.236.227	4411	TCP
2025-01-12T04:22:54.490093+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	49897	178.215.236.227	4411	TCP
2025-01-12T04:22:54.490093+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	49897	178.215.236.227	4411	TCP
2025-01-12T04:22:57.104085+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	49910	178.215.236.227	4411	TCP
2025-01-12T04:22:57.104085+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	49910	178.215.236.227	4411	TCP
2025-01-12T04:22:59.603584+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	49928	178.215.236.227	4411	TCP
2025-01-12T04:22:59.603584+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	49928	178.215.236.227	4411	TCP
2025-01-12T04:23:02.417591+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	49943	178.215.236.227	4411	TCP
2025-01-12T04:23:02.417591+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	49943	178.215.236.227	4411	TCP
2025-01-12T04:23:02.554734+0100	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	49943	178.215.236.227	4411	TCP
2025-01-12T04:23:04.962457+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	49962	178.215.236.227	4411	TCP
2025-01-12T04:23:04.962457+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	49962	178.215.236.227	4411	TCP
2025-01-12T04:23:07.510300+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	49978	178.215.236.227	4411	TCP
2025-01-12T04:23:07.510300+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	49978	178.215.236.227	4411	TCP
2025-01-12T04:23:10.072428+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	49991	178.215.236.227	4411	TCP
2025-01-12T04:23:10.072428+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	49991	178.215.236.227	4411	TCP
2025-01-12T04:23:12.635465+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	49998	178.215.236.227	4411	TCP
2025-01-12T04:23:12.635465+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	49998	178.215.236.227	4411	TCP
2025-01-12T04:23:15.205821+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	49999	178.215.236.227	4411	TCP
2025-01-12T04:23:15.205821+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	49999	178.215.236.227	4411	TCP
2025-01-12T04:23:18.154861+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	50000	178.215.236.227	4411	TCP
2025-01-12T04:23:18.154861+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	50000	178.215.236.227	4411	TCP
2025-01-12T04:23:20.340859+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	50001	178.215.236.227	4411	TCP
2025-01-12T04:23:20.340859+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	50001	178.215.236.227	4411	TCP
2025-01-12T04:23:22.919125+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	50002	178.215.236.227	4411	TCP
2025-01-12T04:23:22.919125+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	50002	178.215.236.227	4411	TCP
2025-01-12T04:23:25.484397+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	50003	178.215.236.227	4411	TCP
2025-01-12T04:23:25.484397+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	50003	178.215.236.227	4411	TCP
2025-01-12T04:23:28.041838+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	50004	178.215.236.227	4411	TCP
2025-01-12T04:23:28.041838+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	50004	178.215.236.227	4411	TCP
2025-01-12T04:23:31.278781+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	50005	178.215.236.227	4411	TCP
2025-01-12T04:23:31.278781+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	50005	178.215.236.227	4411	TCP
2025-01-12T04:23:33.978208+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	50006	178.215.236.227	4411	TCP
2025-01-12T04:23:33.978208+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	50006	178.215.236.227	4411	TCP
2025-01-12T04:23:36.543124+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	50007	178.215.236.227	4411	TCP
2025-01-12T04:23:36.543124+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	50007	178.215.236.227	4411	TCP
2025-01-12T04:23:39.101567+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	50008	178.215.236.227	4411	TCP
2025-01-12T04:23:39.101567+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	50008	178.215.236.227	4411	TCP
2025-01-12T04:23:41.689312+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	50009	178.215.236.227	4411	TCP
2025-01-12T04:23:41.689312+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	50009	178.215.236.227	4411	TCP
2025-01-12T04:23:44.251176+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	50010	178.215.236.227	4411	TCP
2025-01-12T04:23:44.251176+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	50010	178.215.236.227	4411	TCP
2025-01-12T04:23:46.812129+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	50011	178.215.236.227	4411	TCP
2025-01-12T04:23:46.812129+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	50011	178.215.236.227	4411	TCP
2025-01-12T04:23:53.779714+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	50012	178.215.236.227	4411	TCP
2025-01-12T04:23:53.779714+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	50012	178.215.236.227	4411	TCP
2025-01-12T04:23:57.470603+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	50013	178.215.236.227	4411	TCP
2025-01-12T04:23:57.470603+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	50013	178.215.236.227	4411	TCP
2025-01-12T04:23:59.969035+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	50014	178.215.236.227	4411	TCP
2025-01-12T04:23:59.969035+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	50014	178.215.236.227	4411	TCP
2025-01-12T04:24:04.229677+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	50015	178.215.236.227	4411	TCP
2025-01-12T04:24:04.229677+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	50015	178.215.236.227	4411	TCP
2025-01-12T04:24:07.185304+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	50016	178.215.236.227	4411	TCP
2025-01-12T04:24:07.185304+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	50016	178.215.236.227	4411	TCP
2025-01-12T04:24:09.747641+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	50017	178.215.236.227	4411	TCP
2025-01-12T04:24:09.747641+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	50017	178.215.236.227	4411	TCP
2025-01-12T04:24:12.332065+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	50018	178.215.236.227	4411	TCP
2025-01-12T04:24:12.332065+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	50018	178.215.236.227	4411	TCP
2025-01-12T04:24:14.897831+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	50019	178.215.236.227	4411	TCP
2025-01-12T04:24:14.897831+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	50019	178.215.236.227	4411	TCP
2025-01-12T04:24:17.453736+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	50020	178.215.236.227	4411	TCP
2025-01-12T04:24:17.453736+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	50020	178.215.236.227	4411	TCP
2025-01-12T04:24:33.213631+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	50021	178.215.236.227	4411	TCP
2025-01-12T04:24:33.213631+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	50021	178.215.236.227	4411	TCP
2025-01-12T04:24:36.525406+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	50022	178.215.236.227	4411	TCP
2025-01-12T04:24:36.525406+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	50022	178.215.236.227	4411	TCP
2025-01-12T04:24:36.625895+0100	2825564	ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)	1	192.168.2.5	50022	178.215.236.227	4411	TCP
2025-01-12T04:24:39.348273+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	50023	178.215.236.227	4411	TCP
2025-01-12T04:24:39.348273+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	50023	178.215.236.227	4411	TCP
2025-01-12T04:24:42.096740+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	50024	178.215.236.227	4411	TCP
2025-01-12T04:24:42.096740+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	50024	178.215.236.227	4411	TCP
2025-01-12T04:24:44.649120+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	50025	178.215.236.227	4411	TCP
2025-01-12T04:24:44.649120+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	50025	178.215.236.227	4411	TCP
2025-01-12T04:24:49.227274+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	50026	178.215.236.227	4411	TCP
2025-01-12T04:24:49.227274+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	50026	178.215.236.227	4411	TCP
2025-01-12T04:24:51.818623+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	50027	178.215.236.227	4411	TCP
2025-01-12T04:24:51.818623+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	50027	178.215.236.227	4411	TCP
2025-01-12T04:24:54.526103+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	50028	178.215.236.227	4411	TCP
2025-01-12T04:24:54.526103+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	50028	178.215.236.227	4411	TCP
2025-01-12T04:24:57.084418+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	50029	178.215.236.227	4411	TCP
2025-01-12T04:24:57.084418+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	50029	178.215.236.227	4411	TCP
2025-01-12T04:24:59.727935+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	50030	178.215.236.227	4411	TCP
2025-01-12T04:24:59.727935+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	50030	178.215.236.227	4411	TCP
2025-01-12T04:25:02.294495+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	50031	178.215.236.227	4411	TCP
2025-01-12T04:25:02.294495+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	50031	178.215.236.227	4411	TCP
2025-01-12T04:25:04.838352+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	50032	178.215.236.227	4411	TCP
2025-01-12T04:25:04.838352+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	50032	178.215.236.227	4411	TCP
2025-01-12T04:25:07.566773+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	50033	178.215.236.227	4411	TCP
2025-01-12T04:25:07.566773+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	50033	178.215.236.227	4411	TCP
2025-01-12T04:25:10.058312+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	50034	178.215.236.227	4411	TCP
2025-01-12T04:25:10.058312+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	50034	178.215.236.227	4411	TCP
2025-01-12T04:25:12.650832+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	50035	178.215.236.227	4411	TCP
2025-01-12T04:25:12.650832+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	50035	178.215.236.227	4411	TCP
2025-01-12T04:25:17.174700+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	50036	178.215.236.227	4411	TCP
2025-01-12T04:25:17.174700+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	50036	178.215.236.227	4411	TCP
2025-01-12T04:25:21.035332+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	50037	178.215.236.227	4411	TCP
2025-01-12T04:25:21.035332+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	50037	178.215.236.227	4411	TCP
2025-01-12T04:25:23.089087+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	50038	178.215.236.227	4411	TCP
2025-01-12T04:25:23.089087+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	50038	178.215.236.227	4411	TCP
2025-01-12T04:25:25.667622+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	50039	178.215.236.227	4411	TCP
2025-01-12T04:25:25.667622+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	50039	178.215.236.227	4411	TCP
2025-01-12T04:25:28.200676+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	50040	178.215.236.227	4411	TCP
2025-01-12T04:25:28.200676+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	50040	178.215.236.227	4411	TCP
2025-01-12T04:25:30.746919+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	50041	178.215.236.227	4411	TCP
2025-01-12T04:25:30.746919+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	50041	178.215.236.227	4411	TCP
2025-01-12T04:25:33.299500+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	50042	178.215.236.227	4411	TCP
2025-01-12T04:25:33.299500+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	50042	178.215.236.227	4411	TCP
2025-01-12T04:25:35.854273+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	50043	178.215.236.227	4411	TCP
2025-01-12T04:25:35.854273+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	50043	178.215.236.227	4411	TCP
2025-01-12T04:25:38.549790+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	50044	178.215.236.227	4411	TCP
2025-01-12T04:25:38.549790+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	50044	178.215.236.227	4411	TCP
2025-01-12T04:25:41.103550+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	50045	178.215.236.227	4411	TCP
2025-01-12T04:25:41.103550+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	50045	178.215.236.227	4411	TCP
2025-01-12T04:25:44.495051+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	50046	178.215.236.227	4411	TCP
2025-01-12T04:25:44.495051+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	50046	178.215.236.227	4411	TCP
2025-01-12T04:25:46.839517+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	50047	178.215.236.227	4411	TCP
2025-01-12T04:25:46.839517+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	50047	178.215.236.227	4411	TCP
2025-01-12T04:25:49.475532+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	50048	178.215.236.227	4411	TCP
2025-01-12T04:25:49.475532+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	50048	178.215.236.227	4411	TCP
2025-01-12T04:25:52.010916+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	50049	178.215.236.227	4411	TCP
2025-01-12T04:25:52.010916+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	50049	178.215.236.227	4411	TCP
2025-01-12T04:25:54.560745+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	50050	178.215.236.227	4411	TCP
2025-01-12T04:25:54.560745+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	50050	178.215.236.227	4411	TCP
2025-01-12T04:25:57.426206+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	50051	178.215.236.227	4411	TCP
2025-01-12T04:25:57.426206+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	50051	178.215.236.227	4411	TCP
2025-01-12T04:26:03.371823+0100	2033132	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)	1	192.168.2.5	50052	178.215.236.227	4411	TCP
2025-01-12T04:26:03.371823+0100	2021176	ET MALWARE Bladabindi/njRAT CnC Command (ll)	1	192.168.2.5	50052	178.215.236.227	4411	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 12, 2025 04:22:09.215831041 CET	49704	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:09.220699072 CET	4411	49704	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:09.220782042 CET	49704	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:10.317562103 CET	49704	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:10.322446108 CET	4411	49704	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:10.322499990 CET	49704	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:10.327349901 CET	4411	49704	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:10.498131990 CET	4411	49704	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:10.498219967 CET	49704	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:12.505119085 CET	49704	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:12.505661964 CET	49705	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:12.510060072 CET	4411	49704	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:12.510546923 CET	4411	49705	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:12.510616064 CET	49705	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:12.511499882 CET	49705	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:12.516314983 CET	4411	49705	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:12.516390085 CET	49705	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:12.521223068 CET	4411	49705	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:13.058293104 CET	4411	49705	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:13.058362961 CET	49705	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:15.066328049 CET	49705	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:15.066636086 CET	49706	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:15.071276903 CET	4411	49705	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:15.071619987 CET	4411	49706	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:15.071690083 CET	49706	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:15.072271109 CET	49706	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:15.077066898 CET	4411	49706	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:15.077172995 CET	49706	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:15.082099915 CET	4411	49706	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:15.644804955 CET	4411	49706	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:15.645006895 CET	49706	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:17.660115004 CET	49706	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:17.660501957 CET	49707	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:17.665139914 CET	4411	49706	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:17.665467978 CET	4411	49707	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:17.665544987 CET	49707	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:17.754342079 CET	49707	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:17.759270906 CET	4411	49707	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:17.759362936 CET	49707	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:17.764223099 CET	4411	49707	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:18.207875967 CET	4411	49707	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:18.207976103 CET	49707	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:20.225836039 CET	49707	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:20.226207972 CET	49709	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:20.230838060 CET	4411	49707	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:20.231093884 CET	4411	49709	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:20.231168032 CET	49709	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:20.231848001 CET	49709	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:20.237976074 CET	4411	49709	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:20.238032103 CET	49709	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:20.244299889 CET	4411	49709	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:20.797812939 CET	4411	49709	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:20.797894001 CET	49709	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:22.802544117 CET	49709	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:22.807061911 CET	49718	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:22.807437897 CET	4411	49709	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:22.811961889 CET	4411	49718	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:22.814246893 CET	49718	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:22.826585054 CET	49718	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:22.831479073 CET	4411	49718	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:22.831576109 CET	49718	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:22.836410999 CET	4411	49718	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:23.347913980 CET	4411	49718	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:23.348191977 CET	49718	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:25.364461899 CET	49718	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:25.462040901 CET	49735	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:25.505347013 CET	4411	49718	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:25.505384922 CET	4411	49735	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:25.505506992 CET	49735	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:25.506261110 CET	49735	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:25.511121035 CET	4411	49735	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:25.511190891 CET	49735	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:25.516067028 CET	4411	49735	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:26.040642023 CET	4411	49735	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:26.040976048 CET	49735	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:28.054176092 CET	49735	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:28.054460049 CET	49748	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:28.059274912 CET	4411	49735	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:28.059387922 CET	4411	49748	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:28.059473038 CET	49748	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:28.059981108 CET	49748	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:28.064980984 CET	4411	49748	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:28.065059900 CET	49748	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:28.069948912 CET	4411	49748	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:28.592772007 CET	4411	49748	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:28.592914104 CET	49748	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:30.597666979 CET	49748	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:30.597815037 CET	49762	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:30.602622986 CET	4411	49748	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:30.602762938 CET	4411	49762	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:30.602835894 CET	49762	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:30.603245974 CET	49762	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:30.608180046 CET	4411	49762	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:30.608238935 CET	49762	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:30.613111019 CET	4411	49762	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:31.182575941 CET	4411	49762	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:31.182665110 CET	49762	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:33.227807045 CET	49762	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:33.228209019 CET	49777	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:33.232760906 CET	4411	49762	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:33.233186960 CET	4411	49777	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:33.233256102 CET	49777	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:33.233999968 CET	49777	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:33.238907099 CET	4411	49777	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:33.238981962 CET	49777	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:33.243872881 CET	4411	49777	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:33.766398907 CET	4411	49777	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:33.766532898 CET	49777	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:35.770684004 CET	49777	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:35.776849985 CET	4411	49777	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:35.879654884 CET	49788	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:35.884785891 CET	4411	49788	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:35.888272047 CET	49788	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:36.251465082 CET	49788	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:36.257498026 CET	4411	49788	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:36.257591963 CET	49788	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:36.263216972 CET	4411	49788	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:36.425365925 CET	4411	49788	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:36.425427914 CET	49788	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:38.427937031 CET	49788	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:38.432966948 CET	4411	49788	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:38.473041058 CET	49803	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:38.477916002 CET	4411	49803	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:38.478049994 CET	49803	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:38.738651037 CET	49803	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:38.743694067 CET	4411	49803	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:38.744613886 CET	49803	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:38.749567032 CET	4411	49803	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:39.014867067 CET	4411	49803	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:39.015157938 CET	49803	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:41.064457893 CET	49803	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:41.156157970 CET	4411	49803	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:41.160567999 CET	49819	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:41.165467024 CET	4411	49819	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:41.165554047 CET	49819	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:41.166349888 CET	49819	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:41.171457052 CET	4411	49819	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:41.171560049 CET	49819	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:41.176552057 CET	4411	49819	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:41.717380047 CET	4411	49819	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:41.720079899 CET	49819	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:44.117413044 CET	49819	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:44.117649078 CET	49833	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:44.123944998 CET	4411	49819	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:44.123965025 CET	4411	49833	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:44.124059916 CET	49833	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:44.124553919 CET	49833	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:44.130636930 CET	4411	49833	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:44.131083965 CET	49833	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:44.137294054 CET	4411	49833	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:44.336895943 CET	49833	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:44.341799021 CET	4411	49833	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:44.671927929 CET	4411	49833	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:44.672054052 CET	49833	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:46.679642916 CET	49833	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:46.680176020 CET	49849	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:46.685581923 CET	4411	49833	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:46.686254978 CET	4411	49849	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:46.686328888 CET	49849	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:46.687171936 CET	49849	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:46.693038940 CET	4411	49849	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:46.693118095 CET	49849	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:46.699062109 CET	4411	49849	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:47.219727993 CET	4411	49849	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:47.219832897 CET	49849	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:49.353457928 CET	49849	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:49.354029894 CET	49865	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:49.358319044 CET	4411	49849	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:49.358969927 CET	4411	49865	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:49.359040022 CET	49865	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:49.359494925 CET	49865	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:49.364316940 CET	4411	49865	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:49.364367008 CET	49865	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:49.369169950 CET	4411	49865	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:49.885266066 CET	4411	49865	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:49.887495995 CET	49865	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:51.894584894 CET	49865	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:51.894840002 CET	49881	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:51.899470091 CET	4411	49865	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:51.899704933 CET	4411	49881	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:51.899782896 CET	49881	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:51.988044024 CET	49881	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:51.992940903 CET	4411	49881	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:51.993035078 CET	49881	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:51.998226881 CET	4411	49881	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:52.426860094 CET	4411	49881	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:52.426939964 CET	49881	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:54.444365025 CET	49881	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:54.449522018 CET	4411	49881	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:54.484415054 CET	49897	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:54.489588022 CET	4411	49897	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:54.489665985 CET	49897	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:54.490092993 CET	49897	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:54.495007992 CET	4411	49897	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:54.495074034 CET	49897	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:54.499965906 CET	4411	49897	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:55.023658991 CET	4411	49897	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:55.023811102 CET	49897	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:57.035195112 CET	49897	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:57.035362959 CET	49910	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:57.040139914 CET	4411	49897	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:57.040354013 CET	4411	49910	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:57.040442944 CET	49910	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:57.104084969 CET	49910	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:57.108998060 CET	4411	49910	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:57.109189034 CET	49910	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:57.114094973 CET	4411	49910	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:57.581939936 CET	4411	49910	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:57.582075119 CET	49910	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:59.597599030 CET	49910	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:59.597915888 CET	49928	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:59.602461100 CET	4411	49910	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:59.602812052 CET	4411	49928	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:59.602876902 CET	49928	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:59.603584051 CET	49928	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:59.608387947 CET	4411	49928	178.215.236.227	192.168.2.5
Jan 12, 2025 04:22:59.608444929 CET	49928	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:22:59.613306046 CET	4411	49928	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:00.135992050 CET	4411	49928	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:00.136073112 CET	49928	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:02.145411968 CET	49928	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:02.150507927 CET	4411	49928	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:02.411813974 CET	49943	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:02.417097092 CET	4411	49943	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:02.417196989 CET	49943	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:02.417591095 CET	49943	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:02.422642946 CET	4411	49943	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:02.422724962 CET	49943	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:02.427717924 CET	4411	49943	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:02.554733992 CET	49943	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:02.562235117 CET	4411	49943	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:02.950494051 CET	4411	49943	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:02.950589895 CET	49943	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:04.956983089 CET	49943	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:04.957237959 CET	49962	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:04.961859941 CET	4411	49943	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:04.962008953 CET	4411	49962	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:04.962064981 CET	49962	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:04.962456942 CET	49962	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:04.967262983 CET	4411	49962	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:04.967324972 CET	49962	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:04.972115993 CET	4411	49962	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:05.503338099 CET	4411	49962	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:05.503405094 CET	49962	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:07.503793955 CET	49962	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:07.504128933 CET	49978	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:07.509397984 CET	4411	49962	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:07.509733915 CET	4411	49978	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:07.509804010 CET	49978	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:07.510299921 CET	49978	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:07.515338898 CET	4411	49978	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:07.515388012 CET	49978	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:07.520958900 CET	4411	49978	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:08.063499928 CET	4411	49978	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:08.063580990 CET	49978	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:10.066348076 CET	49978	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:10.066715956 CET	49991	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:10.071188927 CET	4411	49978	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:10.071614981 CET	4411	49991	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:10.071680069 CET	49991	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:10.072427988 CET	49991	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:10.077220917 CET	4411	49991	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:10.077279091 CET	49991	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:10.082206964 CET	4411	49991	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:10.620455980 CET	4411	49991	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:10.620863914 CET	49991	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:12.628798008 CET	49991	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:12.629095078 CET	49998	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:12.634834051 CET	4411	49991	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:12.634872913 CET	4411	49998	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:12.634960890 CET	49998	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:12.635464907 CET	49998	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:12.640360117 CET	4411	49998	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:12.644273043 CET	49998	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:12.649152994 CET	4411	49998	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:13.186903954 CET	4411	49998	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:13.186976910 CET	49998	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:15.198056936 CET	49998	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:15.198481083 CET	49999	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:15.203100920 CET	4411	49998	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:15.203382015 CET	4411	49999	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:15.203459024 CET	49999	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:15.205821037 CET	49999	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:15.210685968 CET	4411	49999	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:15.210752010 CET	49999	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:15.215686083 CET	4411	49999	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:15.755958080 CET	4411	49999	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:15.756046057 CET	49999	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:17.775696993 CET	49999	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:17.776067019 CET	50000	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:17.780702114 CET	4411	49999	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:17.781023979 CET	4411	50000	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:17.781106949 CET	50000	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:18.154860973 CET	50000	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:18.159966946 CET	4411	50000	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:18.160043955 CET	50000	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:18.164984941 CET	4411	50000	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:18.315838099 CET	4411	50000	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:18.315920115 CET	50000	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:20.334608078 CET	50000	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:20.335134029 CET	50001	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:20.339641094 CET	4411	50000	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:20.339951038 CET	4411	50001	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:20.340014935 CET	50001	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:20.340858936 CET	50001	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:20.345787048 CET	4411	50001	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:20.345875025 CET	50001	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:20.350780964 CET	4411	50001	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:20.879611015 CET	4411	50001	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:20.879722118 CET	50001	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:22.913203955 CET	50001	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:22.913559914 CET	50002	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:22.918232918 CET	4411	50001	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:22.918525934 CET	4411	50002	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:22.918654919 CET	50002	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:22.919125080 CET	50002	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:22.923995018 CET	4411	50002	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:23.019480944 CET	50002	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:23.024600029 CET	4411	50002	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:23.467830896 CET	4411	50002	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:23.467978954 CET	50002	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:25.478514910 CET	50002	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:25.478878021 CET	50003	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:25.483572006 CET	4411	50002	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:25.483834028 CET	4411	50003	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:25.483911991 CET	50003	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:25.484396935 CET	50003	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:25.489316940 CET	4411	50003	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:25.489382029 CET	50003	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:25.494304895 CET	4411	50003	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:26.021096945 CET	4411	50003	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:26.021200895 CET	50003	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:28.035700083 CET	50003	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:28.036062956 CET	50004	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:28.040709019 CET	4411	50003	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:28.040996075 CET	4411	50004	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:28.041069984 CET	50004	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:28.041837931 CET	50004	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:28.046688080 CET	4411	50004	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:28.046749115 CET	50004	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:28.051492929 CET	4411	50004	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:28.574444056 CET	4411	50004	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:28.574562073 CET	50004	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:30.584554911 CET	50004	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:30.589700937 CET	4411	50004	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:31.272125959 CET	50005	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:31.277127028 CET	4411	50005	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:31.277220011 CET	50005	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:31.278780937 CET	50005	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:31.284322977 CET	4411	50005	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:31.284377098 CET	50005	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:31.289366961 CET	4411	50005	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:31.826562881 CET	4411	50005	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:31.826739073 CET	50005	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:33.838089943 CET	50005	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:33.843014002 CET	4411	50005	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:33.972162962 CET	50006	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:33.977535963 CET	4411	50006	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:33.977624893 CET	50006	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:33.978208065 CET	50006	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:33.983087063 CET	4411	50006	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:33.983155012 CET	50006	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:33.988007069 CET	4411	50006	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:34.519449949 CET	4411	50006	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:34.519557953 CET	50006	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:36.537184954 CET	50006	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:36.537524939 CET	50007	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:36.542450905 CET	4411	50006	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:36.542545080 CET	4411	50007	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:36.542622089 CET	50007	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:36.543123960 CET	50007	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:36.548324108 CET	4411	50007	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:36.548398972 CET	50007	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:36.553597927 CET	4411	50007	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:37.070385933 CET	4411	50007	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:37.070461035 CET	50007	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:39.095252991 CET	50007	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:39.095634937 CET	50008	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:39.100296974 CET	4411	50007	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:39.100625992 CET	4411	50008	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:39.100707054 CET	50008	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:39.101567030 CET	50008	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:39.106460094 CET	4411	50008	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:39.106528997 CET	50008	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:39.111418962 CET	4411	50008	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:39.650182962 CET	4411	50008	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:39.650376081 CET	50008	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:41.683509111 CET	50008	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:41.683799982 CET	50009	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:41.688528061 CET	4411	50008	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:41.688747883 CET	4411	50009	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:41.688834906 CET	50009	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:41.689311981 CET	50009	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:41.694169998 CET	4411	50009	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:41.694243908 CET	50009	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:41.699099064 CET	4411	50009	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:42.222345114 CET	4411	50009	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:42.222579956 CET	50009	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:44.245285988 CET	50009	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:44.245544910 CET	50010	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:44.250345945 CET	4411	50009	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:44.250521898 CET	4411	50010	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:44.250600100 CET	50010	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:44.251176119 CET	50010	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:44.255970001 CET	4411	50010	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:44.256040096 CET	50010	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:44.260853052 CET	4411	50010	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:44.799031973 CET	4411	50010	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:44.799108982 CET	50010	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:46.806056976 CET	50010	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:46.806615114 CET	50011	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:46.811084986 CET	4411	50010	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:46.811520100 CET	4411	50011	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:46.811592102 CET	50011	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:46.812129021 CET	50011	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:46.817004919 CET	4411	50011	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:46.817066908 CET	50011	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:46.821947098 CET	4411	50011	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:47.345586061 CET	4411	50011	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:47.345762014 CET	50011	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:49.356126070 CET	50011	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:49.361345053 CET	4411	50011	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:53.773547888 CET	50012	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:53.778708935 CET	4411	50012	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:53.778785944 CET	50012	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:53.779714108 CET	50012	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:53.784545898 CET	4411	50012	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:53.784595966 CET	50012	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:53.789505959 CET	4411	50012	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:54.327991962 CET	4411	50012	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:54.328062057 CET	50012	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:56.340042114 CET	50012	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:56.345145941 CET	4411	50012	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:57.407191038 CET	50013	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:57.413228989 CET	4411	50013	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:57.413392067 CET	50013	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:57.470602989 CET	50013	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:57.475610971 CET	4411	50013	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:57.475708008 CET	50013	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:57.480717897 CET	4411	50013	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:57.949861050 CET	4411	50013	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:57.949954033 CET	50013	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:59.963233948 CET	50013	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:59.963514090 CET	50014	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:59.968504906 CET	4411	50013	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:59.968573093 CET	4411	50014	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:59.968627930 CET	50014	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:59.969034910 CET	50014	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:59.973907948 CET	4411	50014	178.215.236.227	192.168.2.5
Jan 12, 2025 04:23:59.974001884 CET	50014	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:23:59.978924036 CET	4411	50014	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:00.518728018 CET	4411	50014	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:00.518821955 CET	50014	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:02.537487984 CET	50014	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:02.542651892 CET	4411	50014	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:02.547987938 CET	50015	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:02.552923918 CET	4411	50015	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:02.552987099 CET	50015	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:03.103809118 CET	4411	50015	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:03.103969097 CET	50015	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:04.229676962 CET	50015	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:04.234687090 CET	4411	50015	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:07.179852009 CET	50016	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:07.184756041 CET	4411	50016	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:07.184828997 CET	50016	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:07.185303926 CET	50016	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:07.190108061 CET	4411	50016	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:07.190166950 CET	50016	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:07.194924116 CET	4411	50016	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:07.728842020 CET	4411	50016	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:07.728920937 CET	50016	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:09.741767883 CET	50016	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:09.742013931 CET	50017	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:09.746784925 CET	4411	50016	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:09.746997118 CET	4411	50017	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:09.747082949 CET	50017	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:09.747641087 CET	50017	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:09.752494097 CET	4411	50017	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:09.752578974 CET	50017	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:09.757487059 CET	4411	50017	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:10.296240091 CET	4411	50017	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:10.296341896 CET	50017	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:12.325805902 CET	50017	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:12.326209068 CET	50018	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:12.330883026 CET	4411	50017	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:12.331235886 CET	4411	50018	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:12.331315041 CET	50018	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:12.332065105 CET	50018	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:12.336930037 CET	4411	50018	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:12.337037086 CET	50018	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:12.341974020 CET	4411	50018	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:12.870764971 CET	4411	50018	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:12.870955944 CET	50018	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:14.892122984 CET	50018	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:14.892400980 CET	50019	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:14.897042036 CET	4411	50018	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:14.897305012 CET	4411	50019	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:14.897417068 CET	50019	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:14.897830963 CET	50019	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:14.902599096 CET	4411	50019	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:14.902652979 CET	50019	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:14.907507896 CET	4411	50019	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:15.425458908 CET	4411	50019	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:15.425703049 CET	50019	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:17.443126917 CET	50019	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:17.443492889 CET	50020	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:17.448286057 CET	4411	50019	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:17.448440075 CET	4411	50020	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:17.448512077 CET	50020	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:17.453736067 CET	50020	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:17.458673954 CET	4411	50020	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:17.458738089 CET	50020	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:17.463556051 CET	4411	50020	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:17.983931065 CET	4411	50020	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:17.984051943 CET	50020	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:20.161073923 CET	50020	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:20.166212082 CET	4411	50020	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:21.278227091 CET	50021	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:21.283453941 CET	4411	50021	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:21.283550978 CET	50021	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:21.817439079 CET	4411	50021	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:21.819390059 CET	50021	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:33.213630915 CET	50021	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:33.218842030 CET	4411	50021	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:36.515795946 CET	50022	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:36.520992994 CET	4411	50022	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:36.524439096 CET	50022	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:36.525405884 CET	50022	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:36.530334949 CET	4411	50022	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:36.530435085 CET	50022	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:36.535383940 CET	4411	50022	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:36.625895023 CET	50022	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:36.630898952 CET	4411	50022	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:37.061184883 CET	4411	50022	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:37.061563969 CET	50022	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:39.342302084 CET	50022	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:39.342677116 CET	50023	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:39.347451925 CET	4411	50022	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:39.347526073 CET	4411	50023	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:39.347624063 CET	50023	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:39.348273039 CET	50023	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:39.353142977 CET	4411	50023	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:39.353223085 CET	50023	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:39.358114958 CET	4411	50023	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:39.897001028 CET	4411	50023	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:39.897135019 CET	50023	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:42.053493977 CET	50023	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:42.058543921 CET	4411	50023	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:42.089004040 CET	50024	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:42.093976021 CET	4411	50024	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:42.094074011 CET	50024	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:42.096740007 CET	50024	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:42.101583958 CET	4411	50024	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:42.101660967 CET	50024	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:42.106569052 CET	4411	50024	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:42.627487898 CET	4411	50024	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:42.627698898 CET	50024	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:44.642911911 CET	50024	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:44.643346071 CET	50025	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:44.647926092 CET	4411	50024	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:44.648341894 CET	4411	50025	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:44.648464918 CET	50025	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:44.649120092 CET	50025	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:44.654006958 CET	4411	50025	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:44.654093027 CET	50025	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:44.658967972 CET	4411	50025	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:45.202896118 CET	4411	50025	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:45.203157902 CET	50025	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:47.329186916 CET	50025	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:47.334279060 CET	4411	50025	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:49.220987082 CET	50026	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:49.226278067 CET	4411	50026	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:49.226409912 CET	50026	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:49.227273941 CET	50026	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:49.232153893 CET	4411	50026	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:49.232259989 CET	50026	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:49.237138987 CET	4411	50026	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:49.772228956 CET	4411	50026	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:49.772393942 CET	50026	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:51.785119057 CET	50026	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:51.785450935 CET	50027	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:51.817737103 CET	4411	50026	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:51.817785025 CET	4411	50027	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:51.817862034 CET	50027	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:51.818623066 CET	50027	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:51.823522091 CET	4411	50027	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:51.823637009 CET	50027	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:51.828599930 CET	4411	50027	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:52.376275063 CET	4411	50027	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:52.376385927 CET	50027	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:54.484756947 CET	50027	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:54.485035896 CET	50028	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:54.490107059 CET	4411	50027	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:54.490149021 CET	4411	50028	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:54.490209103 CET	50028	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:54.526103020 CET	50028	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:54.531210899 CET	4411	50028	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:54.531267881 CET	50028	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:54.536264896 CET	4411	50028	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:55.037904978 CET	4411	50028	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:55.038012981 CET	50028	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:57.078016043 CET	50028	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:57.078454018 CET	50029	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:57.083003998 CET	4411	50028	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:57.083448887 CET	4411	50029	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:57.083530903 CET	50029	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:57.084418058 CET	50029	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:57.089308977 CET	4411	50029	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:57.089446068 CET	50029	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:57.094324112 CET	4411	50029	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:57.617887020 CET	4411	50029	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:57.618094921 CET	50029	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:59.721303940 CET	50029	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:59.721618891 CET	50030	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:59.726670980 CET	4411	50029	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:59.727233887 CET	4411	50030	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:59.727299929 CET	50030	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:59.727935076 CET	50030	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:59.733284950 CET	4411	50030	178.215.236.227	192.168.2.5
Jan 12, 2025 04:24:59.733370066 CET	50030	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:24:59.738159895 CET	4411	50030	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:00.270706892 CET	4411	50030	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:00.270768881 CET	50030	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:02.285058975 CET	50030	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:02.285367966 CET	50031	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:02.293831110 CET	4411	50030	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:02.293853045 CET	4411	50031	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:02.293940067 CET	50031	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:02.294495106 CET	50031	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:02.299344063 CET	4411	50031	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:02.299416065 CET	50031	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:02.304260969 CET	4411	50031	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:02.830430031 CET	4411	50031	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:02.830676079 CET	50031	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:04.832267046 CET	50031	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:04.832514048 CET	50032	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:04.837383032 CET	4411	50031	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:04.837479115 CET	4411	50032	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:04.837557077 CET	50032	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:04.838351965 CET	50032	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:04.843183041 CET	4411	50032	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:04.843267918 CET	50032	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:04.848439932 CET	4411	50032	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:05.387202978 CET	4411	50032	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:05.387298107 CET	50032	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:07.438287020 CET	50032	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:07.443480015 CET	4411	50032	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:07.482682943 CET	50033	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:07.487715006 CET	4411	50033	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:07.487818003 CET	50033	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:07.566772938 CET	50033	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:07.571914911 CET	4411	50033	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:07.571994066 CET	50033	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:07.576936007 CET	4411	50033	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:08.039426088 CET	4411	50033	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:08.039525986 CET	50033	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:10.052290916 CET	50033	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:10.052469015 CET	50034	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:10.057626009 CET	4411	50033	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:10.057670116 CET	4411	50034	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:10.057749033 CET	50034	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:10.058311939 CET	50034	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:10.063200951 CET	4411	50034	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:10.063281059 CET	50034	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:10.068231106 CET	4411	50034	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:10.633301973 CET	4411	50034	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:10.633404016 CET	50034	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:12.644598007 CET	50034	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:12.644946098 CET	50035	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:12.649730921 CET	4411	50034	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:12.649878025 CET	4411	50035	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:12.649957895 CET	50035	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:12.650831938 CET	50035	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:12.655623913 CET	4411	50035	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:12.655698061 CET	50035	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:12.660608053 CET	4411	50035	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:13.187942028 CET	4411	50035	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:13.188163996 CET	50035	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:15.287062883 CET	50035	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:15.292382956 CET	4411	50035	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:17.168960094 CET	50036	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:17.174012899 CET	4411	50036	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:17.174115896 CET	50036	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:17.174700022 CET	50036	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:17.179575920 CET	4411	50036	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:17.179658890 CET	50036	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:17.184534073 CET	4411	50036	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:17.723752975 CET	4411	50036	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:17.723972082 CET	50036	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:19.761908054 CET	50036	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:19.762166023 CET	50037	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:19.766943932 CET	4411	50036	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:19.767080069 CET	4411	50037	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:19.767153025 CET	50037	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:20.309241056 CET	4411	50037	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:20.309309959 CET	50037	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:21.035331964 CET	50037	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:21.041033030 CET	4411	50037	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:23.083003044 CET	50038	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:23.088196993 CET	4411	50038	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:23.088305950 CET	50038	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:23.089087009 CET	50038	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:23.094019890 CET	4411	50038	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:23.094140053 CET	50038	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:23.099080086 CET	4411	50038	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:23.622284889 CET	4411	50038	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:23.622494936 CET	50038	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:25.628880978 CET	50038	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:25.629303932 CET	50039	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:25.634110928 CET	4411	50038	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:25.634311914 CET	4411	50039	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:25.634393930 CET	50039	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:25.667622089 CET	50039	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:25.672529936 CET	4411	50039	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:25.672614098 CET	50039	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:25.677604914 CET	4411	50039	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:26.184647083 CET	4411	50039	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:26.184753895 CET	50039	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:28.194820881 CET	50039	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:28.195122957 CET	50040	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:28.199845076 CET	4411	50039	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:28.200119972 CET	4411	50040	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:28.200212002 CET	50040	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:28.200675964 CET	50040	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:28.205548048 CET	4411	50040	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:28.205667019 CET	50040	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:28.210606098 CET	4411	50040	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:28.737884045 CET	4411	50040	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:28.737970114 CET	50040	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:30.741086960 CET	50040	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:30.741367102 CET	50041	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:30.746176958 CET	4411	50040	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:30.746298075 CET	4411	50041	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:30.746371984 CET	50041	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:30.746918917 CET	50041	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:30.751779079 CET	4411	50041	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:30.751877069 CET	50041	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:30.756752014 CET	4411	50041	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:31.280711889 CET	4411	50041	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:31.280797958 CET	50041	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:33.293019056 CET	50041	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:33.293541908 CET	50042	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:33.298057079 CET	4411	50041	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:33.298552990 CET	4411	50042	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:33.298643112 CET	50042	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:33.299499989 CET	50042	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:33.304296970 CET	4411	50042	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:33.304394007 CET	50042	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:33.309217930 CET	4411	50042	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:33.833637953 CET	4411	50042	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:33.833844900 CET	50042	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:35.847599983 CET	50042	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:35.847889900 CET	50043	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:35.853315115 CET	4411	50042	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:35.853595972 CET	4411	50043	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:35.853686094 CET	50043	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:35.854273081 CET	50043	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:35.859865904 CET	4411	50043	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:35.859937906 CET	50043	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:35.865541935 CET	4411	50043	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:36.410429001 CET	4411	50043	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:36.410535097 CET	50043	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:38.528431892 CET	50043	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:38.533643961 CET	4411	50043	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:38.544204950 CET	50044	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:38.549107075 CET	4411	50044	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:38.549191952 CET	50044	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:38.549789906 CET	50044	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:38.554632902 CET	4411	50044	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:38.554692984 CET	50044	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:38.559595108 CET	4411	50044	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:39.090512991 CET	4411	50044	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:39.090599060 CET	50044	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:41.097585917 CET	50044	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:41.098030090 CET	50045	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:41.102828026 CET	4411	50044	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:41.102984905 CET	4411	50045	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:41.103065014 CET	50045	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:41.103549957 CET	50045	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:41.108437061 CET	4411	50045	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:41.108546972 CET	50045	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:41.113452911 CET	4411	50045	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:41.636621952 CET	4411	50045	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:41.636723995 CET	50045	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:43.644682884 CET	50045	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:43.644915104 CET	50046	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:43.649913073 CET	4411	50045	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:43.649955988 CET	4411	50046	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:43.650022030 CET	50046	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:44.190464973 CET	4411	50046	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:44.190696001 CET	50046	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:44.495050907 CET	50046	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:44.500055075 CET	4411	50046	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:46.538012028 CET	50047	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:46.543023109 CET	4411	50047	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:46.543116093 CET	50047	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:46.839517117 CET	50047	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:46.844681978 CET	4411	50047	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:46.844779968 CET	50047	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:46.849740028 CET	4411	50047	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:47.077794075 CET	4411	50047	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:47.077975988 CET	50047	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:49.083506107 CET	50047	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:49.088643074 CET	4411	50047	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:49.469706059 CET	50048	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:49.474879980 CET	4411	50048	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:49.474984884 CET	50048	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:49.475532055 CET	50048	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:49.480490923 CET	4411	50048	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:49.480566025 CET	50048	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:49.485460043 CET	4411	50048	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:50.001027107 CET	4411	50048	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:50.001112938 CET	50048	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:52.004786968 CET	50048	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:52.005148888 CET	50049	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:52.009910107 CET	4411	50048	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:52.010072947 CET	4411	50049	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:52.010149956 CET	50049	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:52.010915995 CET	50049	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:52.015717030 CET	4411	50049	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:52.016522884 CET	50049	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:52.021399975 CET	4411	50049	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:52.543436050 CET	4411	50049	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:52.546598911 CET	50049	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:54.554687023 CET	50049	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:54.555236101 CET	50050	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:54.559812069 CET	4411	50049	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:54.560242891 CET	4411	50050	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:54.560327053 CET	50050	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:54.560745001 CET	50050	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:54.565623045 CET	4411	50050	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:54.565705061 CET	50050	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:54.570636988 CET	4411	50050	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:55.102514029 CET	4411	50050	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:55.102600098 CET	50050	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:57.181581974 CET	50050	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:57.186892033 CET	4411	50050	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:57.208071947 CET	50051	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:57.213124037 CET	4411	50051	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:57.213231087 CET	50051	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:57.426206112 CET	50051	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:57.431333065 CET	4411	50051	178.215.236.227	192.168.2.5
Jan 12, 2025 04:25:57.431471109 CET	50051	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:25:57.436405897 CET	4411	50051	178.215.236.227	192.168.2.5
Jan 12, 2025 04:26:01.361521006 CET	4411	50051	178.215.236.227	192.168.2.5
Jan 12, 2025 04:26:01.361567020 CET	4411	50051	178.215.236.227	192.168.2.5
Jan 12, 2025 04:26:01.361601114 CET	4411	50051	178.215.236.227	192.168.2.5
Jan 12, 2025 04:26:01.361757994 CET	50051	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:26:01.361757994 CET	50051	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:26:01.361757994 CET	50051	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:26:03.363245964 CET	50051	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:26:03.363775015 CET	50052	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:26:03.368257999 CET	4411	50051	178.215.236.227	192.168.2.5
Jan 12, 2025 04:26:03.368735075 CET	4411	50052	178.215.236.227	192.168.2.5
Jan 12, 2025 04:26:03.370651007 CET	50052	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:26:03.371823072 CET	50052	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:26:03.376741886 CET	4411	50052	178.215.236.227	192.168.2.5
Jan 12, 2025 04:26:03.376791000 CET	50052	4411	192.168.2.5	178.215.236.227
Jan 12, 2025 04:26:03.381688118 CET	4411	50052	178.215.236.227	192.168.2.5
Jan 12, 2025 04:26:03.925303936 CET	4411	50052	178.215.236.227	192.168.2.5
Jan 12, 2025 04:26:03.925817013 CET	50052	4411	192.168.2.5	178.215.236.227

Target ID:	0
Start time:	22:21:59
Start date:	11/01/2025
Path:	C:\Users\user\Desktop\Gv10VZCeN7.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Gv10VZCeN7.exe"
Imagebase:	0x620000
File size:	95'232 bytes
MD5 hash:	1ED0C2E213E674C8A95694C9E19361C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.2050391420.0000000003CD8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000002.2050391420.0000000003CD8000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000002.2050391420.0000000003CD8000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000000.2026002461.0000000000622000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000000.2026002461.0000000000622000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000000.2026002461.0000000000622000.00000002.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	22:22:01
Start date:	11/01/2025
Path:	C:\Users\user\server.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\server.exe"
Imagebase:	0x7f0000
File size:	95'232 bytes
MD5 hash:	1ED0C2E213E674C8A95694C9E19361C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000002.00000002.4479519622.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\server.exe, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\server.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\server.exe, Author: unknown Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\server.exe, Author: Florian Roth Rule: crimeware_njrat_strings, Description: Detects njRAT based on some strings, Source: C:\Users\user\server.exe, Author: Sekoia.io Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\server.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\server.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 96%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	22:22:03
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh firewall add allowedprogram "C:\Users\user\server.exe" "server.exe" ENABLE
Imagebase:	0x1080000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	22:22:03
Start date:	11/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	22:22:04
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh firewall delete allowedprogram "C:\Users\user\server.exe"
Imagebase:	0x1080000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	22:22:04
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh firewall add allowedprogram "C:\Users\user\server.exe" "server.exe" ENABLE
Imagebase:	0x1080000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	22:22:04
Start date:	11/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	22:22:04
Start date:	11/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	22:22:14
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe"
Imagebase:	0x1e0000
File size:	95'232 bytes
MD5 hash:	1ED0C2E213E674C8A95694C9E19361C7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe, Author: unknown Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe, Author: Florian Roth Rule: crimeware_njrat_strings, Description: Detects njRAT based on some strings, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe, Author: Sekoia.io Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe, Author: ditekSHen Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 96%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	22:22:17
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\364d88128926b2e822553333b20c197fWindows Update.exe"
Imagebase:	0x5d0000
File size:	95'232 bytes
MD5 hash:	1ED0C2E213E674C8A95694C9E19361C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	22:22:23
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe"
Imagebase:	0x970000
File size:	95'232 bytes
MD5 hash:	1ED0C2E213E674C8A95694C9E19361C7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe, Author: unknown Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe, Author: Florian Roth Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe, Author: Florian Roth Rule: crimeware_njrat_strings, Description: Detects njRAT based on some strings, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe, Author: Sekoia.io Rule: crimeware_njrat_strings, Description: Detects njRAT based on some strings, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe, Author: Sekoia.io Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe, Author: JPCERT/CC Incident Response Group Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 96%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	22:22:33
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe"
Imagebase:	0xb10000
File size:	95'232 bytes
MD5 hash:	1ED0C2E213E674C8A95694C9E19361C7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 96%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	58
Total number of Limit Nodes:	4

Executed Functions

Function 04DF4290 Relevance: 4.4, Strings: 2, Instructions: 1950
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 04DF4C1C
|t, xrefs: 04DF53C6

Memory Dump Source

Source File: 00000000.00000002.2050531484.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_Gv10VZCeN7.jbxd

Similarity

API ID:
String ID: @$|t
API String ID: 0-3910548985
Opcode ID: 422d4c47b9b565a858869e3740cccfa4ed238badd60954fa5840460960eeae49
Instruction ID: 9d89c557c26842e426a4bf72691597eb57f3cb8eff06e9f3be0cd63ce9548404
Opcode Fuzzy Hash: 422d4c47b9b565a858869e3740cccfa4ed238badd60954fa5840460960eeae49
Instruction Fuzzy Hash: A7232A74A02228CFDB64EB34DD54BA9B7B2FB48304F1041E9E909A73A5DB359E95CF40

Function 04DF427F Relevance: 4.2, Strings: 2, Instructions: 1746
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 04DF4BBC
|t, xrefs: 04DF53C6

Memory Dump Source

Source File: 00000000.00000002.2050531484.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_Gv10VZCeN7.jbxd

Similarity

API ID:
String ID: $|t
API String ID: 0-1654681884
Opcode ID: 99603e7456a77043bad43ea67559c6ac36a9f343a9f6244cf69399eb7e6293a7
Instruction ID: 7015096a325237e5db033ea26ffff13f7349cce110141d2f82ddf740b2d12746
Opcode Fuzzy Hash: 99603e7456a77043bad43ea67559c6ac36a9f343a9f6244cf69399eb7e6293a7
Instruction Fuzzy Hash: 56131B74A02128CFDB64EB34DD54BA9B7B2FB48304F1041E9E909A73A5DB359E95CF40

Function 04DF01E1 Relevance: 3.8, Strings: 3, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

HQ, xrefs: 04DF023B
P, xrefs: 04DF0216
XR, xrefs: 04DF0260

Memory Dump Source

Source File: 00000000.00000002.2050531484.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_Gv10VZCeN7.jbxd

Similarity

API ID:
String ID: HQ$XR$P
API String ID: 0-2787943518
Opcode ID: d41185a7c8508f8786d4801583a8a30b673326cb00988cd322d1b76189835428
Instruction ID: 41c8a8ccda88364057082b2e09a785e980baecd01b5143840120ffe24db1e48d
Opcode Fuzzy Hash: d41185a7c8508f8786d4801583a8a30b673326cb00988cd322d1b76189835428
Instruction Fuzzy Hash: 6C016170206246DFC710EB78D649A6D77E1EFC4309B149828B2458B69ADF3598488F62

Function 00DFAA75 Relevance: 1.6, APIs: 1, Instructions: 92
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00DFAB25

Memory Dump Source

Source File: 00000000.00000002.2049651306.0000000000DFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dfa000_Gv10VZCeN7.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: eef44470d296ffcabe4c9707be357d0d18fdd751761e99bd3613c1ac6d6de12d
Instruction ID: f64c9230bf2d00e7f057509084eee076a47dfd8055c95dad2326a6590e4017bb
Opcode Fuzzy Hash: eef44470d296ffcabe4c9707be357d0d18fdd751761e99bd3613c1ac6d6de12d
Instruction Fuzzy Hash: 2E318271509344AFE721CF25DC84F56BBF8EF05310F09849EE9498B652D365E808CB72

Function 00DFB036 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 00DFB0DD

Memory Dump Source

Source File: 00000000.00000002.2049651306.0000000000DFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dfa000_Gv10VZCeN7.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: d7413f7a893d9f69a825b45b010315f38b2fbb97fb9a534f28a6a4d78c4ec199
Instruction ID: 60e5f31404c5c31d4b7e788801d43e136e3e8b01d6f876de4ae8e4fc32f5845e
Opcode Fuzzy Hash: d7413f7a893d9f69a825b45b010315f38b2fbb97fb9a534f28a6a4d78c4ec199
Instruction Fuzzy Hash: 8131B5715093846FE711CB25DC45BA6BFF8EF06310F08849AE944CB292D365E908C772

Function 00DFA6CE Relevance: 1.6, APIs: 1, Instructions: 85
comclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleGetClipboard.OLE32(?,00000E24,?,?), ref: 00DFA77E

Memory Dump Source

Source File: 00000000.00000002.2049651306.0000000000DFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dfa000_Gv10VZCeN7.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: fda4e287d4472bb02eb83aea7c9b628d20d27cab0b8b1dff0cce102d69163129
Instruction ID: 7821a58ff421738ba8eaeef5b9af8fb2879a2865711989d29c8425502184899a
Opcode Fuzzy Hash: fda4e287d4472bb02eb83aea7c9b628d20d27cab0b8b1dff0cce102d69163129
Instruction Fuzzy Hash: 1331717504D3C06FD3138B259C61B62BFB4EF47610F0A40CBD884CB6A3D2256919D772

Function 00DFAE77 Relevance: 1.6, APIs: 1, Instructions: 78
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000E24,5E180306,00000000,00000000,00000000,00000000), ref: 00DFAF0D

Memory Dump Source

Source File: 00000000.00000002.2049651306.0000000000DFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dfa000_Gv10VZCeN7.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 4f019636a76362db816d734704dc6f73f0ff76549e7790d7107516dd1bba46cb
Instruction ID: d2ba6ade0961b1e6b05572449c530d565fb8d1d9f11d86f37af69d5502a205f6
Opcode Fuzzy Hash: 4f019636a76362db816d734704dc6f73f0ff76549e7790d7107516dd1bba46cb
Instruction Fuzzy Hash: 2321E7B1509384AFD722CF11DC44F96BFB8EF16314F09849AE9488F152D335A509CB71

Function 00DFAAA6 Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00DFAB25

Memory Dump Source

Source File: 00000000.00000002.2049651306.0000000000DFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dfa000_Gv10VZCeN7.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: df703b92f0437689f5b0b1237b81102a4ef3b3f0f51f7adfcc369c00cff8b24c
Instruction ID: fb7e5ab20cab15cff7173bf1a04a68819c2a304f6779439148df077930eade9c
Opcode Fuzzy Hash: df703b92f0437689f5b0b1237b81102a4ef3b3f0f51f7adfcc369c00cff8b24c
Instruction Fuzzy Hash: 7F21A1B1604204AFE720CF29DC84B66FBE8EF18710F088469EA498B751D375E808CB72

Function 00DFA9BF Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(?), ref: 00DFAA44

Memory Dump Source

Source File: 00000000.00000002.2049651306.0000000000DFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dfa000_Gv10VZCeN7.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 5b446a79e038771954b2024f21ba902e3a068db3c43af1c02eb30c5be52872f1
Instruction ID: caae9a6d3a5c5faec9954bf71d0502b13bd0cee58a26d58174d9306397da628c
Opcode Fuzzy Hash: 5b446a79e038771954b2024f21ba902e3a068db3c43af1c02eb30c5be52872f1
Instruction Fuzzy Hash: 0A21396540E3C49FD7138B258C64651BFB4EF53624B0E80DBD9848F6A3C2685809CB72

Function 00DFAC37 Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(?,00000E24,5E180306,00000000,00000000,00000000,00000000), ref: 00DFACBD

Memory Dump Source

Source File: 00000000.00000002.2049651306.0000000000DFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dfa000_Gv10VZCeN7.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 55f4355a8f3eeea4f04b2c9641863c53fb6d5fe59f83c9ce149fd4b64bd12aa4
Instruction ID: 8af2585665619608c17e596a7818b721ecebae2bb6a49561f82045986f763498
Opcode Fuzzy Hash: 55f4355a8f3eeea4f04b2c9641863c53fb6d5fe59f83c9ce149fd4b64bd12aa4
Instruction Fuzzy Hash: 4021E7B55093846FE7128B11DC80BE2BFB8EF57714F0980DBE9848B293D364A909D772

Function 00DFB06A Relevance: 1.6, APIs: 1, Instructions: 72
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 00DFB0DD

Memory Dump Source

Source File: 00000000.00000002.2049651306.0000000000DFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dfa000_Gv10VZCeN7.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: a0f1b67cd7a965dee559b028e2e22ceff9c241f6e8910ebd36febb471adf4d89
Instruction ID: c5407b56924d3b9cabd768e53a046d3258b35baa8abde65a7d4fde76c6fdbf53
Opcode Fuzzy Hash: a0f1b67cd7a965dee559b028e2e22ceff9c241f6e8910ebd36febb471adf4d89
Instruction Fuzzy Hash: 9D21B371600204AFE720DF25DD85BA6FBE8EF15324F08C46AEE498B741D775E808CA72

Function 00DFA61E Relevance: 1.6, APIs: 1, Instructions: 65
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(?), ref: 00DFA690

Memory Dump Source

Source File: 00000000.00000002.2049651306.0000000000DFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dfa000_Gv10VZCeN7.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 89bac4cbed5c3a3979d11a67f3266d1b4c0ddf0ad38a38bd0ca4102a1aa87530
Instruction ID: 9aeb74f3209d7c09117c78ed643402db59f1e5a61db1f7d8d3a16d44cc1c4b01
Opcode Fuzzy Hash: 89bac4cbed5c3a3979d11a67f3266d1b4c0ddf0ad38a38bd0ca4102a1aa87530
Instruction Fuzzy Hash: DE21497150E3C45FDB128B259C94652BFB4DF07220F0E84DBD9858F2A3D2699908CB72

Function 00DFA573 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00DFA5DE

Memory Dump Source

Source File: 00000000.00000002.2049651306.0000000000DFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dfa000_Gv10VZCeN7.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a1543660b3f53939f5b65ff6131ccf3754ece846ca084d3cece14f729843363d
Instruction ID: f167a10a704a517c959deae183ed5b311a560c79ad1325968430fa58fafb3afc
Opcode Fuzzy Hash: a1543660b3f53939f5b65ff6131ccf3754ece846ca084d3cece14f729843363d
Instruction Fuzzy Hash: 7511A571409780AFDB228F54DC44A62FFF4EF46710F08889AED858B162C235A818DB62

Function 00DFAEAE Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000E24,5E180306,00000000,00000000,00000000,00000000), ref: 00DFAF0D

Memory Dump Source

Source File: 00000000.00000002.2049651306.0000000000DFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dfa000_Gv10VZCeN7.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 32b7e747cd8ec2ded8a9115f1ef6f478138b1009968244f12dcb29ea84e0cc9d
Instruction ID: b75d196b06bed79ad44a2d46999387cd59f07d5abd26b6cef26fa8820eea9b54
Opcode Fuzzy Hash: 32b7e747cd8ec2ded8a9115f1ef6f478138b1009968244f12dcb29ea84e0cc9d
Instruction Fuzzy Hash: 3311B2B1504204AFEB21CF55DC84BA6FBE8EF14714F08C46AEE498B651C375E5088BB2

Function 00DFB424 Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32(?), ref: 00DFB480

Memory Dump Source

Source File: 00000000.00000002.2049651306.0000000000DFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dfa000_Gv10VZCeN7.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: 36bb1e723edda8cca413365fe1fd5576b6e4b3cee0a2cd5865901d7bb1d6a503
Instruction ID: bdf89fa93e72cc9a9cffd2bbd816529722acd88644862e4b266ddc865e9c4d75
Opcode Fuzzy Hash: 36bb1e723edda8cca413365fe1fd5576b6e4b3cee0a2cd5865901d7bb1d6a503
Instruction Fuzzy Hash: 281160715093849FD712CF25DD94B56BFB8DF06224F0984EBED49CB253D264E908CB62

Function 00DFAC6A Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,5E180306,00000000,00000000,00000000,00000000), ref: 00DFACBD

Memory Dump Source

Source File: 00000000.00000002.2049651306.0000000000DFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dfa000_Gv10VZCeN7.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: a2cb505ceb0886ef43f66fe822fddac6e551cf7e5b8a0d0b7268058748e3d45a
Instruction ID: 319be3206357c3d8d67c9904eed5bda6b2c864b29a3a3281a42bde458146c54c
Opcode Fuzzy Hash: a2cb505ceb0886ef43f66fe822fddac6e551cf7e5b8a0d0b7268058748e3d45a
Instruction Fuzzy Hash: 790122B5600204AFE720CF09CC84BB6F7A8DF14724F08C0A6EE088B741C374E9488AB2

Function 00DFB446 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 00DFB480

Memory Dump Source

Source File: 00000000.00000002.2049651306.0000000000DFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dfa000_Gv10VZCeN7.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: fe8c7596369cdb61b323818d9d0ae1d81496d60f0958247e73dad00dac6bff17
Instruction ID: 82961354d7006c6dc856d51fd3f63317788efe78f24bd2e8e2413a67064a91af
Opcode Fuzzy Hash: fe8c7596369cdb61b323818d9d0ae1d81496d60f0958247e73dad00dac6bff17
Instruction Fuzzy Hash: 63016D716042088FDB10CF29DA84766BBE4EF04724F08C4ABDE49CB652D374E804CA62

Function 00DFA59A Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00DFA5DE

Memory Dump Source

Source File: 00000000.00000002.2049651306.0000000000DFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dfa000_Gv10VZCeN7.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9a310187991d7945ab2d20d9c85efbc86f4421b20ed1781cc0616ee482b8fee3
Instruction ID: a3797a67219ab6307ddda53cacf1614d728aae49c4b73515c0c597f133f6f424
Opcode Fuzzy Hash: 9a310187991d7945ab2d20d9c85efbc86f4421b20ed1781cc0616ee482b8fee3
Instruction Fuzzy Hash: 2D0161715046449FDB21CF59D944B62FFE0EF08710F08C8AADE494A651C376E414DF62

Function 00DFA72E Relevance: 1.5, APIs: 1, Instructions: 43comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?,00000E24,?,?), ref: 00DFA77E

Memory Dump Source

Source File: 00000000.00000002.2049651306.0000000000DFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dfa000_Gv10VZCeN7.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: c3054728ec84b2c652fd672826ace5049183af8ef70a0f22665ff8781cfa62a7
Instruction ID: d0a8a6c9965fa82018eb4b57110fa1fab3965efa888efe1af37cf0f255e3d05e
Opcode Fuzzy Hash: c3054728ec84b2c652fd672826ace5049183af8ef70a0f22665ff8781cfa62a7
Instruction Fuzzy Hash: 32016D71A00600ABD310DF16DC86B66FBE8FB88A20F14815AED089BB41D775F955CBE6

Function 00DFA65E Relevance: 1.5, APIs: 1, Instructions: 39comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 00DFA690

Memory Dump Source

Source File: 00000000.00000002.2049651306.0000000000DFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dfa000_Gv10VZCeN7.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 648c757afc9ff56e1e2ca71019eb982578e6eca7fef53d918143afba3c855cd3
Instruction ID: cd8d718efc3b2f22cb13ede106664e4a1c1a1662fb25182d40512eac51fafac1
Opcode Fuzzy Hash: 648c757afc9ff56e1e2ca71019eb982578e6eca7fef53d918143afba3c855cd3
Instruction Fuzzy Hash: 76018FB19056449FDB20CF19D984766FBA4EF04720F0DC4AADE498F252D375E404CEA2

Function 00DFAA12 Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00DFAA44

Memory Dump Source

Source File: 00000000.00000002.2049651306.0000000000DFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dfa000_Gv10VZCeN7.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 45bc3a35beed95626c35a98eccc424abaacdacd6e64b48db60fc0f0a42d2521e
Instruction ID: e25031aa11c8afae8501cae57b632c8262ca7d7345e7332b6e5a273af1352dee
Opcode Fuzzy Hash: 45bc3a35beed95626c35a98eccc424abaacdacd6e64b48db60fc0f0a42d2521e
Instruction Fuzzy Hash: 29F08C759046489FDB20CF19DA84762FBE0EF04724F08C0AADE494B752D279E948CEB2

Function 00DFAB7C Relevance: 1.3, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 00DFABF0

Memory Dump Source

Source File: 00000000.00000002.2049651306.0000000000DFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dfa000_Gv10VZCeN7.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 63313cb35d3ca5bc9ded066ff01cf31b4902396e081d3ee742ab541762f3ff9a
Instruction ID: 0a198b16302d52025d2ae4e483b3717dac5a5f2be0aa776183791f5007f64de5
Opcode Fuzzy Hash: 63313cb35d3ca5bc9ded066ff01cf31b4902396e081d3ee742ab541762f3ff9a
Instruction Fuzzy Hash: EB21B0B55093809FD7128F25DC95652BFB8EF07220F0984DADD858F2A3D2649909CB62

Function 00DFABBE Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 00DFABF0

Memory Dump Source

Source File: 00000000.00000002.2049651306.0000000000DFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dfa000_Gv10VZCeN7.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: f324bd330f422dbde4dbe14ff213388f0ce09f21e230cb437f0b48663fb9c544
Instruction ID: 1c376cbdd5c9e9b23e20c1b017f8059f854f572bb494ade2c40eded59bd8df4b
Opcode Fuzzy Hash: f324bd330f422dbde4dbe14ff213388f0ce09f21e230cb437f0b48663fb9c544
Instruction Fuzzy Hash: 360184756042449FDB10CF19D985766FBE4DF05720F08C4AADE498B751D375E844CE62

Function 04DF37FA Relevance: .5, Instructions: 495COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050531484.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_Gv10VZCeN7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4826ac693cbc03c9f33b5fd01a72154da9eba727d5b8fb0a5acdd1a17d76da9
Instruction ID: a3261f1ee8609d3f99ee8d1b51110ae7cd78fd11250c166cdf9fdaf274e10c46
Opcode Fuzzy Hash: e4826ac693cbc03c9f33b5fd01a72154da9eba727d5b8fb0a5acdd1a17d76da9
Instruction Fuzzy Hash: E2324970A01218CFCB24EF74D955BADB7B2BF49308F1045A9E509AB394DB799E81CF50

Function 04DF39B7 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050531484.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_Gv10VZCeN7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb08a06e4c694b901538bfb0b9cc0f318a742d73130198e2fd43d61eb6c40426
Instruction ID: 686f559b8aaf3298db2db3ef049a77064929e9a1f3e6736bf8617b455566b756
Opcode Fuzzy Hash: cb08a06e4c694b901538bfb0b9cc0f318a742d73130198e2fd43d61eb6c40426
Instruction Fuzzy Hash: 76818B30A01258CFDB24EFB4C851BADB7B2AF85308F1044AAE509AB394DB799D85CF51

Function 04DF3B10 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050531484.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_Gv10VZCeN7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ba0bef17214785631ffd7b2466035654cfc2bd3406b9e520ce11a02cd3ce3ea
Instruction ID: 52685b9cd1b81cdde94be72e85c43391f987c19928e7477a94a845a9d1bacfae
Opcode Fuzzy Hash: 1ba0bef17214785631ffd7b2466035654cfc2bd3406b9e520ce11a02cd3ce3ea
Instruction Fuzzy Hash: 5541A070A01218CFDB24EFB5C950BECB7B2BF45308F1140AAD445AB294DB785E85CF21

Function 04DF02C0 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050531484.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_Gv10VZCeN7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 898467ca552c8346ba2094cf6a3daf781807ac419ca8863f8c2b92fa9cb3f8dc
Instruction ID: 8e6fab8f45513c5f0280af3d79fdb9cfb5b041ca7e41460ced7ca713d9f2f68f
Opcode Fuzzy Hash: 898467ca552c8346ba2094cf6a3daf781807ac419ca8863f8c2b92fa9cb3f8dc
Instruction Fuzzy Hash: 5531C530B012119FDB24BB79D811BBE37A6EB8820CF1044399605D77A9DF39ED1A87E1

Function 04DF00B8 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050531484.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_Gv10VZCeN7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4db9a8281c10d346d337aaa30d716ca23b4f68fc527f178b5dffba9d95423633
Instruction ID: 3ae1b7b684a6f95c8d3fe045c07e6e3e476d13f597d6c6958680c82393b5ec32
Opcode Fuzzy Hash: 4db9a8281c10d346d337aaa30d716ca23b4f68fc527f178b5dffba9d95423633
Instruction Fuzzy Hash: 3731E532B052409FD715AB79A851BAE3BA79BC2308F1485BDE005DB2D1DF7A8C458792

Function 04DF0118 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050531484.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_Gv10VZCeN7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0ddb2eb788a50775e30406d8f0061e7e58bd535a00c571e54b55e3e08cbf074
Instruction ID: 78755de54a966c49929d9bb88a9a21b753fed4b6429868abf6f9787c83ebde7d
Opcode Fuzzy Hash: b0ddb2eb788a50775e30406d8f0061e7e58bd535a00c571e54b55e3e08cbf074
Instruction Fuzzy Hash: A111E136B051408FC325B779B851BBA26879BC534871849BDE005DB791CFAE8C4987A2

Function 04DF0007 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050531484.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_Gv10VZCeN7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff916ab0f5d7d09cfad7f6be0ac15ec3d9d5b1d8b5b1996e1bf7cd2e56af5f4b
Instruction ID: e7d63e26a4958512881056766e017dc0126dfa86e5f13d5eee19405b3cdb513e
Opcode Fuzzy Hash: ff916ab0f5d7d09cfad7f6be0ac15ec3d9d5b1d8b5b1996e1bf7cd2e56af5f4b
Instruction Fuzzy Hash: E31180A554F3C08FD30397346CA46813FB09F17209B8E45EBC484CA5A7E25D594ED762

Function 011E05E0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050269765.00000000011E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11e0000_Gv10VZCeN7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c14b23d045a7b20d91ab5a90dccd865f4f0a73137c67a040f0f829ab643db07f
Instruction ID: 019d34821b3752d0c7abe6c3790ab8ca762308490f17a36392662c5d68d2f243
Opcode Fuzzy Hash: c14b23d045a7b20d91ab5a90dccd865f4f0a73137c67a040f0f829ab643db07f
Instruction Fuzzy Hash: C3016DB65097846FD711CF06ED41862FBA8EE86630709C4ABEC498B652D225B909CB72

Function 04DF00A8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050531484.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_Gv10VZCeN7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af2de6b1ea13b33f3396dbc9d67c210740d24ba2b5855aefa9c4bcc680ba000e
Instruction ID: 84337179b96ea73ea5c7fb67d172c4a2041b28745dc1dc4d629fbfc9fda0f86d
Opcode Fuzzy Hash: af2de6b1ea13b33f3396dbc9d67c210740d24ba2b5855aefa9c4bcc680ba000e
Instruction Fuzzy Hash: ACF02B76A00304AFDB14DF709C52BAE7FB2DF81714F1486AEE141EB1C2DA325841C740

Function 011E0606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050269765.00000000011E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11e0000_Gv10VZCeN7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 016b40381926af580f641c9e1946a99462a9cdbe2e60c3e5de7343c061ea99b0
Instruction ID: c9e660f2cbc50e356ddff825576172637ddce1d2046e658c0e39476a4b9f73c7
Opcode Fuzzy Hash: 016b40381926af580f641c9e1946a99462a9cdbe2e60c3e5de7343c061ea99b0
Instruction Fuzzy Hash: 8EE092B6A046044B9650CF0AED41452F7D8EB84630708C47FDC0D8B711D235B508CEA5

Function 04DF3010 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050531484.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_Gv10VZCeN7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2d514357398d670afa304ff9b82ef5f3c1140393b90fc20de0d3e6c39e98ada
Instruction ID: dd0b4137c9987b0983676e1a4c35957578d09fbecc3422b07b6eb0e5d65e509d
Opcode Fuzzy Hash: c2d514357398d670afa304ff9b82ef5f3c1140393b90fc20de0d3e6c39e98ada
Instruction Fuzzy Hash: 45E0123024E3809FC71A573464289983F715F4611A71804FEC54ACB6A6DA7B8446CF50

Function 00DF23F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2049631025.0000000000DF2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df2000_Gv10VZCeN7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b17b89cbb2fc2b627918424e84ae64f7490f630e29fd20dc2a392723803ce43a
Instruction ID: c7f783edd6dc88b318a4d21092ec85c5c98cfc6e53851f2364aa7b07c4d94b18
Opcode Fuzzy Hash: b17b89cbb2fc2b627918424e84ae64f7490f630e29fd20dc2a392723803ce43a
Instruction Fuzzy Hash: BFD02E792006C44FD3238A0CC2A5BA537D4AB60704F0B84FAA800CB763C7A8D881C220

Function 00DF23BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2049631025.0000000000DF2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df2000_Gv10VZCeN7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61235713ead99133596e2eb2f371bfb4c5bda17fc84300e6cc723773843ecddb
Instruction ID: b29072057913288850d6b955b7220d10c2dab94e0b8ecc6bb24446ce49e60ed7
Opcode Fuzzy Hash: 61235713ead99133596e2eb2f371bfb4c5bda17fc84300e6cc723773843ecddb
Instruction Fuzzy Hash: B8D05E742006854FC725DB0CC2D4F6937D4AB40714F1A84ECAC108B762C7A9D8C5DA10

Non-executed Functions

Function 04DF44E9 Relevance: 4.1, Strings: 2, Instructions: 1624COMMON

Download Yara Rule

Strings

, xrefs: 04DF4BBC
|t, xrefs: 04DF53C6

Memory Dump Source

Source File: 00000000.00000002.2050531484.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_Gv10VZCeN7.jbxd

Similarity

API ID:
String ID: $|t
API String ID: 0-1654681884
Opcode ID: 931875aa1f1d27d95c914de2f54cf0c4d1334e030a7831f962c5b59d81d72446
Instruction ID: f8b3c0d6f0297ac176118f588a6a22b2c9a85e1fbc6f0955baa5b0c023a8e2f8
Opcode Fuzzy Hash: 931875aa1f1d27d95c914de2f54cf0c4d1334e030a7831f962c5b59d81d72446
Instruction Fuzzy Hash: 9A032B74A02128CFDB64EB34DD54BA9B7B2FB48304F1041EAE909A73A5DB359E95CF40

Function 04DF453C Relevance: 4.1, Strings: 2, Instructions: 1618COMMON

Download Yara Rule

Strings

, xrefs: 04DF4BBC
|t, xrefs: 04DF53C6

Memory Dump Source

Source File: 00000000.00000002.2050531484.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_Gv10VZCeN7.jbxd

Similarity

API ID:
String ID: $|t
API String ID: 0-1654681884
Opcode ID: 06cc121a655f5ac068cc82253e0521ca704c87f8aac13ff68e519b3aa670f805
Instruction ID: 27b397f4cdeae8ff887b9ec7eafa2bb77ebb95517affecf5e56c5ce35c9ed780
Opcode Fuzzy Hash: 06cc121a655f5ac068cc82253e0521ca704c87f8aac13ff68e519b3aa670f805
Instruction Fuzzy Hash: 11032B74A02128CFDB64EB34DD54BA9B7B2FB48304F1041EAE909A73A5DB359E95CF40

Function 04DF4628 Relevance: 4.1, Strings: 2, Instructions: 1579COMMON

Download Yara Rule

Strings

, xrefs: 04DF4BBC
|t, xrefs: 04DF53C6

Memory Dump Source

Source File: 00000000.00000002.2050531484.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_Gv10VZCeN7.jbxd

Similarity

API ID:
String ID: $|t
API String ID: 0-1654681884
Opcode ID: ba2767411f97cd956db22a9951bb27e9bdfb2803af6ab03eb005268a172667cf
Instruction ID: 6bf5721db3965e6840aa3392b36abe36596a4f9960181a921c3297c935c1d300
Opcode Fuzzy Hash: ba2767411f97cd956db22a9951bb27e9bdfb2803af6ab03eb005268a172667cf
Instruction Fuzzy Hash: 90032B74A02128CFDB64EB34DD54BA9B7B2FB48304F1041E9E909A73A5DB359E95CF40

Function 04DF4707 Relevance: 4.0, Strings: 2, Instructions: 1544COMMON

Download Yara Rule

Strings

, xrefs: 04DF4BBC
|t, xrefs: 04DF53C6

Memory Dump Source

Source File: 00000000.00000002.2050531484.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_Gv10VZCeN7.jbxd

Similarity

API ID:
String ID: $|t
API String ID: 0-1654681884
Opcode ID: 82afb7a215eb3ccdc65d0b63a628dd0505128019529c1d9c481f82038fad5245
Instruction ID: 7d9500aac58d77f06f569502d0a7c4b193aa1113a4f5e86718827c39f1cd62ae
Opcode Fuzzy Hash: 82afb7a215eb3ccdc65d0b63a628dd0505128019529c1d9c481f82038fad5245
Instruction Fuzzy Hash: E2F22B74A02128CFDB64EB34DD54BA9B7B2FB48304F1041EAE909A73A5DB359E95CF40

Function 04DF47CC Relevance: 4.0, Strings: 2, Instructions: 1513COMMON

Download Yara Rule

Strings

, xrefs: 04DF4BBC
|t, xrefs: 04DF53C6

Memory Dump Source

Source File: 00000000.00000002.2050531484.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_Gv10VZCeN7.jbxd

Similarity

API ID:
String ID: $|t
API String ID: 0-1654681884
Opcode ID: 6bfe550d11c0a37f175079111b853f483499f5325826726d02e1ef2c1074b051
Instruction ID: 1011c0e1e66babad799ff7d675455cd7402c6a30ede8f4e700771ab663dbfbfd
Opcode Fuzzy Hash: 6bfe550d11c0a37f175079111b853f483499f5325826726d02e1ef2c1074b051
Instruction Fuzzy Hash: A9F22B74A02128CFDB64EB34DD54BA9B7B2FB48304F1041EAE909A73A5DB359E95CF40

Function 04DF492E Relevance: 4.0, Strings: 2, Instructions: 1456COMMON

Download Yara Rule

Strings

, xrefs: 04DF4BBC
|t, xrefs: 04DF53C6

Memory Dump Source

Source File: 00000000.00000002.2050531484.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_Gv10VZCeN7.jbxd

Similarity

API ID:
String ID: $|t
API String ID: 0-1654681884
Opcode ID: 891a44d0cb15a208e6d90528d81e1452394f430ae59cb26f279f0565bfdeb325
Instruction ID: 830e0c7ed67fbb45f871a5cca4c156f2886512b9eaf5474471c29ee14eb042f8
Opcode Fuzzy Hash: 891a44d0cb15a208e6d90528d81e1452394f430ae59cb26f279f0565bfdeb325
Instruction Fuzzy Hash: F6F23B74A02128CFDB64EB34DD54BA9B7B2FB48304F1041EAE909A73A5DB359E95CF40

Function 04DF4995 Relevance: 3.9, Strings: 2, Instructions: 1447COMMON

Download Yara Rule

Strings

, xrefs: 04DF4BBC
|t, xrefs: 04DF53C6

Memory Dump Source

Source File: 00000000.00000002.2050531484.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_Gv10VZCeN7.jbxd

Similarity

API ID:
String ID: $|t
API String ID: 0-1654681884
Opcode ID: 99c254fd39fa243dcf04425e020788e97290e6af50ed9d3bcfc551437a3b2113
Instruction ID: f93f4438170133b69183d2b1c1143748e1462d49c98e2fd3945f0feba867fbcf
Opcode Fuzzy Hash: 99c254fd39fa243dcf04425e020788e97290e6af50ed9d3bcfc551437a3b2113
Instruction Fuzzy Hash: E8F23B74A02128CFDB64EB34DD54BA9B7B2FB48304F1041EAE909A73A5DB359E95CF40

Function 04DF49F1 Relevance: 3.9, Strings: 2, Instructions: 1440COMMON

Download Yara Rule

Strings

, xrefs: 04DF4BBC
|t, xrefs: 04DF53C6

Memory Dump Source

Source File: 00000000.00000002.2050531484.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_Gv10VZCeN7.jbxd

Similarity

API ID:
String ID: $|t
API String ID: 0-1654681884
Opcode ID: db152a83997c36e9c3fa6ab064e049f997dddbe76f646c4234115b9ee9b6ae96
Instruction ID: 10741c42eeeb912e07f032ccd36260057fdce70ce174118445c416a8776a5153
Opcode Fuzzy Hash: db152a83997c36e9c3fa6ab064e049f997dddbe76f646c4234115b9ee9b6ae96
Instruction Fuzzy Hash: 9EF23B74A02128CFDB64EB34DD54BA9B7B2FB48304F1041EAE909A73A5DB359E95CF40

Function 04DF4B53 Relevance: 3.9, Strings: 2, Instructions: 1383COMMON

Download Yara Rule

Strings

, xrefs: 04DF4BBC
|t, xrefs: 04DF53C6

Memory Dump Source

Source File: 00000000.00000002.2050531484.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_Gv10VZCeN7.jbxd

Similarity

API ID:
String ID: $|t
API String ID: 0-1654681884
Opcode ID: 7bdcc77f558f99368c2ab964913ba94d71dc45db41180da3db49d125f6b96065
Instruction ID: 447f7158b85fe6ccfd358e9c7809eae75030a05b225e10ab6562ce90cb4d2f43
Opcode Fuzzy Hash: 7bdcc77f558f99368c2ab964913ba94d71dc45db41180da3db49d125f6b96065
Instruction Fuzzy Hash: DCE24B74A02128CFDB64EB34DD54BA9B7B2FB48304F1041EAE909A73A5DB359E95CF40

Function 04DF4C87 Relevance: 2.6, Strings: 1, Instructions: 1362COMMON

Download Yara Rule

Strings

|t, xrefs: 04DF53C6

Memory Dump Source

Source File: 00000000.00000002.2050531484.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_Gv10VZCeN7.jbxd

Similarity

API ID:
String ID: |t
API String ID: 0-1785604035
Opcode ID: deea6961ab9ef03780b666263825e65b7cf46b85be8e1b77845552205cfe89ed
Instruction ID: 009efa39993c2eddd65670c0f914a463a57396f5ca7ef6066beadd5320ea2fcc
Opcode Fuzzy Hash: deea6961ab9ef03780b666263825e65b7cf46b85be8e1b77845552205cfe89ed
Instruction Fuzzy Hash: 77E23B74A02128CFDB64EB34DD54BA9B7B2FB48304F1041EAE909A73A5DB359E95CF40

Function 04DF4F27 Relevance: 2.5, Strings: 1, Instructions: 1245COMMON

Download Yara Rule

Strings

|t, xrefs: 04DF53C6

Memory Dump Source

Source File: 00000000.00000002.2050531484.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_Gv10VZCeN7.jbxd

Similarity

API ID:
String ID: |t
API String ID: 0-1785604035
Opcode ID: 83070e973502d1ba36b2317dfcccdde20818fdb73fc6fdc9a634fd4421a30fcb
Instruction ID: 2e452d4bed2e8fb80b76856686cc23f0f70fff7f9b2acfc93844554d0ec3cc23
Opcode Fuzzy Hash: 83070e973502d1ba36b2317dfcccdde20818fdb73fc6fdc9a634fd4421a30fcb
Instruction Fuzzy Hash: 6BD23C74A02228CFDB65EF34DD54BA9B7B2BB48304F1041E9E909A73A5DB359E85CF40

Function 04DF4F95 Relevance: 2.5, Strings: 1, Instructions: 1236COMMON

Download Yara Rule

Strings

|t, xrefs: 04DF53C6

Memory Dump Source

Source File: 00000000.00000002.2050531484.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_Gv10VZCeN7.jbxd

Similarity

API ID:
String ID: |t
API String ID: 0-1785604035
Opcode ID: 6079d5e026b2525412d818ef3dc96768018c208a58b6d97a3f57fea736b97a99
Instruction ID: be473c8152d9565738bcff32ef7507b793cc976068dc025a1ca11b824fab6501
Opcode Fuzzy Hash: 6079d5e026b2525412d818ef3dc96768018c208a58b6d97a3f57fea736b97a99
Instruction Fuzzy Hash: 1FD23B74A02228CFDB65EF34DD54BA9B7B2BB48304F1041E9E909A73A5DB359E85CF40

Function 04DF4FF8 Relevance: 2.5, Strings: 1, Instructions: 1230COMMON

Download Yara Rule

Strings

|t, xrefs: 04DF53C6

Memory Dump Source

Source File: 00000000.00000002.2050531484.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_Gv10VZCeN7.jbxd

Similarity

API ID:
String ID: |t
API String ID: 0-1785604035
Opcode ID: a8f0005b2449b0a491c60e3947416008f20d2bb73912f1d2948309b47d7eb379
Instruction ID: 645033311892292979da3fdb7539f1352deb23c6d1d92850f9e1c8d4264f5506
Opcode Fuzzy Hash: a8f0005b2449b0a491c60e3947416008f20d2bb73912f1d2948309b47d7eb379
Instruction Fuzzy Hash: 17D23B74A02228CFDB65EF34DD54BA9B7B2BB48304F1041E9E909A73A5DB359E85CF40

Function 04DF5055 Relevance: 2.5, Strings: 1, Instructions: 1225COMMON

Download Yara Rule

Strings

|t, xrefs: 04DF53C6

Memory Dump Source

Source File: 00000000.00000002.2050531484.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_Gv10VZCeN7.jbxd

Similarity

API ID:
String ID: |t
API String ID: 0-1785604035
Opcode ID: 622712384021d6212330ec06ae6469f60dacad2bb53fac11f3cc399a80750881
Instruction ID: 7d87732fc281618c599dedd9805b6085404719924c7a2b603c4941fa3dd43155
Opcode Fuzzy Hash: 622712384021d6212330ec06ae6469f60dacad2bb53fac11f3cc399a80750881
Instruction Fuzzy Hash: E6D23B74A02228CFDB65EB34DD54BA9B7B2BB48304F1041E9E909A73A5DB359E85CF40

Function 04DF50DB Relevance: 2.5, Strings: 1, Instructions: 1210COMMON

Download Yara Rule

Strings

|t, xrefs: 04DF53C6

Memory Dump Source

Source File: 00000000.00000002.2050531484.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_Gv10VZCeN7.jbxd

Similarity

API ID:
String ID: |t
API String ID: 0-1785604035
Opcode ID: 9b0f338e40f13e745acb048aa45f76584085e84d79589a81e4b8a46b252f048f
Instruction ID: 40d6d4aeb6f0075c1f4c8c7b8a3d4567bb6168b52a48ff98c83477a705fa8970
Opcode Fuzzy Hash: 9b0f338e40f13e745acb048aa45f76584085e84d79589a81e4b8a46b252f048f
Instruction Fuzzy Hash: 18D23B74A02228CFDB65EB34DD54BA9B7B2BB48304F1041E9E909A73A5DB359E85CF40

Function 04DF5367 Relevance: 2.3, Strings: 1, Instructions: 1071COMMON

Download Yara Rule

Strings

|t, xrefs: 04DF53C6

Memory Dump Source

Source File: 00000000.00000002.2050531484.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_Gv10VZCeN7.jbxd

Similarity

API ID:
String ID: |t
API String ID: 0-1785604035
Opcode ID: 38f804b3e7abcb0e8ddb76035b9c4ebb3878924fe0d372d5b0e5f78385f67b10
Instruction ID: 06c34eda087a1eedbda63a989ca8019bfaaec11b301cff63de6396505d29ce98
Opcode Fuzzy Hash: 38f804b3e7abcb0e8ddb76035b9c4ebb3878924fe0d372d5b0e5f78385f67b10
Instruction Fuzzy Hash: 7EC21D74A02228CFDB65EF24DD54BA9B7B2FB48304F1041E9E909AB395DB359E91CF40

Function 04DF3058 Relevance: 5.1, Strings: 4, Instructions: 88COMMON

Download Yara Rule

Strings

N, xrefs: 04DF30E8
N, xrefs: 04DF3122
N, xrefs: 04DF3081
N, xrefs: 04DF30C5

Memory Dump Source

Source File: 00000000.00000002.2050531484.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_Gv10VZCeN7.jbxd

Similarity

API ID:
String ID: N$N$N$N
API String ID: 0-91100018
Opcode ID: 50f324b3af9f0ff77a927eee23093d30fe982718ece2c936735fa549d8ef84b2
Instruction ID: a622743aa5f5c4099278136d8e1cfcc1749cff732d7b9c96d0b0a903aec2f85b
Opcode Fuzzy Hash: 50f324b3af9f0ff77a927eee23093d30fe982718ece2c936735fa549d8ef84b2
Instruction Fuzzy Hash: 96214B747006599FEB20DF69C841BAA73E9FF89304F154469EA06EB794EB70FC058B90

Analysis Process: server.exePID: 5252, Parent PID: 4208COMMON

Execution Graph

Execution Coverage:	39.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	8.9%
Total number of Nodes:	112
Total number of Limit Nodes:	7

Executed Functions

Function 04EC4298 Relevance: 3.2, Strings: 1, Instructions: 1950COMMON

Download Yara Rule

Strings

@, xrefs: 04EC4C24

Memory Dump Source

Source File: 00000002.00000002.4480586343.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4ec0000_server.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 03dacfbb7847cf851fe0d9355633a917a97c5443fd7bb257317b1df7bfaf44d3
Instruction ID: fc015ea566db6df488d25ad49c89fd6f27f53fb81503eb4c4c2b0645777f693f
Opcode Fuzzy Hash: 03dacfbb7847cf851fe0d9355633a917a97c5443fd7bb257317b1df7bfaf44d3
Instruction Fuzzy Hash: 87235C75A012688FDB24EF34C954BADB7B2FB58308F1081E9D909673A5DB35AE81CF50

Function 04EC4269 Relevance: 3.0, Strings: 1, Instructions: 1762COMMON

Download Yara Rule

Strings

, xrefs: 04EC4BC4

Memory Dump Source

Source File: 00000002.00000002.4480586343.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4ec0000_server.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 7df670d5219d32e1235048357c6d3a3219a0c4735a629db08c0904b035aa5cb9
Instruction ID: d355f81776ba8c07fcc7ee8acd3ae4a2b1067db24dc913e6e3149c18a12d8a08
Opcode Fuzzy Hash: 7df670d5219d32e1235048357c6d3a3219a0c4735a629db08c0904b035aa5cb9
Instruction Fuzzy Hash: 7A135B75A012688FDB24EF34C994BADB7B2FB58308F1081E9D909673A5DB356E81CF50

Function 04EC44F1 Relevance: 2.9, Strings: 1, Instructions: 1624COMMON

Download Yara Rule

Strings

, xrefs: 04EC4BC4

Memory Dump Source

Source File: 00000002.00000002.4480586343.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4ec0000_server.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: d33adc8bd55eda4312bf57c442399868c2a8367d7fab7f528e4bd101fd59ceb0
Instruction ID: 2090681c2829494c925e782b87b7542555c1a31e9bf4065653aaeb9afab66de4
Opcode Fuzzy Hash: d33adc8bd55eda4312bf57c442399868c2a8367d7fab7f528e4bd101fd59ceb0
Instruction Fuzzy Hash: 2B034A75A012688FDB24EF34D994BADB7B2FB58308F0081E9D909673A5DB356E81CF50

Function 04EC4544 Relevance: 2.9, Strings: 1, Instructions: 1618COMMON

Download Yara Rule

Strings

, xrefs: 04EC4BC4

Memory Dump Source

Source File: 00000002.00000002.4480586343.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4ec0000_server.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: e6739d9db2d7094d7cc5c45d41d8e95fc69eba3799caa5d74eaf2b9314de2662
Instruction ID: cf7aca184df033c26af00f052fa4369634a9991a4edf6797d53f17c654b825cc
Opcode Fuzzy Hash: e6739d9db2d7094d7cc5c45d41d8e95fc69eba3799caa5d74eaf2b9314de2662
Instruction Fuzzy Hash: 1F034A75A012688FDB24EF34D994BADB7B2FB58308F0081E9D909673A5DB356E81CF50

Function 04EC47D4 Relevance: 2.8, Strings: 1, Instructions: 1513COMMON

Download Yara Rule

Strings

, xrefs: 04EC4BC4

Memory Dump Source

Source File: 00000002.00000002.4480586343.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4ec0000_server.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 39568ea8bc53013a47c8b382cdfcf71817f98a9654c0fcaed63392851fac0c04
Instruction ID: 4c4e59401872e554e088929b235e140984c026cec3c8458b91efe54a6ed32b07
Opcode Fuzzy Hash: 39568ea8bc53013a47c8b382cdfcf71817f98a9654c0fcaed63392851fac0c04
Instruction Fuzzy Hash: 2BF25A75A012688FDB25EF34C994BADB7B2FB58308F0081E9D909673A5DB356E81CF50

Function 04EC499D Relevance: 2.7, Strings: 1, Instructions: 1447
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 04EC4BC4

Memory Dump Source

Source File: 00000002.00000002.4480586343.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4ec0000_server.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 3e24155bc54255bbc5a4c48f4f9fb1a836bbe7017b79efc245a342ae64c12bed
Instruction ID: 3e6248cb97eb77995905434314a431089517d39a3645e21cce68a4c14e38bda0
Opcode Fuzzy Hash: 3e24155bc54255bbc5a4c48f4f9fb1a836bbe7017b79efc245a342ae64c12bed
Instruction Fuzzy Hash: A4F25B75A012688FDB25EF34C994BADB7B2FB58308F0081E9D909673A5DB356E81CF50

Function 04EC49F9 Relevance: 2.7, Strings: 1, Instructions: 1440
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 04EC4BC4

Memory Dump Source

Source File: 00000002.00000002.4480586343.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4ec0000_server.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 4e3996e7c1dab372b29e8d5491047a63f7c05b096f5ad6afa2d0a92ea4ad0f2b
Instruction ID: 454c9b5f898b9eab1d4100d64a368204e91ce3d1fffc357e8d7a8f7cc41b5e62
Opcode Fuzzy Hash: 4e3996e7c1dab372b29e8d5491047a63f7c05b096f5ad6afa2d0a92ea4ad0f2b
Instruction Fuzzy Hash: B6F25B75A012688FDB25EF34C994BADB7B2FB58308F0081E9D909673A5DB356E81CF50

Function 00CDBD6F Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 00CDBDEF

Memory Dump Source

Source File: 00000002.00000002.4478337591.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cda000_server.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 285301d85270a538d9021a38e73b526caf88035e0fe18644b358cb1a8bd92821
Instruction ID: 1cc213ce383b4782b5c47c189d7cb5f9c84c8e9aa2593e500f1492f787f8c652
Opcode Fuzzy Hash: 285301d85270a538d9021a38e73b526caf88035e0fe18644b358cb1a8bd92821
Instruction Fuzzy Hash: B421B1755097809FDB128F25DC44B92BFB4EF06310F09849AEA858B663D371D908DB62

Function 00CDBEF1 Relevance: 1.6, APIs: 1, Instructions: 57nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 00CDBF5D

Memory Dump Source

Source File: 00000002.00000002.4478337591.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cda000_server.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 369e89f7b74efcb6eeb7924415cc5656688d43e25facd90b766180eca98fb90a
Instruction ID: 5b504e0d990148938cdd6a392828c514fe8d1529d6f889f646269e3e2b6820ba
Opcode Fuzzy Hash: 369e89f7b74efcb6eeb7924415cc5656688d43e25facd90b766180eca98fb90a
Instruction Fuzzy Hash: 9B1190754097C09FDB228F14DC45A92FFB4EF16314F0984DBEA848B263D275A918DB62

Function 00CDBDA6 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 00CDBDEF

Memory Dump Source

Source File: 00000002.00000002.4478337591.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cda000_server.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 4a2891f26e123c8248371bb68af288ec4fc61a747891cee086c3599fcb5a4cb2
Instruction ID: e3b5afd938d93ddf4b6631e535be7b46a4eda5ce2fab12c203cf466494ae1e6a
Opcode Fuzzy Hash: 4a2891f26e123c8248371bb68af288ec4fc61a747891cee086c3599fcb5a4cb2
Instruction Fuzzy Hash: 73114C75600604DFDB20CF66D984BA6BBE4EF04320F08886AEE458BB51D375E918DB62

Function 00CDA5EE Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,00000E24,?,?), ref: 00CDA63E

Memory Dump Source

Source File: 00000002.00000002.4478337591.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cda000_server.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 5b8f04660b9f2d6e85e7a7461678b7fb68ee4db72d7534cd1130ce7cf5885b39
Instruction ID: a08d040790221c10a6b1a8b5ee90386cf4e9d88658668ac53167b3bfc123ef49
Opcode Fuzzy Hash: 5b8f04660b9f2d6e85e7a7461678b7fb68ee4db72d7534cd1130ce7cf5885b39
Instruction Fuzzy Hash: 8401D171600200ABD310DF16CC86B76FBE8FB88A20F14815AED089BB41E771F915CBE6

Function 00CDBF22 Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 00CDBF5D

Memory Dump Source

Source File: 00000002.00000002.4478337591.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cda000_server.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 26554ef4172f504c60ff77cc7783893aa518f27f70761b5eb7f82cb4f118ad43
Instruction ID: e76c8c985a9c5911c03f7a56a09dfd2d901fe3adab8f23600fd13184f0d6b922
Opcode Fuzzy Hash: 26554ef4172f504c60ff77cc7783893aa518f27f70761b5eb7f82cb4f118ad43
Instruction Fuzzy Hash: 92014B79504640DFDB208F55DD84B61FBE0EF08724F08C4AADE894A762D375E918DFA2

Function 04EC4C8F Relevance: 1.4, Instructions: 1362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4480586343.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4ec0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75cb298e6e5ef7a77a832e818e050a760610cf5ad9a63ef3d85497f7173aa510
Instruction ID: 8f346a4488d305226daa56bd3778837d53a823f2b7f3fc4f39617573d2f32980
Opcode Fuzzy Hash: 75cb298e6e5ef7a77a832e818e050a760610cf5ad9a63ef3d85497f7173aa510
Instruction Fuzzy Hash: 9DE25B75A012688FDB25EF34C994BADB7B2FB58304F0081E9D909673A5DB356E81CF50

Function 04EC4F9D Relevance: 1.2, Instructions: 1236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4480586343.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4ec0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 178991d4f657a90c17e207a4093b1eef0ceba62cf18c3da80be34a6e0f29fecb
Instruction ID: 6d8ad114cb90a7f295b3f3f06a01fcf46266f248bd52ad13bb2d3d94da700e2d
Opcode Fuzzy Hash: 178991d4f657a90c17e207a4093b1eef0ceba62cf18c3da80be34a6e0f29fecb
Instruction Fuzzy Hash: 95D26B75A012688FDB25EF34D994BADBBB2FB58304F0081E9D809673A5DB356E81CF50

Function 04EC50E3 Relevance: 1.2, Instructions: 1210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4480586343.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4ec0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03d4f365e154f1b3588ace6b0bda46c1be349ebc63044cf7e400071a1931490a
Instruction ID: 79f794cec3ddd48f24612d8028413ce48e0925d34b474c8916ceaa2d7cb09628
Opcode Fuzzy Hash: 03d4f365e154f1b3588ace6b0bda46c1be349ebc63044cf7e400071a1931490a
Instruction Fuzzy Hash: 0CD26B75A012688FDB65EF34C994BADB7B2FB68304F0081E9D809673A5DB356E81CF50

Function 04EC536F Relevance: 1.1, Instructions: 1071COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4480586343.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4ec0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 418b5f06a839261b485e370e1a95708f49553978d09586cc86ac0ac4d8ca2e99
Instruction ID: 7c030d59159203333cea6c4da7936784186f9f9c136b2da964f5d7ddc5cf6060
Opcode Fuzzy Hash: 418b5f06a839261b485e370e1a95708f49553978d09586cc86ac0ac4d8ca2e99
Instruction Fuzzy Hash: 6BC24875A01228CFDB25EF34C954BA9B7B2FB58304F1081E9D9096B3A5DB35AE81CF50

Function 04EC7667 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4480586343.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4ec0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae259bab7ebf322ffd1633ba65e89ab61a4d55a5cd0b7df5ecb6ba912570407a
Instruction ID: 6d0d5c4590f1c79a091e6343e2656e692a442d623c1adafc32106317bd57a9fe
Opcode Fuzzy Hash: ae259bab7ebf322ffd1633ba65e89ab61a4d55a5cd0b7df5ecb6ba912570407a
Instruction Fuzzy Hash: 0532C0326012528BDB35AB31DA8077E77E2BF54259B04807EE491DB3D5EF38E942DB90

Function 04EC7AA0 Relevance: .5, Instructions: 493COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4480586343.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4ec0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa91c75b0d1f4522395a2c715472bd994276a0295145676a9b20aac92eba94ad
Instruction ID: 0949bb864e1c2f520828fa095be1b101c00dd64d47a10ddb2225d40e33c95793
Opcode Fuzzy Hash: aa91c75b0d1f4522395a2c715472bd994276a0295145676a9b20aac92eba94ad
Instruction Fuzzy Hash: D00217729002629BD739AF30868157DB3637F50356715813EE8A59B2D0EF2AFC52CF90

Function 00CDB126 Relevance: 1.6, APIs: 1, Instructions: 108
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 00CDB1F5

Memory Dump Source

Source File: 00000002.00000002.4478337591.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cda000_server.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 63ce72958197a070eb326cdecf6a35e5d3d7ec0ae3efa4b4f3b247eba10aaafd
Instruction ID: 57b0a036a2079aacd70279f54e4f6a3e99ace1d85648a43f5cbb112f9adc80ae
Opcode Fuzzy Hash: 63ce72958197a070eb326cdecf6a35e5d3d7ec0ae3efa4b4f3b247eba10aaafd
Instruction Fuzzy Hash: 67319372509380AFE7238B608C54BA6BFB8EF17314F0944DBE984CB663D224E909C771

Function 04D20BB4 Relevance: 1.6, APIs: 1, Instructions: 98
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 04D20C6D

Memory Dump Source

Source File: 00000002.00000002.4480454131.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d20000_server.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 4a9cf9a409e4df94e2de3272ce04cc106ce9975aa41d9a404e405469aab04e45
Instruction ID: 92cddda295fb38f49879ae98af18449940ca13ef929e6339fd5c727ddbe3fc4e
Opcode Fuzzy Hash: 4a9cf9a409e4df94e2de3272ce04cc106ce9975aa41d9a404e405469aab04e45
Instruction Fuzzy Hash: 403190B2500344AFE7228F25CD44FA7BBECEF19614F04445AF985C7652D320E509DB71

Function 04D21613 Relevance: 1.6, APIs: 1, Instructions: 98
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 04D216DA

Memory Dump Source

Source File: 00000002.00000002.4480454131.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d20000_server.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 33521b7062c7410a8d7bb2d2bfab673a82afc81ef38f6bd59cb1465b67a4e4d0
Instruction ID: 20daba4517df9b1d734038356446717d7e0b686cc6b05a320d9575e3400d0a10
Opcode Fuzzy Hash: 33521b7062c7410a8d7bb2d2bfab673a82afc81ef38f6bd59cb1465b67a4e4d0
Instruction Fuzzy Hash: 98316D6510E3C06FD3138B258C65A61BFB4EF47614B0E85CBE8848B6A3D219A919D7B2

Function 00CDAA75 Relevance: 1.6, APIs: 1, Instructions: 92
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00CDAB25

Memory Dump Source

Source File: 00000002.00000002.4478337591.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cda000_server.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7d97e5529573b18c790f55cfd231ca1455697876cea56c76be7a2478a5ea7b60
Instruction ID: 33cbddc741bd1255e66304ef8af2abd0368ae1417e7927e05254014cbb953167
Opcode Fuzzy Hash: 7d97e5529573b18c790f55cfd231ca1455697876cea56c76be7a2478a5ea7b60
Instruction Fuzzy Hash: FE318071505340AFE721CF25CC84F96BBF8EF06314F08849EE9858B252D365E909CB72

Function 04D21184 Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetExitCodeProcess.KERNELBASE(?,00000E24,1A30CFE9,00000000,00000000,00000000,00000000), ref: 04D21218

Memory Dump Source

Source File: 00000002.00000002.4480454131.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d20000_server.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: a499351fe9891ab791a1844208a78d646c0961bcd087685510a5544f26e155af
Instruction ID: f0d7c6986be727c2a3721a42db596c8a7aadd05e832f78ebc896e57830aacc4c
Opcode Fuzzy Hash: a499351fe9891ab791a1844208a78d646c0961bcd087685510a5544f26e155af
Instruction Fuzzy Hash: 5021E6755097805FD7128F20DC45B96BFB8EF57324F0884DAE984CF193D364A909C761

Function 04D21B2C Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 04D21BC3

Memory Dump Source

Source File: 00000002.00000002.4480454131.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d20000_server.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: c7a0bad8407c911713788d4b5798678d78d12307707026b4e3037869885169b2
Instruction ID: 3d4ea3e275ceb1d5318f13f0a7b6aa89e8d56aa5cade6e70f90f1aef26ff0e74
Opcode Fuzzy Hash: c7a0bad8407c911713788d4b5798678d78d12307707026b4e3037869885169b2
Instruction Fuzzy Hash: B731BF71504384AFE721CF64DC44FABBBB8EF16214F08849AE944CB652D364E908CB71

Function 00CDAF76 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 00CDB01D

Memory Dump Source

Source File: 00000002.00000002.4478337591.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cda000_server.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 625169ef50e7ac3e803553e43942c37e52abfd8eff3601125dd43709a8290a4e
Instruction ID: 0e846661ee0fe386407c2d4369eab6e48f480bba0659126629e0384c77eafe41
Opcode Fuzzy Hash: 625169ef50e7ac3e803553e43942c37e52abfd8eff3601125dd43709a8290a4e
Instruction Fuzzy Hash: 203195B15093805FE721CB25DC45F96BFF8EF16314F08849AE944CB292D365E909C772

Function 00CDB23D Relevance: 1.6, APIs: 1, Instructions: 89
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,1A30CFE9,00000000,00000000,00000000,00000000), ref: 00CDB2F8

Memory Dump Source

Source File: 00000002.00000002.4478337591.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cda000_server.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 5b41b1a1d091a2dd7c8ab0f0971ff6806cb0c07847646e13c005525a5d4de75b
Instruction ID: 615fe75d4c212d636358a824490509be4917c454611faa3dc77befb841e00a12
Opcode Fuzzy Hash: 5b41b1a1d091a2dd7c8ab0f0971ff6806cb0c07847646e13c005525a5d4de75b
Instruction Fuzzy Hash: 543181751057849FD722CB21CC45FA6BFB8EF06314F09849AE945CB652D364E948CB71

Function 04D20BD2 Relevance: 1.6, APIs: 1, Instructions: 86
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 04D20C6D

Memory Dump Source

Source File: 00000002.00000002.4480454131.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d20000_server.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 62272e5bbfc06dbe652e6d2272af63fb269452afe1e260c8760ae99306be7552
Instruction ID: 103efab7a4a06cd3c21bca3c69f384d6fb785436b6ed08c1cd40db688e1e1c24
Opcode Fuzzy Hash: 62272e5bbfc06dbe652e6d2272af63fb269452afe1e260c8760ae99306be7552
Instruction Fuzzy Hash: 2D21A2B2600204AFE7319F15CD84FA7B7ECFF18618F04856AEA45C6651E720F5089B71

Function 04D20CB5 Relevance: 1.6, APIs: 1, Instructions: 85
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegSetValueExW.KERNELBASE(?,00000E24,1A30CFE9,00000000,00000000,00000000,00000000), ref: 04D20D64

Memory Dump Source

Source File: 00000002.00000002.4480454131.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d20000_server.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 51b4f6219a63a6a5bdb7638f308b07edd52b00bfbce40d51b070868de210414b
Instruction ID: 9331670d814afbd56d4db5711e7b464da917eac5111b6e5fd2f62c12242fe00f
Opcode Fuzzy Hash: 51b4f6219a63a6a5bdb7638f308b07edd52b00bfbce40d51b070868de210414b
Instruction Fuzzy Hash: 5031B476509780AFD7228F11CD45B96BFB8EF16314F0844CBE9858F5A2D365A409CBA1

Function 04D23130 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E24,1A30CFE9,00000000,00000000,00000000,00000000), ref: 04D231C7

Memory Dump Source

Source File: 00000002.00000002.4480454131.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d20000_server.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: ebf84aaab208575e14131d7420f072e30a29f0dc7415ac4e88f9f3b9580c60d8
Instruction ID: 7852045a72bab45a5998b9de8d8ec29dc628025e0d288bbd1a2f8c28c26ed5b4
Opcode Fuzzy Hash: ebf84aaab208575e14131d7420f072e30a29f0dc7415ac4e88f9f3b9580c60d8
Instruction Fuzzy Hash: F221A5715093845FD713CB20DC55B96BFB8AF56214F0884DBE9888F193D365E909CB72

Function 04D22138 Relevance: 1.6, APIs: 1, Instructions: 85
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessTimes.KERNELBASE(?,00000E24,1A30CFE9,00000000,00000000,00000000,00000000), ref: 04D221D5

Memory Dump Source

Source File: 00000002.00000002.4480454131.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d20000_server.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 17a7dbb7fa10dbe6d122b1f85f6a4bcaacbb1c0a5faf985f3f9461d9fbc90b79
Instruction ID: 91d8817fe2854de211497a42a197a09e831307cd64793224383d5c82d66c3f83
Opcode Fuzzy Hash: 17a7dbb7fa10dbe6d122b1f85f6a4bcaacbb1c0a5faf985f3f9461d9fbc90b79
Instruction Fuzzy Hash: 82210472504340AFD722CF50DC45FA6BFB8EF16324F08849AE9458B5A2D325E909CBB1

Function 00CDA58E Relevance: 1.6, APIs: 1, Instructions: 85
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameW.ADVAPI32(?,00000E24,?,?), ref: 00CDA63E

Memory Dump Source

Source File: 00000002.00000002.4478337591.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cda000_server.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 1fbb129908d1cfa64b646eb5ad81223dc8705d288759fdef20c432045f196396
Instruction ID: 8eb7a9170b236ecbb85b5130004f303eee96592f155889d661946e3de455cc22
Opcode Fuzzy Hash: 1fbb129908d1cfa64b646eb5ad81223dc8705d288759fdef20c432045f196396
Instruction Fuzzy Hash: B8317E7504D3C06FD3138B259C61BA1BFB4EF87614F0A40CBE884CB6A3D229A919D772

Function 00CDB42C Relevance: 1.6, APIs: 1, Instructions: 82windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(?,00000E24), ref: 00CDB4D5

Memory Dump Source

Source File: 00000002.00000002.4478337591.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cda000_server.jbxd

Similarity

API ID: MessageSendTimeout
String ID:
API String ID: 1599653421-0
Opcode ID: 7f1ac71850b4ad4ad9e6c57b4cfa12b0bc490fafed89ae0fbc62b7420a1ad131
Instruction ID: d6870f1d95a575642284230165096ce07181165b3e356cc274a4f069d04a26cb
Opcode Fuzzy Hash: 7f1ac71850b4ad4ad9e6c57b4cfa12b0bc490fafed89ae0fbc62b7420a1ad131
Instruction Fuzzy Hash: AC21B471104740AFE7228F61DC44FA6FFB8EF46314F08849AFA858B662D375E909CB61

Function 04D23061 Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

select.WS2_32(?,?,?,?,?), ref: 04D230F0

Memory Dump Source

Source File: 00000002.00000002.4480454131.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d20000_server.jbxd

Similarity

API ID: select
String ID:
API String ID: 1274211008-0
Opcode ID: 5b8008eef64779099d696322b390f07bc129f36936c414950292024c6af2d1e9
Instruction ID: 807dcbfc52d1d69f7adf58c590292f829189295ea631686460f42407b6e7b8a5
Opcode Fuzzy Hash: 5b8008eef64779099d696322b390f07bc129f36936c414950292024c6af2d1e9
Instruction Fuzzy Hash: 5E218C712083849FDB22CF24DD44B92BFF8EF06214B08849AED84CB162D265E809CB72

Function 04D21CE2 Relevance: 1.6, APIs: 1, Instructions: 77fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 04D21D76

Memory Dump Source

Source File: 00000002.00000002.4480454131.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d20000_server.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: bde50ab6b9ced5fbe67f5096895676a648e8921694e92050794da51cb55190c5
Instruction ID: 5174905a1373974063cb2a1192e5b3f3d893b30aad60c45cbe7749d088cbdb8f
Opcode Fuzzy Hash: bde50ab6b9ced5fbe67f5096895676a648e8921694e92050794da51cb55190c5
Instruction Fuzzy Hash: 9721BF71405380AFE722CF15CC44F96FBF8EF19224F08849EE9898B652D365E508CBB2

Function 04D21706 Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 04D21792

Memory Dump Source

Source File: 00000002.00000002.4480454131.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d20000_server.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: b4f5c4760f1d12db96cd2ed347d97d4f93deb0e3a4effeb7d6e15c348e9c0260
Instruction ID: d357e5816777328f27976f932965c019ffa739149aaa0631331cfc93d3a4309d
Opcode Fuzzy Hash: b4f5c4760f1d12db96cd2ed347d97d4f93deb0e3a4effeb7d6e15c348e9c0260
Instruction Fuzzy Hash: F6219E71509380AFD721CF61CD84F96FFB8EF1A214F08889EE9858B652D375E408CB62

Function 00CDB34E Relevance: 1.6, APIs: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,1A30CFE9,00000000,00000000,00000000,00000000), ref: 00CDB3E4

Memory Dump Source

Source File: 00000002.00000002.4478337591.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cda000_server.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: e2f25dc550735ca103af89c4fc73e7c2b7029aeecdc96cd897a3b60229d1fb9c
Instruction ID: f296da21e6ac7854d0fc844a6309372e16c7ca27b0b31ccb86e04144450683fa
Opcode Fuzzy Hash: e2f25dc550735ca103af89c4fc73e7c2b7029aeecdc96cd897a3b60229d1fb9c
Instruction Fuzzy Hash: BF219076509780AFD7228B11DC44FA7BFB8EF56714F08849BE985CB252D364E908CBB1

Function 04D200B8 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,1A30CFE9,00000000,?,?,?,?,?,?,?,?,6C8C3C58), ref: 04D2013E

Memory Dump Source

Source File: 00000002.00000002.4480454131.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d20000_server.jbxd

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 434cbcf806ebfb169a547b3588551b509bc845e936e66b16399f3eb874d1e99a
Instruction ID: 6976bb353a43ae7a29441e15657331e4924138e67dd3f83e9c08e87f276caacf
Opcode Fuzzy Hash: 434cbcf806ebfb169a547b3588551b509bc845e936e66b16399f3eb874d1e99a
Instruction Fuzzy Hash: A8216B715093C09FD7138B65DC55A92BFB4AF17314F0D84DBE984CB1A3D224A918CB62

Function 04D21B52 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 04D21BC3

Memory Dump Source

Source File: 00000002.00000002.4480454131.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d20000_server.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 22dbea344d17f8b0e706ab388c98244d56a201b9a88da4b39889cd388dba8ac2
Instruction ID: c7e1151763cf270870086893e066e974225a8c68545b0ccffc0dfaff233340af
Opcode Fuzzy Hash: 22dbea344d17f8b0e706ab388c98244d56a201b9a88da4b39889cd388dba8ac2
Instruction Fuzzy Hash: 6121C271600214AFEB20DF25DD44BABFBA8EF14218F08846AED45CB641E774E5088B71

Function 04D21A3A Relevance: 1.6, APIs: 1, Instructions: 76registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,1A30CFE9,00000000,00000000,00000000,00000000), ref: 04D21AD8

Memory Dump Source

Source File: 00000002.00000002.4480454131.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d20000_server.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 2ac59707f8a4531f998a8eb1cb3dcb1d3b68dbe126bc7497c5922e5346b73bef
Instruction ID: a5f29370d7788035714ad2fad6a489078ba4a06548a9e690218b6f0cc6e696a7
Opcode Fuzzy Hash: 2ac59707f8a4531f998a8eb1cb3dcb1d3b68dbe126bc7497c5922e5346b73bef
Instruction Fuzzy Hash: D621A175504380AFE721CF11CD44F97BBF8EF59314F08859AE9858B692D365E908CB71

Function 00CDAAA6 Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00CDAB25

Memory Dump Source

Source File: 00000002.00000002.4478337591.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cda000_server.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 71983c56aa3f32c8bf3e7064236138dc85957d5626737567504fad344a0822dd
Instruction ID: 3370ef9ad8130b37c3c44efdf7ef20c087f18fc5fc1d69b7bf25462df5a4ebff
Opcode Fuzzy Hash: 71983c56aa3f32c8bf3e7064236138dc85957d5626737567504fad344a0822dd
Instruction Fuzzy Hash: 2F219F71600200AFE720DF25CD84BA6FBE8EF18314F04846AEA458B751D375E909CB72

Function 00CDB176 Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 00CDB1F5

Memory Dump Source

Source File: 00000002.00000002.4478337591.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cda000_server.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: f497f439e5d0c431f55708448f15fea3c0f2b17a53e7cab12940b8f89453310c
Instruction ID: 192cb6bc7178c927bfcf6f7c0f8025e103eaf9db684e74d6ebdb8f7d7c515561
Opcode Fuzzy Hash: f497f439e5d0c431f55708448f15fea3c0f2b17a53e7cab12940b8f89453310c
Instruction Fuzzy Hash: D4219F72500204AEE7219F55DC84FABFBACEF28714F04845BEA458A751D764E9088BB2

Function 04D2322F Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E24,1A30CFE9,00000000,00000000,00000000,00000000), ref: 04D232AB

Memory Dump Source

Source File: 00000002.00000002.4480454131.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d20000_server.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: b86b150fb6a6cb6819e4410b2611f3fe8a9672868c54b94e2e6ef8bd04a0080f
Instruction ID: efa90bfb0783f8b7b94db588b335ccf6f8d038984dbfcd693bdb9d250a27b354
Opcode Fuzzy Hash: b86b150fb6a6cb6819e4410b2611f3fe8a9672868c54b94e2e6ef8bd04a0080f
Instruction Fuzzy Hash: E421C2715093806FD721CF25CC45FA6BFB8EF16214F08849AE944CB252D364E908CBB2

Function 00CDADCE Relevance: 1.6, APIs: 1, Instructions: 73fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E24,1A30CFE9,00000000,00000000,00000000,00000000), ref: 00CDAE4D

Memory Dump Source

Source File: 00000002.00000002.4478337591.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cda000_server.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 4e35ffea5651912e80ad3d920e5c8abdaf632201fe8e7f6d471e52dc7a7ba9d0
Instruction ID: 0968067f25825940cf5658ba90c399f4248539d3f669369bc65a9f3c6a6ce68b
Opcode Fuzzy Hash: 4e35ffea5651912e80ad3d920e5c8abdaf632201fe8e7f6d471e52dc7a7ba9d0
Instruction Fuzzy Hash: A521CF72504340AFE7228F51DC44FA7BFA8EF55324F04849AEA448B652C365A908CBB2

Function 00CDA9BF Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00CDAA44

Memory Dump Source

Source File: 00000002.00000002.4478337591.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cda000_server.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: d462386dc22b6bc61619edff1ef6c0c91e46edd7e94e5298e1cbf7c507c13927
Instruction ID: 0d7550bc295117021fe018c98eb10da00cdf35c532e4fdad21f3ea0c8ef563ca
Opcode Fuzzy Hash: d462386dc22b6bc61619edff1ef6c0c91e46edd7e94e5298e1cbf7c507c13927
Instruction Fuzzy Hash: 9621486540E7C0AFD7138B258C64A51BFB4AF57624F0E81DBD9848F6A3C2689D09CB73

Function 00CDAC37 Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,1A30CFE9,00000000,00000000,00000000,00000000), ref: 00CDACBD

Memory Dump Source

Source File: 00000002.00000002.4478337591.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cda000_server.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 805881e559687f3473e7f00970f8d7a491ce4e5952c955fba7f8dd738e99f423
Instruction ID: c6b40020f95d6a970bed3668405dc1039053b6f89460686d15c6bd2a85272d0c
Opcode Fuzzy Hash: 805881e559687f3473e7f00970f8d7a491ce4e5952c955fba7f8dd738e99f423
Instruction Fuzzy Hash: 4821C3B55093806FE7128B11DC40BE2BFB8DF56324F0880DBE9848B293D265A909D772

Function 04D21F79 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

shutdown.WS2_32(?,00000E24,1A30CFE9,00000000,00000000,00000000,00000000), ref: 04D21FFC

Memory Dump Source

Source File: 00000002.00000002.4480454131.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d20000_server.jbxd

Similarity

API ID: shutdown
String ID:
API String ID: 2510479042-0
Opcode ID: 89002c1edac025d2b379e52986a6db763d567fd14535fe3cad2ef032e6dfc795
Instruction ID: 749d03de2aed7d187e42bbaaa360b53ad645f321d3bec8986466d5daee7aaa97
Opcode Fuzzy Hash: 89002c1edac025d2b379e52986a6db763d567fd14535fe3cad2ef032e6dfc795
Instruction Fuzzy Hash: 4F2195715093846FD722CB50CD44B96BFB8EF56314F0884DBE9449B252D369A548CB72

Function 00CDAFAA Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 00CDB01D

Memory Dump Source

Source File: 00000002.00000002.4478337591.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cda000_server.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 153f684867e5b58ce774c565afa398c0e9b81abde7405cca6c8d18e0924720cf
Instruction ID: 14946e6e1e8630d62da099dcf6a7210910070ad9d3cd22b2e435e100d4befa0e
Opcode Fuzzy Hash: 153f684867e5b58ce774c565afa398c0e9b81abde7405cca6c8d18e0924720cf
Instruction Fuzzy Hash: BE217FB1600200AFE720DB25DD85BA6BBE8EF18714F04846AEE498B751D775E908CB72

Function 00CDA140 Relevance: 1.6, APIs: 1, Instructions: 71networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,?), ref: 00CDA1C1

Memory Dump Source

Source File: 00000002.00000002.4478337591.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cda000_server.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: c7ea9111348c92aa74dde6a6dea5fd598d4d42dbfc5c7fbe7b3b58e648e8b173
Instruction ID: 588040f3b10d05bb97d282932ca0696cafb83f80d53cb80cac7181f62ee61d70
Opcode Fuzzy Hash: c7ea9111348c92aa74dde6a6dea5fd598d4d42dbfc5c7fbe7b3b58e648e8b173
Instruction Fuzzy Hash: 9E21AF7240D7C09FD7238B20CC54A52BFB4EF07210F0984DBD9848F1A3C279A919DB62

Function 04D22F9B Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E24,1A30CFE9,00000000,00000000,00000000,00000000), ref: 04D23017

Memory Dump Source

Source File: 00000002.00000002.4480454131.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d20000_server.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: f17c87f1553e2781c12738f325da1d3943aede492da1eee9bc5a426eb6024479
Instruction ID: dd83dd891e67edc10b7df04f16a9aa1d6a3a9d8b7b0d991a62a20a87513f011a
Opcode Fuzzy Hash: f17c87f1553e2781c12738f325da1d3943aede492da1eee9bc5a426eb6024479
Instruction Fuzzy Hash: 5921A1715093846FD722CF21CD44F96BFB8EF56214F08849AE9499B252C375E508CBB2

Function 00CDB27E Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,1A30CFE9,00000000,00000000,00000000,00000000), ref: 00CDB2F8

Memory Dump Source

Source File: 00000002.00000002.4478337591.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cda000_server.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: cab1588493735da17b2e16d6a9f336f945b0417401dfefe40dc19a926a54853c
Instruction ID: 07784a2c2ebac3a7284870582595ea23c3c5ed10f38dfd0e886c0237a7bf10f3
Opcode Fuzzy Hash: cab1588493735da17b2e16d6a9f336f945b0417401dfefe40dc19a926a54853c
Instruction Fuzzy Hash: 63218E76600604AFE720CF15DC85FABB7ECEF18714F04846AEA45CB751D764E948CAB1

Function 00CDB719 Relevance: 1.6, APIs: 1, Instructions: 69fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 00CDB78E

Memory Dump Source

Source File: 00000002.00000002.4478337591.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cda000_server.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 07b7654401477140b08e1e0bf0ee023dbbf88984c69ea8b4e06c2bc0e71b8375
Instruction ID: fb1c38eedf70149d65439bcac91bd2e12acf0c4402891e2089467a33c2e24be7
Opcode Fuzzy Hash: 07b7654401477140b08e1e0bf0ee023dbbf88984c69ea8b4e06c2bc0e71b8375
Instruction Fuzzy Hash: ED216D716093809FDB228F25DC54BA2BFE8EF56210F09849AED85CB252D225E808DB71

Function 04D22313 Relevance: 1.6, APIs: 1, Instructions: 68networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 04D22392

Memory Dump Source

Source File: 00000002.00000002.4480454131.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d20000_server.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 2645f7c2ef9cde818682e63c61f4cface6724351d4665b10cfc9e55b537c5ddc
Instruction ID: 36198c109fd8d7b1542ac73bca4b8ea89d74ede0154e4216dae1a036052875b5
Opcode Fuzzy Hash: 2645f7c2ef9cde818682e63c61f4cface6724351d4665b10cfc9e55b537c5ddc
Instruction Fuzzy Hash: A921AF75009380AFDB22CF60CC84A92BFF4EF06310F0984DAE9858F162D375A809DB72

Function 00CDB897 Relevance: 1.6, APIs: 1, Instructions: 68fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 00CDB908

Memory Dump Source

Source File: 00000002.00000002.4478337591.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cda000_server.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 5a05bc706270f586a672684066f217a68077d4a29aff477ff2a253f528ec292f
Instruction ID: eee0533723e38e4827debd24c683bc1b67448535d745acde8c18c747291c0a2c
Opcode Fuzzy Hash: 5a05bc706270f586a672684066f217a68077d4a29aff477ff2a253f528ec292f
Instruction Fuzzy Hash: 73219FB25093809FD7128B25DC55B52BFB8DF06314F0984DBED85CF293D264A908CB62

Function 04D21D02 Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 04D21D76

Memory Dump Source

Source File: 00000002.00000002.4480454131.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d20000_server.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 51086dd8855184c759528a5390e675e8d44b565a52b2040c3f023e16395b93b0
Instruction ID: cab5e1f0ee55b29fb05544e8d672d8f156dcaa218293e28325491c21c8d479e5
Opcode Fuzzy Hash: 51086dd8855184c759528a5390e675e8d44b565a52b2040c3f023e16395b93b0
Instruction Fuzzy Hash: 2421C371500204AFE721CF15CD85F9AFBE8EF18228F048469E9898B651D375F509CBB2

Function 04D21726 Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 04D21792

Memory Dump Source

Source File: 00000002.00000002.4480454131.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d20000_server.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 1702528d536f468509d1af224475a53a31d2aa6a816f6daa07e86a6b45ecd089
Instruction ID: e5ff696eff0deb9a10f4f0280fcc77937836e2fd524f8fe4ee0320cfb19ffd6f
Opcode Fuzzy Hash: 1702528d536f468509d1af224475a53a31d2aa6a816f6daa07e86a6b45ecd089
Instruction Fuzzy Hash: 2621CF71500204AFEB21CF65CD84BA6FBE4EF18324F04886AE9858B651D375F408CB72

Function 04D225D2 Relevance: 1.6, APIs: 1, Instructions: 66libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E24), ref: 04D2265B

Memory Dump Source

Source File: 00000002.00000002.4480454131.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d20000_server.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8d260e02f258e399c3b3dc282cfac8fefa1ac02fce4bd55b98a875a3a0989fe9
Instruction ID: 6b6eb8ec11e148363d222c91b751aa4aac5ecc83a90b3e96961d1da553325baa
Opcode Fuzzy Hash: 8d260e02f258e399c3b3dc282cfac8fefa1ac02fce4bd55b98a875a3a0989fe9
Instruction Fuzzy Hash: 6F11E4711053406FE721CB11CC85FA6FBB8DF16324F04809AF9489B292D364E948CB62

Function 00CDB45A Relevance: 1.6, APIs: 1, Instructions: 66windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(?,00000E24), ref: 00CDB4D5

Memory Dump Source

Source File: 00000002.00000002.4478337591.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cda000_server.jbxd

Similarity

API ID: MessageSendTimeout
String ID:
API String ID: 1599653421-0
Opcode ID: 5296ed5f59be89e34765d477fbf7063ee9148cff6a9daf4e1d92ff7b2b58a929
Instruction ID: c29311f10f0f6c0d8f06e23e536dacccc1a8a970b74f5468ff07a1f6bbacd21a
Opcode Fuzzy Hash: 5296ed5f59be89e34765d477fbf7063ee9148cff6a9daf4e1d92ff7b2b58a929
Instruction Fuzzy Hash: D821A271500600AFEB318F51DD40FA6FBA8EF18714F14886AEE498A651D375E918DBB2

Function 04D21A66 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,1A30CFE9,00000000,00000000,00000000,00000000), ref: 04D21AD8

Memory Dump Source

Source File: 00000002.00000002.4480454131.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d20000_server.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: edcb9f14f165b5711b7d4bf8296d6bba184ca3ac937f6f7a0d96b34d98020f01
Instruction ID: 6a6e32db7b8537e8c4bde11c07b2ac7577d38eecb37f54db5bb41c53cf6e0c4e
Opcode Fuzzy Hash: edcb9f14f165b5711b7d4bf8296d6bba184ca3ac937f6f7a0d96b34d98020f01
Instruction Fuzzy Hash: 9C11AF76600600AFE720CF55CD80FAAF7E8EF18718F08C56AE9458A651D760F508CAB1

Function 00CDB94F Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 00CDB9BF

Memory Dump Source

Source File: 00000002.00000002.4478337591.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cda000_server.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: e54bff45dbbd3437ad4593cab7287178866cd038fc4e41c05b5e2395cb6b287a
Instruction ID: eada92385e69130082810cfb81ccc6916824c3f87af4b41f96dcc0e248e9e54e
Opcode Fuzzy Hash: e54bff45dbbd3437ad4593cab7287178866cd038fc4e41c05b5e2395cb6b287a
Instruction Fuzzy Hash: D32181755093C09FD7128B25DC95B96BFF8EF06320F0984DBE945CB262D264A905CB62

Function 00CDB372 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,1A30CFE9,00000000,00000000,00000000,00000000), ref: 00CDB3E4

Memory Dump Source

Source File: 00000002.00000002.4478337591.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cda000_server.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 8f802efc71e7e6f4c1894b59f314fc8c97f5b35c6c1ba8ca868d4b3838db4983
Instruction ID: fbff68b0242c117bee8b9343c0d0cd430a97981de450a391abf97667910e30a7
Opcode Fuzzy Hash: 8f802efc71e7e6f4c1894b59f314fc8c97f5b35c6c1ba8ca868d4b3838db4983
Instruction Fuzzy Hash: 8F11B176600600AFE7208F15CC41FA6BBE8EF18714F04846BEA458A752D774E9089AB1

Function 04D22176 Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E24,1A30CFE9,00000000,00000000,00000000,00000000), ref: 04D221D5

Memory Dump Source

Source File: 00000002.00000002.4480454131.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d20000_server.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 87e4ea1520ba6b7a9eb1beb1be30c7360ef9001b1b65cd4a12a04abacb2e9fa7
Instruction ID: 0a678d15975b1665b32cd43e1a9939be575450664a151d5d105ccd170e9c3176
Opcode Fuzzy Hash: 87e4ea1520ba6b7a9eb1beb1be30c7360ef9001b1b65cd4a12a04abacb2e9fa7
Instruction Fuzzy Hash: AB11D371600200AFEB21CF55DD84FA6BBE8EF18318F04886AFE45CB651D775E4088BB2

Function 00CDBC06 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 00CDBC6E

Memory Dump Source

Source File: 00000002.00000002.4478337591.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cda000_server.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c927bd416446a21d262a3774609f954aa701128b78c58a310cda0429a64b3763
Instruction ID: 85cf5ee0601dc5a47bf84f0dae61de775ce660752be4052672ab1089fe7a0a75
Opcode Fuzzy Hash: c927bd416446a21d262a3774609f954aa701128b78c58a310cda0429a64b3763
Instruction Fuzzy Hash: 60118EB16043809FDB21CF25DD84B66BFE8EF56220F0884AAEE45CB252D275E904CB61

Function 04D23252 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E24,1A30CFE9,00000000,00000000,00000000,00000000), ref: 04D232AB

Memory Dump Source

Source File: 00000002.00000002.4480454131.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d20000_server.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 8b6f4da5d1b7ba8336c2aff3ac7e286569c46c6943669ff963ac11d25748365d
Instruction ID: 78d076c00a2c72411dcc93b12b536bd38013e19290733909bdba3a23233c73df
Opcode Fuzzy Hash: 8b6f4da5d1b7ba8336c2aff3ac7e286569c46c6943669ff963ac11d25748365d
Instruction Fuzzy Hash: E111C471600240AFE720CF69DD85BA6BBA8EF14328F04C46AED45CB641D774E5088BB2

Function 04D2316E Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E24,1A30CFE9,00000000,00000000,00000000,00000000), ref: 04D231C7

Memory Dump Source

Source File: 00000002.00000002.4480454131.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d20000_server.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 8b6f4da5d1b7ba8336c2aff3ac7e286569c46c6943669ff963ac11d25748365d
Instruction ID: 7994334d9c34eb0c454cd6939a0c610ea814e124576de8de5ef51c59e01759b7
Opcode Fuzzy Hash: 8b6f4da5d1b7ba8336c2aff3ac7e286569c46c6943669ff963ac11d25748365d
Instruction Fuzzy Hash: AD11E771600214AFEB21CF65DD84BA6FBE8EF54328F04C46AED45CB641D775E5088BB2

Function 04D211C2 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E24,1A30CFE9,00000000,00000000,00000000,00000000), ref: 04D21218

Memory Dump Source

Source File: 00000002.00000002.4480454131.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d20000_server.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: c86b6fed84e128e1c63b06f924c210048af72c1d40554a1b3a8ff4bbfebe0c2b
Instruction ID: 1050a4f01de49e7f43ee4d59ece7f64f28577d98461b8d78e54c93ecf2c7a3df
Opcode Fuzzy Hash: c86b6fed84e128e1c63b06f924c210048af72c1d40554a1b3a8ff4bbfebe0c2b
Instruction Fuzzy Hash: 3911E371600200AFEB20CF15DD85BAAB7A8EF54628F04C46AFD49CB641D774E5088AB2

Function 04D20CFA Relevance: 1.6, APIs: 1, Instructions: 61registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,1A30CFE9,00000000,00000000,00000000,00000000), ref: 04D20D64

Memory Dump Source

Source File: 00000002.00000002.4480454131.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d20000_server.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: f8b9fbfd5bb0e073f3e744b48382e14398d9456778b61afa11655e17fbd17da4
Instruction ID: fb99b14d589b992b277ea9c2f9fdc4c23a659282eb67dd02c8a7670aae7522df
Opcode Fuzzy Hash: f8b9fbfd5bb0e073f3e744b48382e14398d9456778b61afa11655e17fbd17da4
Instruction Fuzzy Hash: F611B676600604AFD7218F15CD80FA6FBE8EF18714F04845AEA458AA51D375F508CAB1

Function 00CDA433 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00CDA49E

Memory Dump Source

Source File: 00000002.00000002.4478337591.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cda000_server.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c9af39a62bbaa055ac61f8dd38dd9f9a1e833bfa6f8f57e5adadd0f5c2ec318a
Instruction ID: 901df2d923a295596697ec3ae3c437ecc22f97d68b424c03716b513233bd4450
Opcode Fuzzy Hash: c9af39a62bbaa055ac61f8dd38dd9f9a1e833bfa6f8f57e5adadd0f5c2ec318a
Instruction Fuzzy Hash: 62117571409780AFDB228F51DC44B62FFF4EF4A314F0884DAEE858B552C275A519DB62

Function 00CDADEE Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E24,1A30CFE9,00000000,00000000,00000000,00000000), ref: 00CDAE4D

Memory Dump Source

Source File: 00000002.00000002.4478337591.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cda000_server.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: bb17bcb8337850ebc02cdd986a9e3159cee16b0a955ac336d2b30362aa406263
Instruction ID: ec4e5f01e10d0fff23b381faaf72bd2c4483ee4f34b93df4022b7959cfc81e82
Opcode Fuzzy Hash: bb17bcb8337850ebc02cdd986a9e3159cee16b0a955ac336d2b30362aa406263
Instruction Fuzzy Hash: 0A11B271500200AFEB21CF55DC44FA6FBA8EF18714F04886AEA498B651C375E518CBB2

Function 04D22FBE Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E24,1A30CFE9,00000000,00000000,00000000,00000000), ref: 04D23017

Memory Dump Source

Source File: 00000002.00000002.4480454131.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d20000_server.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: bf28e99d8af3f6577e8ace8bb068268b7d589f47e8d3142ddddfa2da0023708d
Instruction ID: faa670a14e3fe21cee1867dc845f22f1e3d1d8732acf5b3991280b9a7fb2d5e2
Opcode Fuzzy Hash: bf28e99d8af3f6577e8ace8bb068268b7d589f47e8d3142ddddfa2da0023708d
Instruction Fuzzy Hash: BA11E771600200AFE721CF25CD84BA6F7A8EF54318F04C46AED498B641D375E5088BB2

Function 04D21FA6 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

shutdown.WS2_32(?,00000E24,1A30CFE9,00000000,00000000,00000000,00000000), ref: 04D21FFC

Memory Dump Source

Source File: 00000002.00000002.4480454131.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d20000_server.jbxd

Similarity

API ID: shutdown
String ID:
API String ID: 2510479042-0
Opcode ID: 9b061ed7e36f4397ea0ba682a9aeb468b0ecbbad38194bbfaabc091320b385b7
Instruction ID: b5fbaac5c2a298f7e6a47199aad7f187082f1c24d0712085e84c35bbd63420cb
Opcode Fuzzy Hash: 9b061ed7e36f4397ea0ba682a9aeb468b0ecbbad38194bbfaabc091320b385b7
Instruction Fuzzy Hash: 5F11C671600214AFE720CF15DE84BA6B7A8EF54728F04C4A6ED448B641D775E508CAB6

Function 04D225F2 Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E24), ref: 04D2265B

Memory Dump Source

Source File: 00000002.00000002.4480454131.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d20000_server.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 59db07e99c0156c9b2c71dec9582b51c5802334885f8d92b99226ffbe37947d1
Instruction ID: a2a97d957ac838e06a9248f8b6ac5dbc9a75d4aa7c524e626dcf9d60a41bd1f6
Opcode Fuzzy Hash: 59db07e99c0156c9b2c71dec9582b51c5802334885f8d92b99226ffbe37947d1
Instruction Fuzzy Hash: 4C11E971600200AEE7208B15DD85FB6F7A8DF14718F048099FE445A781D3B9F548CAB6

Function 04D2309A Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

select.WS2_32(?,?,?,?,?), ref: 04D230F0

Memory Dump Source

Source File: 00000002.00000002.4480454131.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d20000_server.jbxd

Similarity

API ID: select
String ID:
API String ID: 1274211008-0
Opcode ID: b88e63df7240a7e0b326719a76253be956649276bb0d80a5cefaf2799daa9cf5
Instruction ID: aa440bdef5d4bfcc46c76a3fb215985c1b666a1e2bf52e492d2de5d9a684f1e9
Opcode Fuzzy Hash: b88e63df7240a7e0b326719a76253be956649276bb0d80a5cefaf2799daa9cf5
Instruction Fuzzy Hash: A0115B757002149FDB20CF29DA84B96FBE8EF18714F0884AADD49CB251D379E448CB72

Function 00CDB746 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 00CDB78E

Memory Dump Source

Source File: 00000002.00000002.4478337591.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cda000_server.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 478d4fb58341a67091f7fc474dc9e9eb7464c2b3eb910309f192b40bcedae752
Instruction ID: 78ed0c7788550a2ad129ed76e5d4ec1bd28220d6ed3b91ce94cdaba1cf6691da
Opcode Fuzzy Hash: 478d4fb58341a67091f7fc474dc9e9eb7464c2b3eb910309f192b40bcedae752
Instruction Fuzzy Hash: 6F115A75600200DFDB20CF2AD985B56BBE8AF55720F0984AADE09CB741D374E9048A72

Function 00CDBC26 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 00CDBC6E

Memory Dump Source

Source File: 00000002.00000002.4478337591.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cda000_server.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 478d4fb58341a67091f7fc474dc9e9eb7464c2b3eb910309f192b40bcedae752
Instruction ID: 585f642c6f85a226c96dafa521d2cc1a87f9ca55533dbc13ce32f0bc41c2108a
Opcode Fuzzy Hash: 478d4fb58341a67091f7fc474dc9e9eb7464c2b3eb910309f192b40bcedae752
Instruction Fuzzy Hash: 87117C716002008FDB20CF2AD985B66FBE8EF44320F0884ABDE09CB751D775E904CA62

Function 00CDAC6A Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,1A30CFE9,00000000,00000000,00000000,00000000), ref: 00CDACBD

Memory Dump Source

Source File: 00000002.00000002.4478337591.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cda000_server.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 2f555f2578a6afa3f4e1b010ac615843ff18f4c38424c74a5533a50460d1a29a
Instruction ID: 21f939343fa3938db37e639f970933fa001bef529418e466694689d2f84b0e09
Opcode Fuzzy Hash: 2f555f2578a6afa3f4e1b010ac615843ff18f4c38424c74a5533a50460d1a29a
Instruction Fuzzy Hash: 5501D275604200AFE720CB15DD84BA6F7E8DF58724F14C4A7EE088B781D775E9088AB2

Function 00CDBAAC Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 00CDBB00

Memory Dump Source

Source File: 00000002.00000002.4478337591.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cda000_server.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: e60bf135b462a87388aad8979cde7d401ec1cca3d84613579daa9784247b624a
Instruction ID: 8a3226ac3e13b8312583fa06c6c1361d6aa123e1065bff9b598af0a93e1bf269
Opcode Fuzzy Hash: e60bf135b462a87388aad8979cde7d401ec1cca3d84613579daa9784247b624a
Instruction Fuzzy Hash: 0B11A5755097809FDB128B25DC84B52FFB4DF06220F0980DBED858B262D275A908CB62

Function 00CDB67C Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

WaitForInputIdle.USER32(?,?), ref: 00CDB6D3

Memory Dump Source

Source File: 00000002.00000002.4478337591.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cda000_server.jbxd

Similarity

API ID: IdleInputWait
String ID:
API String ID: 2200289081-0
Opcode ID: 88742cc650f3c4ef510affea376871cca1c44f727c1033744c80df90c2ab605f
Instruction ID: 28c5a376d3ac0f99fe3224240cdbbd2d76e98bb58131ad6568238cf0ac74911a
Opcode Fuzzy Hash: 88742cc650f3c4ef510affea376871cca1c44f727c1033744c80df90c2ab605f
Instruction Fuzzy Hash: 8D119E715083809FDB21CF25DD84B52BFB4EF46320F09849BED458B262D279A908CB72

Function 04D200FE Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,1A30CFE9,00000000,?,?,?,?,?,?,?,?,6C8C3C58), ref: 04D2013E

Memory Dump Source

Source File: 00000002.00000002.4480454131.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d20000_server.jbxd

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: b4686fcfac5e4d108f10a0ca333fe905aca3fc0f4fda71964a60e140ec1d3a68
Instruction ID: 2eea33c63ed88b21a78328591e0255421dfa66f2862abfa94c2e20dbb25e3dc7
Opcode Fuzzy Hash: b4686fcfac5e4d108f10a0ca333fe905aca3fc0f4fda71964a60e140ec1d3a68
Instruction Fuzzy Hash: A511A1716002049FDB22CF29D984B96FBE4EF14324F08C4AADE49CB651D375E408CF62

Function 04D22346 Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 04D22392

Memory Dump Source

Source File: 00000002.00000002.4480454131.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d20000_server.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: cba78b23eb4bd7ec084a6c37cbf9d4345338bd8ae6ae56690761a22f5646ac12
Instruction ID: 4ea921e6b8bc7269bddb56571e6dd917c328e8e23f921afe56efb018e4477097
Opcode Fuzzy Hash: cba78b23eb4bd7ec084a6c37cbf9d4345338bd8ae6ae56690761a22f5646ac12
Instruction Fuzzy Hash: F1115E315046049FDF20CF55D984B56FBE4EF08314F0888AAEE858B651D375E418DF72

Function 00CDB982 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 00CDB9BF

Memory Dump Source

Source File: 00000002.00000002.4478337591.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cda000_server.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: e645c4c779da1cbd73e76f572a1a032c64e49624114aa2722b47103e18ecf8f6
Instruction ID: 5371ac3e4ae32f6a0715d80b1c6020c38943e411bd6c5258ed12515b6d8de4e4
Opcode Fuzzy Hash: e645c4c779da1cbd73e76f572a1a032c64e49624114aa2722b47103e18ecf8f6
Instruction Fuzzy Hash: CC016D716052409FDB10CF2AD985766BBE4EF05320F0884AADE45CB752D375E9048A62

Function 00CDB8CE Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 00CDB908

Memory Dump Source

Source File: 00000002.00000002.4478337591.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cda000_server.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 6d4307d9e9761e4e873c998a5f3de2807388df0a51b4f100a6afc0a6d13c27a8
Instruction ID: 4477dd1a42bf9b605fdc30a2e07973240c93cd4946ce17b7b9f0f3062b38fbc2
Opcode Fuzzy Hash: 6d4307d9e9761e4e873c998a5f3de2807388df0a51b4f100a6afc0a6d13c27a8
Instruction Fuzzy Hash: 50018C71A042408FDB10CF2AD9857A6FBE8DF05720F0884ABDE09CB742D375E904CA62

Function 00CDA45A Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00CDA49E

Memory Dump Source

Source File: 00000002.00000002.4478337591.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cda000_server.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 05554e143692dc8ad87b829ff6d858baf32c2578a0654fd6c3afa3506e11ec94
Instruction ID: bbbeff73f2b9b34d1fb7a24dbac2cce382b77fbf55df3fccbe3fe67d9c13b5a9
Opcode Fuzzy Hash: 05554e143692dc8ad87b829ff6d858baf32c2578a0654fd6c3afa3506e11ec94
Instruction Fuzzy Hash: FC016D325047009FDB218F55D984B66FBE0EF48724F08C8AAEE4A4A651C3B6E418DF62

Function 04D2168A Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 04D216DA

Memory Dump Source

Source File: 00000002.00000002.4480454131.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d20000_server.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: a11e2bee644b41e23875af0554927c6b3d989fa709020975f17a69a329addc62
Instruction ID: cb746d3795075b941d639f8b1768f7c7d96a65ac94195a76ad56206270ed1e4a
Opcode Fuzzy Hash: a11e2bee644b41e23875af0554927c6b3d989fa709020975f17a69a329addc62
Instruction Fuzzy Hash: 3B01A271500200ABD310DF16CC46B66FBE8FB88A20F14811AED089BB41D771F915CBE6

Function 00CDA186 Relevance: 1.5, APIs: 1, Instructions: 42networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,?), ref: 00CDA1C1

Memory Dump Source

Source File: 00000002.00000002.4478337591.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cda000_server.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 980b6f5225c3cfb72b2eb54ee6201f922466bf8910f620082e96c48206a1cab7
Instruction ID: 596f34876dddfc391e6adb30bd5beb2fdcf0180cfaa74e7d242dc23854e96e45
Opcode Fuzzy Hash: 980b6f5225c3cfb72b2eb54ee6201f922466bf8910f620082e96c48206a1cab7
Instruction Fuzzy Hash: 47018C32504240DFDB20CF55D984B66FBE0EF09320F0888AADE498A611C375E418DBA2

Function 00CDB69E Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

WaitForInputIdle.USER32(?,?), ref: 00CDB6D3

Memory Dump Source

Source File: 00000002.00000002.4478337591.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cda000_server.jbxd

Similarity

API ID: IdleInputWait
String ID:
API String ID: 2200289081-0
Opcode ID: cce71f2e89e5e493caa0f41018867386caae0cae106715960df0520bf7d71cf5
Instruction ID: 7806cdaebcec63ddd40387ad7779b35dc2cf08394703726a9975c0ac998195bb
Opcode Fuzzy Hash: cce71f2e89e5e493caa0f41018867386caae0cae106715960df0520bf7d71cf5
Instruction Fuzzy Hash: D9015A759042409FDB208F16D984B65FBA4EF44324F08C4ABDE498B352D375E904CAA2

Function 00CDBACE Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 00CDBB00

Memory Dump Source

Source File: 00000002.00000002.4478337591.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cda000_server.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 87069317e663cf7e37a88efbde62b67163685cd8585acb41449817e96d186de2
Instruction ID: 64c48cb51243c7b03ae91959f0875e753d84682ec3fdcff7818e17895130ccd8
Opcode Fuzzy Hash: 87069317e663cf7e37a88efbde62b67163685cd8585acb41449817e96d186de2
Instruction Fuzzy Hash: 1D01F435600600DFDB208F1AD9847A2FBE4DF05320F08C0ABDE098B756D3B5E948CEA2

Function 00CDAA12 Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00CDAA44

Memory Dump Source

Source File: 00000002.00000002.4478337591.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cda000_server.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 5133f759cae805fd62053180e1c311d744efd60f388eef95cd418a42ff5367d4
Instruction ID: 9d693d45830831ade86ed0cb85ba967e48e429ad143e0bd275331749619babe1
Opcode Fuzzy Hash: 5133f759cae805fd62053180e1c311d744efd60f388eef95cd418a42ff5367d4
Instruction Fuzzy Hash: 4AF0AF355046409FDB208F16DA84BA1FBE0EF04724F08C5ABDE494B752D379E908DEA3

Function 00CDAB7C Relevance: 1.3, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 00CDABF0

Memory Dump Source

Source File: 00000002.00000002.4478337591.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cda000_server.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 5df725547031c9cca34baf86568855b516b5fa3283a67129a0d3aa5bfe07c5fc
Instruction ID: ef24d80a62000f1bc34aab2413749ab8aba7f631d1d1f5c295778cfb0d328ccf
Opcode Fuzzy Hash: 5df725547031c9cca34baf86568855b516b5fa3283a67129a0d3aa5bfe07c5fc
Instruction Fuzzy Hash: 5E21D1755093809FD7128B25DD91792BFA8EF06320F0984DBED858F2A3D2659909CB62

Function 00CDBE3C Relevance: 1.3, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 00CDBEA8

Memory Dump Source

Source File: 00000002.00000002.4478337591.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cda000_server.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 30ac9d30227c75d3e058a8b3a96899ce15644d72fd7018bf9ca6d40bc117ff35
Instruction ID: 4e7c615c03dc7a614bb9a1842604762521778b0d20592dfda5730afd0cd7ab14
Opcode Fuzzy Hash: 30ac9d30227c75d3e058a8b3a96899ce15644d72fd7018bf9ca6d40bc117ff35
Instruction Fuzzy Hash: 2D21A1715093C05FDB12CB25DC54B92BFB4AF07324F0984DBE9858F663D265A908CB62

Function 00CDA4DE Relevance: 1.3, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 00CDA550

Memory Dump Source

Source File: 00000002.00000002.4478337591.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cda000_server.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: be88230203cf1fd4a39f26f8396a849c6d6b3b70fe1c2ed9d7900b2401407af7
Instruction ID: 996b6e11d88eee4af354797c47e9b0b6bc485ce66f370c15bee42fe199cbebf0
Opcode Fuzzy Hash: be88230203cf1fd4a39f26f8396a849c6d6b3b70fe1c2ed9d7900b2401407af7
Instruction Fuzzy Hash: E721387150E3C45FDB128B259C94A92BFB4DF07224F0984DBD9858F2A3D2699908DBB2

Function 00CDBE76 Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 00CDBEA8

Memory Dump Source

Source File: 00000002.00000002.4478337591.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cda000_server.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 86cc5e7bab4c89a6b306c1b25e46aa6a7159f1aeacdf62743ce8438290f13aa0
Instruction ID: 33a74a0b76f46411b013b1e0cb12673f4289830733c4286306241c493d3130cf
Opcode Fuzzy Hash: 86cc5e7bab4c89a6b306c1b25e46aa6a7159f1aeacdf62743ce8438290f13aa0
Instruction Fuzzy Hash: 630171756042408FDB10CF1AD984796BBE4DF05724F08C4ABDE498BB52D375E908CAA2

Function 00CDABBE Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 00CDABF0

Memory Dump Source

Source File: 00000002.00000002.4478337591.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cda000_server.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 8098696c10d4f2bbca4973758a996dfac3f03fa44b5a23f9409d1decf9c568f6
Instruction ID: b98da936bfd1566907e91ac655c20fc21264d52efe237e1dface08740e78f8c4
Opcode Fuzzy Hash: 8098696c10d4f2bbca4973758a996dfac3f03fa44b5a23f9409d1decf9c568f6
Instruction Fuzzy Hash: 170184756042449FDB10CF16D9857A6FBE4DF45324F08C4ABDE058B751D275E504CE62

Function 00CDA51E Relevance: 1.3, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 00CDA550

Memory Dump Source

Source File: 00000002.00000002.4478337591.0000000000CDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cda000_server.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: b2caec3eff3b00717f04881944c48ce7d2bcaa631c4b612446ed24121da7ed39
Instruction ID: 4e0f32200ad8692c638960ed30cfb48d0bf2b279bc6814ffa62349fa3bb3aaf4
Opcode Fuzzy Hash: b2caec3eff3b00717f04881944c48ce7d2bcaa631c4b612446ed24121da7ed39
Instruction Fuzzy Hash: C6018F715046409FDB10CF15E984765FBA4DF04324F08C4ABDE098B352E375E504CEA2

Function 04EC8598 Relevance: 1.2, Instructions: 1243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4480586343.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4ec0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50c2077c39c90411950bab74959f7583a61cbc11eb1c810e2b2a16d296ca319e
Instruction ID: 6f1ebe9af477c218ad25b51546668fd1a37c236751efabc25f0d747fb2ec7183
Opcode Fuzzy Hash: 50c2077c39c90411950bab74959f7583a61cbc11eb1c810e2b2a16d296ca319e
Instruction Fuzzy Hash: 20C2A074700294CFEF30AB29DA407BD77B2BB68308F0085AA985597785DB34ED66DF21

Function 04EC864E Relevance: 1.1, Instructions: 1076COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4480586343.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4ec0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a85f17590bda1b553f94b829378315fde623a309cfb9b12507105acb2c6ebe9
Instruction ID: 5ebcea313693452ab16cc59e6e78daea1706b9f2c433d3e1cdee8af442cbaef0
Opcode Fuzzy Hash: 2a85f17590bda1b553f94b829378315fde623a309cfb9b12507105acb2c6ebe9
Instruction Fuzzy Hash: 4192E4747002A09BDF316B29DA117BD37A6BBA830CF0084BE945593795CB34ED6ADF21

Function 04EC867D Relevance: 1.1, Instructions: 1075COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4480586343.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4ec0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9faed441586f1ac30143ede62f3c2b000ce960c370a5f58334a5891c68b5d943
Instruction ID: 436c94f4a1accdfd2c7335bd8f85f4d69abb4b09803391cf0037986097fb4c3a
Opcode Fuzzy Hash: 9faed441586f1ac30143ede62f3c2b000ce960c370a5f58334a5891c68b5d943
Instruction Fuzzy Hash: 9B92E3747002A09BDF316B29DA117BD37A6BBA830CF0084BE945593795CB34ED6ADF21

Function 04EC57A1 Relevance: .9, Instructions: 906COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4480586343.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4ec0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23eacc80afa3a19a7622da85407edec2f2583c353c6053ae5519fc8369c545f6
Instruction ID: 62b14b89ae8f2fb70a45d15c9f4a11dd330b16852d83ed4c1f2d4400dd205cb7
Opcode Fuzzy Hash: 23eacc80afa3a19a7622da85407edec2f2583c353c6053ae5519fc8369c545f6
Instruction Fuzzy Hash: 30A23775A01228CFDB25EF34C954BA9B7B2FB58304F1081E9D9096B3A5DB35AE81CF50

Function 04EC5A8F Relevance: .8, Instructions: 792COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4480586343.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4ec0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47c038b310334e12648c3476ca12b1f6bc701a6617198f464ffaf679db62c795
Instruction ID: b0dbff907aa61e9ba6b5cf2de7b92f242cb91e3e32cd5e749e2a645174974b39
Opcode Fuzzy Hash: 47c038b310334e12648c3476ca12b1f6bc701a6617198f464ffaf679db62c795
Instruction Fuzzy Hash: 7D923875A01228CFDB25EF34C954BA9B7B2FB58304F1081E9D9096B3A5DB35AE81CF50

Function 04EC5D7D Relevance: .7, Instructions: 678COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4480586343.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4ec0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebb88d0236176ab439426f9e90c0d896d0680e3a60cf4d3b3f2ca3fcdf8e477d
Instruction ID: 2ae6c5148f3d990c61a6bd04243cb290a68a5dd6f8e16197fe784c7966dab9da
Opcode Fuzzy Hash: ebb88d0236176ab439426f9e90c0d896d0680e3a60cf4d3b3f2ca3fcdf8e477d
Instruction Fuzzy Hash: C3725A75A00228CFDB25EF34C954BA9B7B6FB58304F1081E9D9096B3A5DB35AE81CF50

Function 04EC5EF4 Relevance: .6, Instructions: 621COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4480586343.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4ec0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07fa8ccac66f851204fed590f894d2a930c9d569cee8a707ce5ba289f5e83835
Instruction ID: adfd1fa366752a3acdf219298e6bca4284b42a378afa95ede815a98991bdab4c
Opcode Fuzzy Hash: 07fa8ccac66f851204fed590f894d2a930c9d569cee8a707ce5ba289f5e83835
Instruction Fuzzy Hash: E6623A75A00228CFDB25DF34D994BA9B7B6FB58304F1081E9D809AB395DB35AE81CF50

Function 04EC606B Relevance: .6, Instructions: 564COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4480586343.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4ec0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 123021badb1b65c9d580527a55599ce35633d03e1b9a4098dc3887e7681fe965
Instruction ID: 8886d2b916d2a9cd3706700ff5ad4c5e6a775b083bfc81d132a80349c17f33cb
Opcode Fuzzy Hash: 123021badb1b65c9d580527a55599ce35633d03e1b9a4098dc3887e7681fe965
Instruction Fuzzy Hash: 1C522975A01228CFDB25DF34D994BA9B7B6FB58304F1081E9D809AB395DB35AE81CF40

Function 04EC61E2 Relevance: .5, Instructions: 507COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4480586343.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4ec0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f256efb104f04b21bd6ba0bf70e709b8cf4e645287d6a040bd932321f9ccac6
Instruction ID: 42841478275d4e4b351e2938be82bc979db431328934d60e68e622fc57efc26e
Opcode Fuzzy Hash: 6f256efb104f04b21bd6ba0bf70e709b8cf4e645287d6a040bd932321f9ccac6
Instruction Fuzzy Hash: 38423A75A00268CFDB25DF34C994BADB7B5BB58304F1081EAD809AB394DB35AE81CF40

Function 04EC0AE1 Relevance: .5, Instructions: 500COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4480586343.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4ec0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccf748f1d6680c463b9279d7c63070bca82b31a22d4b6e83ecf9d28ea7c9b789
Instruction ID: 34077b39a3056f2e00981617ecc32e3523fa44a85f2f5a12b6e5b6eab4c2955c
Opcode Fuzzy Hash: ccf748f1d6680c463b9279d7c63070bca82b31a22d4b6e83ecf9d28ea7c9b789
Instruction Fuzzy Hash: CA323731A00258CFCB24EF74C955BEDB7B2AB59308F1045ADD509AB3A4DB799E82CF50

Function 04EC6483 Relevance: .4, Instructions: 427COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4480586343.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4ec0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80989f67148547f2bfb8cf55517e995c1d2f6f08a9960544ce49d1ff56104106
Instruction ID: 18f4fc3cb77b7965be5ca851b339e0f136cd78d836de6f2405929640391df981
Opcode Fuzzy Hash: 80989f67148547f2bfb8cf55517e995c1d2f6f08a9960544ce49d1ff56104106
Instruction Fuzzy Hash: 74222975A00268CFDB25DF34D994BA9B7B5BB58304F1081EED819AB395DB35AE81CF00

Function 04EC67A9 Relevance: .3, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4480586343.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4ec0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1313a17a8f8d5a41b07c5ffd28f3aaf53272e66c51259c9282d82b6859e2ad99
Instruction ID: e73e3fd8ede226e43fdf4f8f23ee668e65a7b22c2e65eded69ca58503874cff9
Opcode Fuzzy Hash: 1313a17a8f8d5a41b07c5ffd28f3aaf53272e66c51259c9282d82b6859e2ad99
Instruction Fuzzy Hash: A2023A75A00268CFDB25EF34C994BA9B7B5BB59304F1081EAD909AB394DB359E81CF40

Function 04EC9BC0 Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4480586343.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4ec0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 712642df8374c9319dd01e3472dcb7ca0dd8a41be7b2d609fe6b1c4aa55973d2
Instruction ID: c8a0231d1279a8450fa451bc9a5395b4e70a2eba48f7ea8cd94b41ecb67e5f42
Opcode Fuzzy Hash: 712642df8374c9319dd01e3472dcb7ca0dd8a41be7b2d609fe6b1c4aa55973d2
Instruction Fuzzy Hash: EED15132F00204DFCB29EF74E9516AD77B6AFA8348B20856DE41597369DF399C12CB90

Function 04EC8160 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4480586343.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4ec0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abbfbd053afc005325c394fc0ae6de2e0f5602990f8ceec83f531fad9b4916a7
Instruction ID: 1c952c410eae7cf2656e2d99bdc8dd19f96a296079d6b4feef285c8d693c9ddb
Opcode Fuzzy Hash: abbfbd053afc005325c394fc0ae6de2e0f5602990f8ceec83f531fad9b4916a7
Instruction Fuzzy Hash: 28A1B0327002018BD724EB39DB44BAD33A6BB94359F14963CE4259B7D5EB35E802CB91

Function 04EC9BAF Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4480586343.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4ec0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd8a44bc1d40be76e87a20cf9367f21f79ab2c35d8c62808b2d91f340b399c9b
Instruction ID: 01b19ddf11ef1cca8f33c2c6b992dcdf48b604234a2689ab245df6371140b23d
Opcode Fuzzy Hash: dd8a44bc1d40be76e87a20cf9367f21f79ab2c35d8c62808b2d91f340b399c9b
Instruction Fuzzy Hash: A9B15032B00204DFCB29EF74E9516AD77B2AFA8308B60856DE415977A9DF399C12CB40

Function 04EC9CC5 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4480586343.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4ec0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06f1f31b4ddcc5bbd2d217f12648cd616c4174614530e66ca5de35cd401e0f39
Instruction ID: 15c383325a2aa9542ca8c4636af6a382915a6e2a90c219a578639c2c9096eb53
Opcode Fuzzy Hash: 06f1f31b4ddcc5bbd2d217f12648cd616c4174614530e66ca5de35cd401e0f39
Instruction Fuzzy Hash: B4916131B00204DFCB29EF74E8516AD77B2BFA8308B20856DE415977A9DF399C12CB90

Function 04EC6A6B Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4480586343.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4ec0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b08a543d081424ddcb9950f6fca92e296ba931ef7d3d0da590bb3fcabcf2b0c6
Instruction ID: 108086e0b1aab272a584c438c970a88dc9111e5b244f6c13025901b2d5f448cb
Opcode Fuzzy Hash: b08a543d081424ddcb9950f6fca92e296ba931ef7d3d0da590bb3fcabcf2b0c6
Instruction Fuzzy Hash: 66B15F70A01264CFDB25EB34C955BAD77B5AF98308F1041EED509AB390DB799E82CF50

Function 04EC9D73 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4480586343.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4ec0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e14ec1408b9d4bc71bda87258456b7633248bb46c44f601c8462177e43c9de5
Instruction ID: 8d665b6b3e4a5a30efe93312b91c85cd300ff85ffe713914cdd610ecf593ae42
Opcode Fuzzy Hash: 8e14ec1408b9d4bc71bda87258456b7633248bb46c44f601c8462177e43c9de5
Instruction Fuzzy Hash: D6815136B00204DFCB29EF74E85166D73B2BFA8308B50856DE415977A9DF399C12CB90

Function 04EC9DF5 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4480586343.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4ec0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acee6458c108789f8fe3a795e8984dddbb91f186135bdf40052fd3156a28d000
Instruction ID: 239c55768b304bcfa7fb446eb6d11dc1475d1e60ba0fd79dcc64b535ac873dfd
Opcode Fuzzy Hash: acee6458c108789f8fe3a795e8984dddbb91f186135bdf40052fd3156a28d000
Instruction Fuzzy Hash: 60714032B00204DFCB29EF74E95166D73B2AFA8308B60856DE415977A9DF399C12CB90

Function 04EC10AC Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4480586343.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4ec0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb4c84778e745583d8c0971e22740ab5b45c8df9a1d6d018c4e9cf43553d2548
Instruction ID: 1b33f73268372575a9313bf0216b9613d07ceaff7f5eb0d1756205db662a2ff0
Opcode Fuzzy Hash: fb4c84778e745583d8c0971e22740ab5b45c8df9a1d6d018c4e9cf43553d2548
Instruction Fuzzy Hash: FEA1C535A00218CFCB65EF74D985BECB7B2BB58308F1085AAD919AB355DB359E81CF40

Function 04EC0C9F Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4480586343.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4ec0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e17163bbba6f37095a3445d16ff906b9c829ec7ac614ba600a53e9f3801495c
Instruction ID: 926719483af9150297bb02ee4799dea22a563b77601f5d5999f0d481d49b03db
Opcode Fuzzy Hash: 8e17163bbba6f37095a3445d16ff906b9c829ec7ac614ba600a53e9f3801495c
Instruction Fuzzy Hash: BD816931A00258CFCB24EFB4C951BEDB7B2AF55308F0085AED119AB3A4DB795985CF51

Function 04EC9EE5 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4480586343.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4ec0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c416d7f4170e40bae19cd8957b889d399b40a35c0e705cd2ae495d47171a3e9
Instruction ID: f1172053849fb7bbdf800573f38261ad6694fc12828f6b118326ae2a7ccd0552
Opcode Fuzzy Hash: 0c416d7f4170e40bae19cd8957b889d399b40a35c0e705cd2ae495d47171a3e9
Instruction Fuzzy Hash: F251A531B002149FCB29EF74E95176D73A6AF98348F10857DE411977A9DF39AC12CB90

Function 04EC0DF8 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4480586343.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4ec0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f13b06deae6b65a0a68f8d429373244a91d583cb7c5f5139a98d95b955b86396
Instruction ID: d8ad8e36ca22a39c5767b1efaead08698a923a49a9d4e2bed9476f553218e219
Opcode Fuzzy Hash: f13b06deae6b65a0a68f8d429373244a91d583cb7c5f5139a98d95b955b86396
Instruction Fuzzy Hash: EA414931A00258CFDB24EBB4C945BECB7B2BF45308F1045AED009AB365DB785A45CF52

Function 04EC02C0 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4480586343.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4ec0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91fa6e401f5e632d2c8e6d88942cf1ce7e5f4e0dbdce4bcca1549ebd3007a5ef
Instruction ID: ef73917ed4de44c7403844ef6e7e82a6319e5b0b2ff35b85ee81b9f40d7b18e3
Opcode Fuzzy Hash: 91fa6e401f5e632d2c8e6d88942cf1ce7e5f4e0dbdce4bcca1549ebd3007a5ef
Instruction Fuzzy Hash: C631D332B002119FD724BB78D911BAE33A6AB9820CF10887DD505D77A5DF399D1AC7D1

Function 04ECA4C0 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4480586343.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4ec0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e5511b18e86dba49092eca058bf424c550a2b5f8297cd23ddfdbd5d2d92b12f
Instruction ID: c7e84f1db03463418ac0754437e41803b360b12ab308c006d6219acb60417b3a
Opcode Fuzzy Hash: 3e5511b18e86dba49092eca058bf424c550a2b5f8297cd23ddfdbd5d2d92b12f
Instruction Fuzzy Hash: BA31B571B002099FDB14DB78D954BAEBBF2BF88214F14807DE405EB3A0DB74A9458B80

Function 04EC00B8 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4480586343.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4ec0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc5c2c9a12e94698aa8926378ccb9a42152d52efdd875a017f733129a00544d9
Instruction ID: 804a3883a08c91b9b3730551b4f1de432109e612acc115d888e897939431154f
Opcode Fuzzy Hash: cc5c2c9a12e94698aa8926378ccb9a42152d52efdd875a017f733129a00544d9
Instruction Fuzzy Hash: D931D8327043805FD725E77598517AD3BA75BD2218F1484BED405CF3A1CF7A9C068792

Function 07272500 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4484892439.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7270000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a179d75f09798d3b2b7a11aaf8b7ddcd0523a7a75734913f3847db56ae72d8d
Instruction ID: de66f0b34a24786932bd74c883386017b3511f7f4771a33c4fe17725a245e7fe
Opcode Fuzzy Hash: 1a179d75f09798d3b2b7a11aaf8b7ddcd0523a7a75734913f3847db56ae72d8d
Instruction Fuzzy Hash: 6611CCB5A08341AFD350CF19D981A5BFBE4FB8C664F04896EF998D7311D231E9048FA2

Function 04EC74E0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4480586343.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4ec0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab41e71aed75ba8ea9d3a4441e477578573271e20d5ad86917a5acd9bda5aca0
Instruction ID: b05477bea5d85ca7b6f15f5fac3ff64563148166837065fece0c6a5bc717e3ca
Opcode Fuzzy Hash: ab41e71aed75ba8ea9d3a4441e477578573271e20d5ad86917a5acd9bda5aca0
Instruction Fuzzy Hash: 180168366192804FC326773898654693B72DB83305B1548FFD441CF367CB3A5C0AC762

Function 010D07E4 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4479363112.00000000010D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10d0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e341044eeea330033e0b0b48c132283bb907ee6944466debd63c0f5c38532b
Instruction ID: 94eca284ce6d03880d8192ea7eb447b7177e7507869b04929bb9a9574bc9b2bf
Opcode Fuzzy Hash: 05e341044eeea330033e0b0b48c132283bb907ee6944466debd63c0f5c38532b
Instruction Fuzzy Hash: 7111D230604380DFD311CB14D581B25BBE5AB89708F24C9ACE5CD4B647C73BD802CA91

Function 04ECA1DF Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4480586343.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4ec0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1148ed3f5139a9d1661cd2389328f176c6a85937dac9f9173a146a359fb97fc
Instruction ID: 7bcbf57eadd58dc96f284df4403cd734a027082bf4ecfe68ed15cb51cca7f62a
Opcode Fuzzy Hash: d1148ed3f5139a9d1661cd2389328f176c6a85937dac9f9173a146a359fb97fc
Instruction Fuzzy Hash: 5711E331E00205CFCB14DB78D80559DB7F6EFA925472085BDC409E7350EB359E02CB90

Function 010D07AC Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4479363112.00000000010D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10d0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 875761ed14d39cbe9dc7b1da6eb17d87bfaecd953bbea7fc69f21d1282fdbf08
Instruction ID: e42be5ab7efe053fcd818414074947c1fd6395d9737c249f3e6dc8da8b45b1eb
Opcode Fuzzy Hash: 875761ed14d39cbe9dc7b1da6eb17d87bfaecd953bbea7fc69f21d1282fdbf08
Instruction Fuzzy Hash: 7F215C3550D7C09FD713CB24D951B11BFB1AB46604F298ADAE4888B6A3C33A9816DB92

Function 00CEB698 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4478435778.0000000000CEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CEA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cea000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eebae4b7048f1108d0ed0c1b2eb81db09a774ce3cea99a1b68c79ed3662a0bb9
Instruction ID: e0e988d7f678ee53cd635fb664c29d4f31bd2ad31aaf7f1468d3d29f44513f42
Opcode Fuzzy Hash: eebae4b7048f1108d0ed0c1b2eb81db09a774ce3cea99a1b68c79ed3662a0bb9
Instruction Fuzzy Hash: 7B11BEB5608301AFD350CF19DD41E57FBE8EB88660F04896EF95997311D271E9088FA2

Function 010D05E0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4479363112.00000000010D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10d0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7ccb594882f6fb9e45056dc0dbb01d9c0ec9528f6000dcb874bb2f5d5c9005b
Instruction ID: 0b0484a210cd66fa469b2c5561a2333c9465a7c050d7350761a3026d833b311c
Opcode Fuzzy Hash: e7ccb594882f6fb9e45056dc0dbb01d9c0ec9528f6000dcb874bb2f5d5c9005b
Instruction Fuzzy Hash: E601DB755083805FD3118B19AC418D3BFE8DF47230B0984ABE8488B612D175B909CB72

Function 04EC01E1 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4480586343.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4ec0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a7e23522dce505fe1f7a8be150da1e88288745353638b3bc367678122f91fea
Instruction ID: 9a1b44147c0cd35d66e26bd5d8a860eeaf9b900cd7e7ec97487323d987d75ef9
Opcode Fuzzy Hash: 1a7e23522dce505fe1f7a8be150da1e88288745353638b3bc367678122f91fea
Instruction Fuzzy Hash: A8118E30605286CFCF14EBB8D99995C7BE1EF95308B00886EE046CB769DB34A809DB53

Function 04EC00A8 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4480586343.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4ec0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c7ada26a0c2913ab14f867176111be7fbfd34e5fbccee8583edf1ed77cccb18
Instruction ID: 2860d9a389f4a8af586c4bad7c8fb77a5db7e2252d73c32b1bc6892a7be2724b
Opcode Fuzzy Hash: 2c7ada26a0c2913ab14f867176111be7fbfd34e5fbccee8583edf1ed77cccb18
Instruction Fuzzy Hash: 72F0F632A04344AFEB14DFB0C852BAE7F729F81724F1086AEE5419B1D1DA765942C780

Function 010D08A0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4479363112.00000000010D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10d0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e98923c3d1ea22da9be8346e03fd0310872bdf3a94fd5444d8394cfb273c2f72
Instruction ID: 12b97a2f1adff6facb3a62f27a24f9f8115feb6f915b4d9cd65d0d4a15e22550
Opcode Fuzzy Hash: e98923c3d1ea22da9be8346e03fd0310872bdf3a94fd5444d8394cfb273c2f72
Instruction Fuzzy Hash: 82F0FB35144644DFC206CB14D540B15FBA2FB89718F24CAA9E9891B656C737E812DB81

Function 010D0606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4479363112.00000000010D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10d0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10c126e2187f11271540913a29e83965bc3e6756db78f97f61bcc8baee87e894
Instruction ID: 7ad310e70b2140d9243a6081c82a707b81068564ae83132bddd94a145c48be4a
Opcode Fuzzy Hash: 10c126e2187f11271540913a29e83965bc3e6756db78f97f61bcc8baee87e894
Instruction Fuzzy Hash: F2E092B66046004B9650CF0AED414A2F7D8EB88630708C47FDC0D8B701D275F508CFA6

Function 00CEB6E7 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4478435778.0000000000CEA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CEA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cea000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c64d1e74c519d8570716e692c88f7401423de8eed875aefe75434467fed24fbf
Instruction ID: 3827bd4ae4b9ab9db666e8f628a2113f2884cb7d2fa668e95170382083071b6b
Opcode Fuzzy Hash: c64d1e74c519d8570716e692c88f7401423de8eed875aefe75434467fed24fbf
Instruction Fuzzy Hash: D8E0D8B254020467D2108F06AC45F62F798DB44A31F04C56BEE085B701D171B5048EF2

Function 07271E17 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4484892439.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7270000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 954b5a5e5f474be0a72f281719a61ba5744ac61716b343a0d3b60d67bec0fe28
Instruction ID: 02715ac0fcc26f8c8ba46414dfc5621618a93b18af549338d0a81e70986d90ae
Opcode Fuzzy Hash: 954b5a5e5f474be0a72f281719a61ba5744ac61716b343a0d3b60d67bec0fe28
Instruction Fuzzy Hash: D3E0D8B290020067D2109F06AC45F63FB98DB44A30F04C567EE095B701D172B514CEF2

Function 0727256B Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4484892439.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7270000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fb0950c73f984fb8c258f11d49fa5bf49b9d44d9d564e4ae77530dc329dd1b3
Instruction ID: 1bc2ed493755fcfe151af75456b0b62eb62b4910c0e4c7b15af93320fe1dc2e3
Opcode Fuzzy Hash: 9fb0950c73f984fb8c258f11d49fa5bf49b9d44d9d564e4ae77530dc329dd1b3
Instruction Fuzzy Hash: 73E0D8B254030067D2108F06AC46F62FB98DB44A31F04C567ED085B741D171B5148AF2

Function 04EC40A8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4480586343.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4ec0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aff02c589e76992daad3e32b0d0d5a0f302f7af124a75f16dc853351454d8dec
Instruction ID: 71580386b57e8312fe23931edcbed9251fea9fcdccf09c377baaccbe3f173b47
Opcode Fuzzy Hash: aff02c589e76992daad3e32b0d0d5a0f302f7af124a75f16dc853351454d8dec
Instruction Fuzzy Hash: 2AE08C3011A380CFC71A9B3494958483F73AF0A30A36408FEC046CB7A2C67BA847CB10

Function 04ECA47F Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4480586343.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4ec0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 284917ec36fc372b2012e78cfae39a6d0c6d1c026e3a604003dc17b2ee5d5d02
Instruction ID: 1caa75c504612ae9b10884ca55b7dac75b53b505bb11b993805c85b2d78fc864
Opcode Fuzzy Hash: 284917ec36fc372b2012e78cfae39a6d0c6d1c026e3a604003dc17b2ee5d5d02
Instruction Fuzzy Hash: 33E012318193889FCB06DF7499956EC7F74AF12310F2041EED85A97662D6354E1DCF41

Function 00CD23F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4478306417.0000000000CD2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cd2000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49e0bbab8c6ff50c6073c7420aefd6e81b462720d0abc458fb992b463a9c4de4
Instruction ID: 71ae5e7df067b1e61b74b0eca0ceb13eb8bdee18067cb97a52443c825f30d293
Opcode Fuzzy Hash: 49e0bbab8c6ff50c6073c7420aefd6e81b462720d0abc458fb992b463a9c4de4
Instruction Fuzzy Hash: 46D05E792056D14FD3279A1CC6A4B9537D4AB61714F4A44FBAC00CB763C768DA81E600

Function 00CD23BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4478306417.0000000000CD2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cd2000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9d77e4b0568f4b573d8c306273bb0d0f14a2dbedcd09c879ca6e15ed327a4fb
Instruction ID: 0babfc483c82a5e54c4ec4676cb20da35b4333c1e522332d710ae51eb292fa0c
Opcode Fuzzy Hash: a9d77e4b0568f4b573d8c306273bb0d0f14a2dbedcd09c879ca6e15ed327a4fb
Instruction Fuzzy Hash: F9D05E342002814FC725DA0CC2D4F5937D8AB90714F1A44E9AC208B772C7A8D9C1DA00

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Gv10VZCeN7.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Njrat

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Notepad.exe

C:\Program Files (x86)\Explower.exe

C:\Umbrella.flv.exe

C:\Users\user\AppData\Local\Explower.exe

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\364d88128926b2e822553333b20c197fWindows Update.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Discord.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Explower.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Gv10VZCeN7.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\History\Explower.exe

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Explower.exe

C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Explower.exe

Windows Analysis Report
Gv10VZCeN7.exe