Edit tour

Windows Analysis Report
JawnEmT6S2.exe

Overview

General Information

Sample name:	JawnEmT6S2.exe renamed because original name is a hash value
Original sample name:	59bc430c7e94eda88ba59fc1fa3d2c0c.exe
Analysis ID:	1432441
MD5:	59bc430c7e94eda88ba59fc1fa3d2c0c
SHA1:	7af6f4bd5d7c38ad87432785344f3016e873b151
SHA256:	3477c51b4db8004874eeb950fced5e89d636b4ad123595ca403f8fca5c430498
Tags:	exenjratRAT
Infos:

Detection

Njrat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected Njrat

.NET source code contains potential unpacker

Contains functionality to disable the Task Manager (.Net Source)

Contains functionality to spread to USB devices (.Net source)

Creates autorun.inf (USB autostart)

Disables zone checking for all users

Drops PE files to the startup folder

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies the windows firewall

Uses netsh to modify the Windows network and firewall settings

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May infect USB drives

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

JawnEmT6S2.exe (PID: 6596 cmdline: "C:\Users\user\Desktop\JawnEmT6S2.exe" MD5: 59BC430C7E94EDA88BA59FC1FA3D2C0C)

server.exe (PID: 5460 cmdline: "C:\Users\user\AppData\Local\Temp\server.exe" MD5: 59BC430C7E94EDA88BA59FC1FA3D2C0C)

netsh.exe (PID: 6292 cmdline: netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe" "server.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

conhost.exe (PID: 6284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
NjRAT	RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.	AQUATIC PANDA Earth Lusca Operation C-Major The Gorgon Group	http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/ http://blogs.360.cn/post/analysis-of-apt-c-37.html http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/ https://asec.ahnlab.com/1369	https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Malware Configuration

Threatname: Njrat

{"Campaign ID": "HacKed", "Version": "0.7d", "Install Name": "bd45e682ad8a06dcb9168f1be41d3129", "Install Dir": "system", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Network Seprator": "|'|'|"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
JawnEmT6S2.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
JawnEmT6S2.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x115d2:$a1: get_Registry 0x159f3:$a2: SEE_MASK_NOZONECHECKS 0x15695:$a3: Download ERROR 0x15c45:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13bd2:$a5: netsh firewall delete allowedprogram "
JawnEmT6S2.exe	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x15c45:$x1: cmd.exe /c ping 0 -n 2 & del " 0x1375e:$s1: winmgmts:\\.\root\SecurityCenter2 0x156b3:$s3: Executed As 0x124f0:$s5: Stub.exe 0x15695:$s6: Download ERROR 0x13720:$s8: Select * From AntiVirusProduct
JawnEmT6S2.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x159f3:$reg: SEE_MASK_NOZONECHECKS 0x15679:$msg: Execute ERROR 0x156cd:$msg: Execute ERROR 0x15c45:$ping: cmd.exe /c ping 0 -n 2 & del
JawnEmT6S2.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13bd2:$s1: netsh firewall delete allowedprogram 0x13c24:$s2: netsh firewall add allowedprogram 0x15c45:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x15679:$s4: Execute ERROR 0x156cd:$s4: Execute ERROR 0x15695:$s5: Download ERROR

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\server.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Users\user\AppData\Local\Temp\server.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x115d2:$a1: get_Registry 0x159f3:$a2: SEE_MASK_NOZONECHECKS 0x15695:$a3: Download ERROR 0x15c45:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13bd2:$a5: netsh firewall delete allowedprogram "
C:\Users\user\AppData\Local\Temp\server.exe	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x15c45:$x1: cmd.exe /c ping 0 -n 2 & del " 0x1375e:$s1: winmgmts:\\.\root\SecurityCenter2 0x156b3:$s3: Executed As 0x124f0:$s5: Stub.exe 0x15695:$s6: Download ERROR 0x13720:$s8: Select * From AntiVirusProduct
C:\Users\user\AppData\Local\Temp\server.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x159f3:$reg: SEE_MASK_NOZONECHECKS 0x15679:$msg: Execute ERROR 0x156cd:$msg: Execute ERROR 0x15c45:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Users\user\AppData\Local\Temp\server.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13bd2:$s1: netsh firewall delete allowedprogram 0x13c24:$s2: netsh firewall add allowedprogram 0x15c45:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x15679:$s4: Execute ERROR 0x156cd:$s4: Execute ERROR 0x15695:$s5: Download ERROR
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Epic Games.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Epic Games.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x115d2:$a1: get_Registry 0x159f3:$a2: SEE_MASK_NOZONECHECKS 0x15695:$a3: Download ERROR 0x15c45:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13bd2:$a5: netsh firewall delete allowedprogram "
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Epic Games.exe	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x15c45:$x1: cmd.exe /c ping 0 -n 2 & del " 0x1375e:$s1: winmgmts:\\.\root\SecurityCenter2 0x156b3:$s3: Executed As 0x124f0:$s5: Stub.exe 0x15695:$s6: Download ERROR 0x13720:$s8: Select * From AntiVirusProduct
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Epic Games.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x159f3:$reg: SEE_MASK_NOZONECHECKS 0x15679:$msg: Execute ERROR 0x156cd:$msg: Execute ERROR 0x15c45:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Epic Games.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13bd2:$s1: netsh firewall delete allowedprogram 0x13c24:$s2: netsh firewall add allowedprogram 0x15c45:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x15679:$s4: Execute ERROR 0x156cd:$s4: Execute ERROR 0x15695:$s5: Download ERROR
C:\Umbrella.flv.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Umbrella.flv.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x115d2:$a1: get_Registry 0x159f3:$a2: SEE_MASK_NOZONECHECKS 0x15695:$a3: Download ERROR 0x15c45:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13bd2:$a5: netsh firewall delete allowedprogram "
C:\Umbrella.flv.exe	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x15c45:$x1: cmd.exe /c ping 0 -n 2 & del " 0x1375e:$s1: winmgmts:\\.\root\SecurityCenter2 0x156b3:$s3: Executed As 0x124f0:$s5: Stub.exe 0x15695:$s6: Download ERROR 0x13720:$s8: Select * From AntiVirusProduct
C:\Umbrella.flv.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x159f3:$reg: SEE_MASK_NOZONECHECKS 0x15679:$msg: Execute ERROR 0x156cd:$msg: Execute ERROR 0x15c45:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Umbrella.flv.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13bd2:$s1: netsh firewall delete allowedprogram 0x13c24:$s2: netsh firewall add allowedprogram 0x15c45:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x15679:$s4: Execute ERROR 0x156cd:$s4: Execute ERROR 0x15695:$s5: Download ERROR
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bd45e682ad8a06dcb9168f1be41d3129Epic Games.exe	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bd45e682ad8a06dcb9168f1be41d3129Epic Games.exe	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x115d2:$a1: get_Registry 0x159f3:$a2: SEE_MASK_NOZONECHECKS 0x15695:$a3: Download ERROR 0x15c45:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13bd2:$a5: netsh firewall delete allowedprogram "
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bd45e682ad8a06dcb9168f1be41d3129Epic Games.exe	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x15c45:$x1: cmd.exe /c ping 0 -n 2 & del " 0x1375e:$s1: winmgmts:\\.\root\SecurityCenter2 0x156b3:$s3: Executed As 0x124f0:$s5: Stub.exe 0x15695:$s6: Download ERROR 0x13720:$s8: Select * From AntiVirusProduct
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bd45e682ad8a06dcb9168f1be41d3129Epic Games.exe	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x159f3:$reg: SEE_MASK_NOZONECHECKS 0x15679:$msg: Execute ERROR 0x156cd:$msg: Execute ERROR 0x15c45:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bd45e682ad8a06dcb9168f1be41d3129Epic Games.exe	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13bd2:$s1: netsh firewall delete allowedprogram 0x13c24:$s2: netsh firewall add allowedprogram 0x15c45:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x15679:$s4: Execute ERROR 0x156cd:$s4: Execute ERROR 0x15695:$s5: Download ERROR
Click to see the 15 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1620882363.0000000000502000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000000.1620882363.0000000000502000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x113d2:$a1: get_Registry 0x157f3:$a2: SEE_MASK_NOZONECHECKS 0x15495:$a3: Download ERROR 0x15a45:$a4: cmd.exe /c ping 0 -n 2 & del " 0x139d2:$a5: netsh firewall delete allowedprogram "
00000000.00000000.1620882363.0000000000502000.00000002.00000001.01000000.00000003.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x157f3:$reg: SEE_MASK_NOZONECHECKS 0x15479:$msg: Execute ERROR 0x154cd:$msg: Execute ERROR 0x15a45:$ping: cmd.exe /c ping 0 -n 2 & del
00000000.00000002.1663600842.0000000003AC8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000002.1663600842.0000000003AC8000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x115f2:$a1: get_Registry 0x15a13:$a2: SEE_MASK_NOZONECHECKS 0x156b5:$a3: Download ERROR 0x15c65:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13bf2:$a5: netsh firewall delete allowedprogram "
00000000.00000002.1663600842.0000000003AC8000.00000004.00000800.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x15a13:$reg: SEE_MASK_NOZONECHECKS 0x15699:$msg: Execute ERROR 0x156ed:$msg: Execute ERROR 0x15c65:$ping: cmd.exe /c ping 0 -n 2 & del
00000001.00000002.4103059609.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: JawnEmT6S2.exe PID: 6596	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: server.exe PID: 5460	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.JawnEmT6S2.exe.500000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.0.JawnEmT6S2.exe.500000.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x115d2:$a1: get_Registry 0x159f3:$a2: SEE_MASK_NOZONECHECKS 0x15695:$a3: Download ERROR 0x15c45:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13bd2:$a5: netsh firewall delete allowedprogram "
0.0.JawnEmT6S2.exe.500000.0.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x15c45:$x1: cmd.exe /c ping 0 -n 2 & del " 0x1375e:$s1: winmgmts:\\.\root\SecurityCenter2 0x156b3:$s3: Executed As 0x124f0:$s5: Stub.exe 0x15695:$s6: Download ERROR 0x13720:$s8: Select * From AntiVirusProduct
0.0.JawnEmT6S2.exe.500000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x159f3:$reg: SEE_MASK_NOZONECHECKS 0x15679:$msg: Execute ERROR 0x156cd:$msg: Execute ERROR 0x15c45:$ping: cmd.exe /c ping 0 -n 2 & del
0.0.JawnEmT6S2.exe.500000.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x13bd2:$s1: netsh firewall delete allowedprogram 0x13c24:$s2: netsh firewall add allowedprogram 0x15c45:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x15679:$s4: Execute ERROR 0x156cd:$s4: Execute ERROR 0x15695:$s5: Download ERROR

Sigma Signatures

System Summary

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\server.exe, ProcessId: 5460, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Epic Games.exe

Snort Signatures

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 3.124.67.191

Timestamp:	04/27/24-04:38:38.307737
SID:	2033132
Source Port:	49738
Destination Port:	10250
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 3.124.67.191

Timestamp:	04/27/24-04:40:41.338997
SID:	2814856
Source Port:	49739
Destination Port:	10250
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 3.124.67.191

Timestamp:	04/27/24-04:40:41.169696
SID:	2033132
Source Port:	49739
Destination Port:	10250
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.4 - Destination IP: 3.125.188.168

Timestamp:	04/27/24-04:37:16.009989
SID:	2814860
Source Port:	49730
Destination Port:	10250
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.4 - Destination IP: 3.125.188.168

Timestamp:	04/27/24-04:37:16.009989
SID:	2825564
Source Port:	49730
Destination Port:	10250
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) - Source IP: 192.168.2.4 - Destination IP: 3.124.67.191

Timestamp:	04/27/24-04:40:47.691759
SID:	2825564
Source Port:	49739
Destination Port:	10250
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 3.124.67.191

Timestamp:	04/27/24-04:38:38.479153
SID:	2814856
Source Port:	49738
Destination Port:	10250
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) - Source IP: 192.168.2.4 - Destination IP: 3.124.67.191

Timestamp:	04/27/24-04:40:47.691759
SID:	2814860
Source Port:	49739
Destination Port:	10250
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) - Source IP: 192.168.2.4 - Destination IP: 3.125.188.168

Timestamp:	04/27/24-04:37:07.124534
SID:	2814856
Source Port:	49730
Destination Port:	10250
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) - Source IP: 192.168.2.4 - Destination IP: 3.125.188.168

Timestamp:	04/27/24-04:37:06.953679
SID:	2033132
Source Port:	49730
Destination Port:	10250
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: JawnEmT6S2.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Umbrella.flv.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bd45e682ad8a06dcb9168f1be41d3129Epic Games.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Epic Games.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Temp\server.exe	Avira: detection malicious, Label: TR/Dropper.Gen

Found malware configuration

Source: 0.0.JawnEmT6S2.exe.500000.0.unpack

Malware Configuration Extractor: Njrat {"Campaign ID": "HacKed", "Version": "0.7d", "Install Name": "bd45e682ad8a06dcb9168f1be41d3129", "Install Dir": "system", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Network Seprator": "|'|'|"}

Multi AV Scanner detection for domain / URL

Source: 7.tcp.eu.ngrok.io

Virustotal: Detection: 14%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Umbrella.flv.exe	ReversingLabs: Detection: 84%
Source: C:\Umbrella.flv.exe	Virustotal: Detection: 70%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\server.exe	ReversingLabs: Detection: 84%
Source: C:\Users\user\AppData\Local\Temp\server.exe	Virustotal: Detection: 70%	Perma Link
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Epic Games.exe	ReversingLabs: Detection: 84%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Epic Games.exe	Virustotal: Detection: 70%	Perma Link
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bd45e682ad8a06dcb9168f1be41d3129Epic Games.exe	ReversingLabs: Detection: 84%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bd45e682ad8a06dcb9168f1be41d3129Epic Games.exe	Virustotal: Detection: 70%	Perma Link

Multi AV Scanner detection for submitted file

Source: JawnEmT6S2.exe	ReversingLabs: Detection: 84%
Source: JawnEmT6S2.exe	Virustotal: Detection: 70%			Perma Link

Yara detected Njrat

Source: Yara match	File source: JawnEmT6S2.exe, type: SAMPLE
Source: Yara match	File source: 0.0.JawnEmT6S2.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1620882363.0000000000502000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1663600842.0000000003AC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4103059609.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JawnEmT6S2.exe PID: 6596, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server.exe PID: 5460, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Epic Games.exe, type: DROPPED
Source: Yara match	File source: C:\Umbrella.flv.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bd45e682ad8a06dcb9168f1be41d3129Epic Games.exe, type: DROPPED

Machine Learning detection for dropped file

Source: C:\Umbrella.flv.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bd45e682ad8a06dcb9168f1be41d3129Epic Games.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Epic Games.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\server.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: JawnEmT6S2.exe

Joe Sandbox ML: detected

Source: JawnEmT6S2.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\JawnEmT6S2.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: JawnEmT6S2.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Spreading

Contains functionality to spread to USB devices (.Net source)

Source: JawnEmT6S2.exe, Usb1.cs	.Net Code: infect
Source: server.exe.0.dr, Usb1.cs	.Net Code: infect
Source: Epic Games.exe.1.dr, Usb1.cs	.Net Code: infect
Source: bd45e682ad8a06dcb9168f1be41d3129Epic Games.exe.1.dr, Usb1.cs	.Net Code: infect
Source: Umbrella.flv.exe.1.dr, Usb1.cs	.Net Code: infect

Creates autorun.inf (USB autostart)

Source: C:\Users\user\AppData\Local\Temp\server.exe

File created: C:\autorun.inf

Jump to behavior

Source: JawnEmT6S2.exe, 00000000.00000000.1620882363.0000000000502000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: \autorun.inf
Source: JawnEmT6S2.exe, 00000000.00000000.1620882363.0000000000502000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: [autorun]
Source: JawnEmT6S2.exe, 00000000.00000000.1620882363.0000000000502000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: autorun.inf
Source: JawnEmT6S2.exe, 00000000.00000002.1663600842.0000000003AC8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \autorun.inf
Source: JawnEmT6S2.exe, 00000000.00000002.1663600842.0000000003AC8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: JawnEmT6S2.exe, 00000000.00000002.1663600842.0000000003AC8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: server.exe, 00000001.00000002.4103059609.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \autorun.inf
Source: server.exe, 00000001.00000002.4103059609.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: server.exe, 00000001.00000002.4103059609.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autorun.inf$OJk
Source: JawnEmT6S2.exe	Binary or memory string: \autorun.inf
Source: JawnEmT6S2.exe	Binary or memory string: [autorun]
Source: JawnEmT6S2.exe	Binary or memory string: autorun.inf
Source: autorun.inf.1.dr	Binary or memory string: [autorun]
Source: Umbrella.flv.exe.1.dr	Binary or memory string: \autorun.inf
Source: Umbrella.flv.exe.1.dr	Binary or memory string: [autorun]
Source: Umbrella.flv.exe.1.dr	Binary or memory string: autorun.inf
Source: bd45e682ad8a06dcb9168f1be41d3129Epic Games.exe.1.dr	Binary or memory string: \autorun.inf
Source: bd45e682ad8a06dcb9168f1be41d3129Epic Games.exe.1.dr	Binary or memory string: [autorun]
Source: bd45e682ad8a06dcb9168f1be41d3129Epic Games.exe.1.dr	Binary or memory string: autorun.inf
Source: Epic Games.exe.1.dr	Binary or memory string: \autorun.inf
Source: Epic Games.exe.1.dr	Binary or memory string: [autorun]
Source: Epic Games.exe.1.dr	Binary or memory string: autorun.inf
Source: server.exe.0.dr	Binary or memory string: \autorun.inf
Source: server.exe.0.dr	Binary or memory string: [autorun]
Source: server.exe.0.dr	Binary or memory string: autorun.inf

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49730 -> 3.125.188.168:10250
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49730 -> 3.125.188.168:10250
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49730 -> 3.125.188.168:10250
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49730 -> 3.125.188.168:10250
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49738 -> 3.124.67.191:10250
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49738 -> 3.124.67.191:10250
Source: Traffic	Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49739 -> 3.124.67.191:10250
Source: Traffic	Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49739 -> 3.124.67.191:10250
Source: Traffic	Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49739 -> 3.124.67.191:10250
Source: Traffic	Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49739 -> 3.124.67.191:10250

Source: global traffic	TCP traffic: 192.168.2.4:49730 -> 3.125.188.168:10250
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 3.124.67.191:10250

Source: Joe Sandbox View	IP Address: 3.125.188.168 3.125.188.168
Source: Joe Sandbox View	IP Address: 3.124.67.191 3.124.67.191

Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 7.tcp.eu.ngrok.io

Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior

E-Banking Fraud

Yara detected Njrat

Source: Yara match	File source: JawnEmT6S2.exe, type: SAMPLE
Source: Yara match	File source: 0.0.JawnEmT6S2.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1620882363.0000000000502000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1663600842.0000000003AC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4103059609.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JawnEmT6S2.exe PID: 6596, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server.exe PID: 5460, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Epic Games.exe, type: DROPPED
Source: Yara match	File source: C:\Umbrella.flv.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bd45e682ad8a06dcb9168f1be41d3129Epic Games.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: JawnEmT6S2.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: JawnEmT6S2.exe, type: SAMPLE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: JawnEmT6S2.exe, type: SAMPLE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: JawnEmT6S2.exe, type: SAMPLE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.0.JawnEmT6S2.exe.500000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.0.JawnEmT6S2.exe.500000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.0.JawnEmT6S2.exe.500000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.JawnEmT6S2.exe.500000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000000.00000000.1620882363.0000000000502000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000000.1620882363.0000000000502000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1663600842.0000000003AC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000002.1663600842.0000000003AC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Epic Games.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Epic Games.exe, type: DROPPED	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Epic Games.exe, type: DROPPED	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Epic Games.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Umbrella.flv.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Umbrella.flv.exe, type: DROPPED	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Umbrella.flv.exe, type: DROPPED	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Umbrella.flv.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bd45e682ad8a06dcb9168f1be41d3129Epic Games.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bd45e682ad8a06dcb9168f1be41d3129Epic Games.exe, type: DROPPED	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bd45e682ad8a06dcb9168f1be41d3129Epic Games.exe, type: DROPPED	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bd45e682ad8a06dcb9168f1be41d3129Epic Games.exe, type: DROPPED	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen

Source: C:\Users\user\AppData\Local\Temp\server.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Code function: 0_2_04CD4298	0_2_04CD4298
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Code function: 0_2_04CD4544	0_2_04CD4544
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Code function: 0_2_04CD505D	0_2_04CD505D
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Code function: 0_2_04CD4B5B	0_2_04CD4B5B
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Code function: 0_2_04CD47D4	0_2_04CD47D4
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Code function: 0_2_04CD536F	0_2_04CD536F
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Code function: 0_2_04CD50E3	0_2_04CD50E3
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Code function: 0_2_04CD49F9	0_2_04CD49F9
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Code function: 0_2_04CD44F1	0_2_04CD44F1
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Code function: 0_2_04CD428F	0_2_04CD428F
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Code function: 0_2_04CD470F	0_2_04CD470F
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Code function: 0_2_04CD4C8F	0_2_04CD4C8F
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Code function: 0_2_04CD5000	0_2_04CD5000
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Code function: 0_2_04CD4F9D	0_2_04CD4F9D
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Code function: 0_2_04CD499D	0_2_04CD499D
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Code function: 0_2_04CD4F2F	0_2_04CD4F2F
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Code function: 0_2_04CD4936	0_2_04CD4936
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Code function: 0_2_04CD4630	0_2_04CD4630
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Code function: 0_2_04CD5459	0_2_04CD5459
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 1_2_00912807	1_2_00912807
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 1_2_0091247C	1_2_0091247C
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 1_2_009126E7	1_2_009126E7
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 1_2_00BF4298	1_2_00BF4298
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 1_2_00BF499D	1_2_00BF499D
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 1_2_00BF49F9	1_2_00BF49F9
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 1_2_00BF44F1	1_2_00BF44F1
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 1_2_00BF47D4	1_2_00BF47D4
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 1_2_00BF4936	1_2_00BF4936
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 1_2_00BF4630	1_2_00BF4630
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 1_2_00BF470F	1_2_00BF470F
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 1_2_00BF4269	1_2_00BF4269
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 1_2_00BF4B5B	1_2_00BF4B5B
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 1_2_00BF4544	1_2_00BF4544
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 1_2_00BF4F9D	1_2_00BF4F9D
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 1_2_00BF4C8F	1_2_00BF4C8F
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 1_2_00BF50E3	1_2_00BF50E3
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 1_2_00BF4F2F	1_2_00BF4F2F
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 1_2_00BF5000	1_2_00BF5000
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 1_2_00BF536F	1_2_00BF536F
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 1_2_00BF505D	1_2_00BF505D
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 1_2_00BF5459	1_2_00BF5459

Source: JawnEmT6S2.exe, 00000000.00000002.1662752187.0000000000C0E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenamemscorwks.dllT vs JawnEmT6S2.exe

Source: JawnEmT6S2.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: JawnEmT6S2.exe, type: SAMPLE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: JawnEmT6S2.exe, type: SAMPLE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: JawnEmT6S2.exe, type: SAMPLE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: JawnEmT6S2.exe, type: SAMPLE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.0.JawnEmT6S2.exe.500000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.0.JawnEmT6S2.exe.500000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.JawnEmT6S2.exe.500000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.0.JawnEmT6S2.exe.500000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000000.00000000.1620882363.0000000000502000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000000.1620882363.0000000000502000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000002.1663600842.0000000003AC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000002.1663600842.0000000003AC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Epic Games.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Epic Games.exe, type: DROPPED	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Epic Games.exe, type: DROPPED	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Epic Games.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Umbrella.flv.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Umbrella.flv.exe, type: DROPPED	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Umbrella.flv.exe, type: DROPPED	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Umbrella.flv.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bd45e682ad8a06dcb9168f1be41d3129Epic Games.exe, type: DROPPED	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bd45e682ad8a06dcb9168f1be41d3129Epic Games.exe, type: DROPPED	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bd45e682ad8a06dcb9168f1be41d3129Epic Games.exe, type: DROPPED	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bd45e682ad8a06dcb9168f1be41d3129Epic Games.exe, type: DROPPED	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi

Source: classification engine

Classification label: mal100.spre.phis.troj.adwa.evad.winEXE@6/8@3/2

Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 1_2_04FA00EA AdjustTokenPrivileges,		1_2_04FA00EA
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 1_2_04FA00B3 AdjustTokenPrivileges,		1_2_04FA00B3

Source: C:\Users\user\Desktop\JawnEmT6S2.exe

File created: C:\Users\user\AppData\Roaming\app

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\server.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\server.exe	Mutant created: \Sessions\1\BaseNamedObjects\bd45e682ad8a06dcb9168f1be41d3129
Source: C:\Users\user\AppData\Local\Temp\server.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6284:120:WilError_03

Source: C:\Users\user\Desktop\JawnEmT6S2.exe

File created: C:\Users\user\AppData\Local\Temp\FransescoPast.txt

Jump to behavior

Source: JawnEmT6S2.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: JawnEmT6S2.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\JawnEmT6S2.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\JawnEmT6S2.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: JawnEmT6S2.exe	ReversingLabs: Detection: 84%
Source: JawnEmT6S2.exe	Virustotal: Detection: 70%

Source: C:\Users\user\Desktop\JawnEmT6S2.exe

File read: C:\Users\user\Desktop\JawnEmT6S2.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\JawnEmT6S2.exe "C:\Users\user\Desktop\JawnEmT6S2.exe"
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Process created: C:\Users\user\AppData\Local\Temp\server.exe "C:\Users\user\AppData\Local\Temp\server.exe"
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Process created: C:\Users\user\AppData\Local\Temp\server.exe "C:\Users\user\AppData\Local\Temp\server.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe" "server.exe" ENABLE	Jump to behavior

Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\server.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\JawnEmT6S2.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: JawnEmT6S2.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\JawnEmT6S2.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: JawnEmT6S2.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: JawnEmT6S2.exe, Fransesco.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: server.exe.0.dr, Fransesco.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: Epic Games.exe.1.dr, Fransesco.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: bd45e682ad8a06dcb9168f1be41d3129Epic Games.exe.1.dr, Fransesco.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: Umbrella.flv.exe.1.dr, Fransesco.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\JawnEmT6S2.exe	File created: C:\Users\user\AppData\Local\Temp\server.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\server.exe	File created: C:\Umbrella.flv.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Epic Games.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bd45e682ad8a06dcb9168f1be41d3129Epic Games.exe	Jump to dropped file

Boot Survival

Drops PE files to the startup folder

Source: C:\Users\user\AppData\Local\Temp\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Epic Games.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bd45e682ad8a06dcb9168f1be41d3129Epic Games.exe			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\server.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Epic Games.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Epic Games.exe			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bd45e682ad8a06dcb9168f1be41d3129Epic Games.exe			Jump to behavior

Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Memory allocated: EA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Memory allocated: 2AC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\JawnEmT6S2.exe	Memory allocated: 4AC0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Memory allocated: 9B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Memory allocated: 26F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Memory allocated: B40000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\JawnEmT6S2.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\server.exe	Window / User API: threadDelayed 906	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Window / User API: threadDelayed 5644	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Window / User API: threadDelayed 2858	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Window / User API: foregroundWindowGot 742	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Window / User API: foregroundWindowGot 726	Jump to behavior

Source: C:\Users\user\Desktop\JawnEmT6S2.exe TID: 6772	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe TID: 2140	Thread sleep time: -90600s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe TID: 6264	Thread sleep time: -5644000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe TID: 6264	Thread sleep time: -2858000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\JawnEmT6S2.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: JawnEmT6S2.exe, 00000000.00000002.1662752187.0000000000C89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\5
Source: server.exe, 00000001.00000002.4102168320.00000000004E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllA6w
Source: JawnEmT6S2.exe, 00000000.00000002.1662752187.0000000000C89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}A
Source: netsh.exe, 00000002.00000003.1707934872.0000000000C62000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllS
Source: server.exe, 00000001.00000002.4102168320.00000000004E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\AppData\Local\Temp\server.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\JawnEmT6S2.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\JawnEmT6S2.exe

Process created: C:\Users\user\AppData\Local\Temp\server.exe "C:\Users\user\AppData\Local\Temp\server.exe"

Jump to behavior

Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 02:37:22 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 00:08:04 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 08:40:32 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 17:02:27 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 03:14:43 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 03:45:26 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 01:16:08 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 16:30:24 - Program Manager
Source: server.exe, 00000001.00000002.4103059609.000000000291D000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4103059609.0000000002990000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4103059609.0000000002A41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 21:15:42 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 00:44:05 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 08:09:48 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 16:59:40 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 22:02:22 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 15:53:03 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 04:01:23 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 08:19:07 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 16:51:48 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 22:33:05 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 08:45:49 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 01:21:26 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 23:41:09 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 08:25:55 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 00:13:22 - Program Manager
Source: server.exe, 00000001.00000002.4103059609.000000000291D000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4103059609.00000000028D7000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4103059609.0000000002C84000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 20:38:21 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 08:35:14 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 16:15:47 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 09:33:59 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 07:53:52 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 00:45:35 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 09:07:17 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 16:14:17 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 04:19:50 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 23:49:01 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 04:02:53 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 23:39:42 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 04:12:12 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 00:18:39 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 17:35:31 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 08:03:01 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 16:04:58 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 09:01:46 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 01:05:19 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 09:11:05 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 03:34:37 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 02:26:33 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 22:54:29 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 07:52:22 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 17:47:50 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 09:12:35 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 00:50:53 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 08:04:31 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 01:10:37 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 00:02:33 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 15:54:33 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 00:29:28 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 03:29:19 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 08:46:03 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 07:59:23 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 08:36:44 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 23:06:38 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 23:42:00 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 16:47:21 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 17:34:01 - Program Manager
Source: server.exe, 00000001.00000002.4103059609.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 21:19:29 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 01:59:47 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 03:23:48 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 03:03:54 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 03:46:56 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 02:15:44 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 03:13:13 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 16:06:42 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 02:48:11 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 04:11:58 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 02:38:52 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 04:21:17 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 09:08:47 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 02:41:10 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 07:57:39 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 02:31:51 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 23:22:45 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 03:33:07 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 15:52:49 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 17:45:29 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 22:45:24 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 02:40:19 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 16:37:25 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 16:58:49 - Program Manager
Source: server.exe, 00000001.00000002.4103059609.000000000291D000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4103059609.00000000028D7000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4103059609.0000000002C84000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/27 \| 04:39:29 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 16:41:13 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 17:39:18 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 01:07:40 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 17:08:35 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 00:14:52 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 01:01:32 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 01:22:56 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 08:08:18 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 00:57:54 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 14:44:08 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 04:17:29 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 01:38:23 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 03:09:25 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 23:10:26 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 02:46:27 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 15:29:21 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 13:52:11 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 23:59:36 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 01:54:30 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 08:24:25 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 10:04:26 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 23:53:28 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 03:25:32 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 22:49:48 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 01:06:10 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 23:12:10 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 03:12:59 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 01:08:33 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 00:11:38 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 15:51:19 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 09:07:54 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 09:17:13 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 01:32:52 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 22:56:13 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 14:45:38 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 16:53:32 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 22:46:54 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 14:28:38 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 04:07:31 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 23:54:58 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 23:05:45 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 16:36:32 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 23:15:04 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 08:58:22 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 08:02:47 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 04:19:13 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 17:46:59 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 08:12:06 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 04:09:54 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 16:38:55 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 16:48:14 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 22:59:07 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 00:39:24 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 03:55:22 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 15:00:42 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 01:47:28 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 22:39:13 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 23:52:35 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 16:16:01 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 08:52:51 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 00:34:09 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 01:55:23 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 23:17:27 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 01:58:17 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 16:59:03 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 16:40:20 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 22:44:31 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 23:41:46 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 17:43:06 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 08:47:33 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 23:18:57 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 23:28:16 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 17:09:28 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 03:48:40 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 16:35:02 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 02:31:14 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 16:25:43 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 08:13:36 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 22:55:59 - Program Manager
Source: server.exe, 00000001.00000002.4103059609.000000000291D000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4103059609.00000000028D7000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4103059609.0000000002C84000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/27 \| 16:29:28 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 02:20:25 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 03:08:32 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 01:12:21 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 04:16:36 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 08:15:59 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 16:57:19 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 09:23:24 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 10:25:11 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 02:12:50 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 15:39:56 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 23:21:15 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 17:01:34 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 03:30:13 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 04:18:59 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 15:49:15 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 17:13:16 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 23:48:47 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 03:44:33 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 17:03:57 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 16:40:59 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 07:54:45 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 16:05:12 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 15:42:14 - Program Manager
Source: server.exe, 00000001.00000002.4103059609.000000000291D000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4103059609.00000000028D7000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4103059609.0000000002C84000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 20:59:08 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 01:19:22 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 00:56:24 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 01:43:41 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 02:47:57 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 03:59:09 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 17:05:41 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 02:51:45 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 01:49:12 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 23:43:30 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 01:53:00 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 01:39:53 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 00:09:34 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 09:10:12 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 07:50:38 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 22:48:18 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 16:44:07 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 16:34:48 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 02:49:41 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 23:09:52 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 15:36:03 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 07:56:09 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 02:59:00 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 23:13:40 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 16:20:28 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 23:19:11 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 07:48:34 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 22:50:42 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 23:58:06 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 08:45:10 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 23:11:56 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 01:51:16 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 22:38:59 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 00:43:12 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 17:15:00 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 01:17:38 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 16:52:02 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 17:29:20 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 00:33:53 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 08:07:25 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 17:14:09 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 23:57:13 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 09:15:29 - Program Manager
Source: server.exe, 00000001.00000002.4103059609.000000000291D000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4103059609.00000000028D7000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4103059609.0000000002990000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 21:06:00 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 16:06:05 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 23:56:42 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 16:27:29 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 22:50:05 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 03:26:25 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 02:39:45 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 08:21:31 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 15:55:26 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 03:47:49 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 02:56:23 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 01:13:14 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 16:42:06 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 00:05:10 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 04:03:46 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 15:15:55 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 22:35:28 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 03:31:43 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 07:49:27 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 08:37:37 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 15:40:50 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 04:04:17 - Program Manager
Source: server.exe, 00000001.00000002.4103059609.0000000002799000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 21:47:18 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 00:25:04 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 16:08:06 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 01:37:30 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 03:27:55 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 15:51:56 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 02:45:34 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 01:02:25 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 00:52:17 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 08:26:48 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 02:10:29 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 03:53:38 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 17:30:16 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 23:11:19 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 02:59:39 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 16:22:12 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 08:54:15 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 03:07:02 - Program Manager
Source: Epic Games.exe.1.dr, server.exe.0.dr	Binary or memory string: Shell_traywnd+MostrarBarraDeTarefas
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 00:07:11 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 03:42:32 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 00:26:34 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 17:38:25 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 01:15:15 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 01:34:38 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 02:23:19 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 02:29:27 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 16:38:18 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 00:52:00 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 02:19:51 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 08:41:25 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 01:45:27 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 23:30:57 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 00:14:15 - Program Manager
Source: server.exe, 00000001.00000002.4103059609.000000000291D000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4103059609.00000000028D7000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4103059609.0000000002C84000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 21:01:39 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 00:59:18 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 09:21:01 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 15:58:57 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 02:32:07 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 17:41:05 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 00:37:23 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 16:33:01 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 23:29:46 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 03:21:25 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 08:59:52 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 02:13:21 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 01:22:19 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 17:16:30 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 01:24:03 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 22:38:20 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 22:57:43 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 02:01:24 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 08:30:36 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 15:06:50 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 00:54:01 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 02:07:32 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 08:11:13 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 15:45:08 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 23:24:09 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 03:38:44 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 03:39:15 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 09:02:39 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 22:41:00 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 08:18:14 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 14:56:27 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 03:15:36 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 23:55:12 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 08:20:01 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 00:00:49 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 09:26:18 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 13:48:23 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 08:32:20 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 08:59:15 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 03:39:52 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 00:16:16 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 23:50:12 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 23:02:14 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 00:30:22 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 17:42:13 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 00:57:17 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 15:53:40 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 02:28:56 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 03:00:01 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 02:09:33 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 09:24:17 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 01:40:10 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 23:29:09 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 02:11:20 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 03:17:37 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 04:25:24 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 08:16:13 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 16:31:17 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 23:08:22 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 03:17:20 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 03:43:03 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 08:10:05 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 02:54:22 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 17:25:35 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 01:29:57 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 17:26:06 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 09:05:31 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 22:37:12 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 03:59:46 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 08:20:18 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 16:41:50 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 07:54:08 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 22:47:25 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 16:18:02 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 23:33:34 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 02:28:19 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 03:49:33 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 23:09:15 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 07:42:26 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 15:49:52 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 04:15:43 - Program Manager
Source: server.exe, 00000001.00000002.4103059609.000000000291D000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4103059609.00000000028D7000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4103059609.0000000002990000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 21:13:58 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 08:49:34 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 01:25:11 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 16:54:03 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 03:19:21 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 15:03:58 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 01:56:16 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 23:55:29 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 03:43:40 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 00:48:12 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 17:06:12 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 02:18:38 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 15:43:07 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 02:12:13 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 22:57:06 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 08:17:21 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 00:18:00 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 03:40:48 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 14:22:50 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 23:14:11 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 02:32:44 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 01:50:23 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 13:57:28 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 03:16:29 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 23:44:23 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 00:15:08 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 16:57:56 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 15:30:54 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 17:40:12 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 22:51:13 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 03:48:57 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 02:05:48 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 00:58:25 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 16:43:14 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 04:05:30 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 00:20:04 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 08:39:21 - Program Manager
Source: server.exe, 00000001.00000002.4103059609.000000000291D000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4103059609.00000000028D7000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4103059609.0000000002C84000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/27 \| 12:07:13 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 16:17:31 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 07:57:00 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 02:43:33 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 08:58:39 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 01:57:24 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 23:42:39 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 16:02:57 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 02:55:15 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 03:51:37 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 22:46:17 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 03:53:21 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 01:19:39 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 22:58:14 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 13:47:30 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 08:06:32 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 17:05:04 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 23:56:05 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 17:36:24 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 09:14:36 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 17:17:01 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 14:33:19 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 21:26:31 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 02:19:14 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 00:23:57 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 09:13:28 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 03:32:14 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 23:23:16 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 03:04:47 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 22:48:01 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 03:06:31 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 03:52:45 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 09:37:07 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 03:30:50 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 15:39:19 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 08:05:24 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 03:28:26 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 22:56:50 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 02:44:41 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 08:29:03 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 03:22:01 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 08:31:07 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 15:18:32 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 16:07:13 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 23:13:03 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 01:35:09 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 08:53:22 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 00:46:28 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 16:50:55 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 16:26:36 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 00:03:26 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 17:15:17 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 23:19:28 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 00:27:05 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 09:16:20 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 02:41:49 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 15:42:51 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 01:09:26 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 00:51:24 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 01:33:45 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 17:13:53 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 01:14:22 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 00:25:41 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 21:24:47 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 16:48:51 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 08:41:03 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 15:08:14 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 00:20:41 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 07:54:23 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 16:16:18 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 22:50:59 - Program Manager
Source: server.exe, 00000001.00000002.4103059609.000000000291D000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4103059609.00000000028D7000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4103059609.0000000002C84000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/27 \| 16:47:36 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 08:10:20 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 22:58:51 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 04:13:59 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 23:03:07 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 16:08:28 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 03:05:55 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/29 \| 23:09:30 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 01:02:03 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 17:32:39 - Program Manager
Source: server.exe, 00000001.00000002.4103059609.000000000291D000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4103059609.00000000028D7000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4103059609.0000000002C84000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/27 \| 16:39:46 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 16:24:35 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 01:56:31 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 16:21:36 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 08:00:09 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 08:02:30 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 01:15:37 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/02 \| 08:54:37 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000001.00000002.4104631856.000000000410C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/05/04 \| 13:44:38 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 00:04:34 - Program Manager
Source: server.exe, 00000001.00000002.4104631856.000000000370C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/04/30 \| 02:10:07 - Program Manager

Source: C:\Windows\SysWOW64\netsh.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\server.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Contains functionality to disable the Task Manager (.Net Source)

Source: JawnEmT6S2.exe, Fransesco.cs	.Net Code: INS
Source: server.exe.0.dr, Fransesco.cs	.Net Code: INS
Source: Epic Games.exe.1.dr, Fransesco.cs	.Net Code: INS
Source: bd45e682ad8a06dcb9168f1be41d3129Epic Games.exe.1.dr, Fransesco.cs	.Net Code: INS
Source: Umbrella.flv.exe.1.dr, Fransesco.cs	.Net Code: INS

Disables zone checking for all users

Source: C:\Users\user\AppData\Local\Temp\server.exe

Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS

Jump to behavior

Modifies the windows firewall

Source: C:\Users\user\AppData\Local\Temp\server.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe" "server.exe" ENABLE

Uses netsh to modify the Windows network and firewall settings

Source: C:\Users\user\AppData\Local\Temp\server.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe" "server.exe" ENABLE

Stealing of Sensitive Information

Yara detected Njrat

Source: Yara match	File source: JawnEmT6S2.exe, type: SAMPLE
Source: Yara match	File source: 0.0.JawnEmT6S2.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1620882363.0000000000502000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1663600842.0000000003AC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4103059609.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JawnEmT6S2.exe PID: 6596, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server.exe PID: 5460, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Epic Games.exe, type: DROPPED
Source: Yara match	File source: C:\Umbrella.flv.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bd45e682ad8a06dcb9168f1be41d3129Epic Games.exe, type: DROPPED

Remote Access Functionality

Yara detected Njrat

Source: Yara match	File source: JawnEmT6S2.exe, type: SAMPLE
Source: Yara match	File source: 0.0.JawnEmT6S2.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1620882363.0000000000502000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1663600842.0000000003AC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4103059609.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JawnEmT6S2.exe PID: 6596, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server.exe PID: 5460, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Epic Games.exe, type: DROPPED
Source: Yara match	File source: C:\Umbrella.flv.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bd45e682ad8a06dcb9168f1be41d3129Epic Games.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	21 Replication Through Removable Media	Windows Management Instrumentation	12 Registry Run Keys / Startup Folder	1 Access Token Manipulation	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	12 Process Injection	41 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Clipboard Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	12 Registry Run Keys / Startup Folder	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Access Token Manipulation	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Process Injection	LSA Secrets	1 Peripheral Device Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	12 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
JawnEmT6S2.exe	84%	ReversingLabs	ByteCode-MSIL.Backdoor.Bladabhindi
JawnEmT6S2.exe	71%	Virustotal		Browse
JawnEmT6S2.exe	100%	Avira	TR/Dropper.Gen
JawnEmT6S2.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Umbrella.flv.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bd45e682ad8a06dcb9168f1be41d3129Epic Games.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Epic Games.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Local\Temp\server.exe	100%	Avira	TR/Dropper.Gen
C:\Umbrella.flv.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bd45e682ad8a06dcb9168f1be41d3129Epic Games.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Epic Games.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\server.exe	100%	Joe Sandbox ML
C:\Umbrella.flv.exe	84%	ReversingLabs	ByteCode-MSIL.Backdoor.Bladabhindi
C:\Umbrella.flv.exe	71%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\server.exe	84%	ReversingLabs	ByteCode-MSIL.Backdoor.Bladabhindi
C:\Users\user\AppData\Local\Temp\server.exe	71%	Virustotal		Browse
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Epic Games.exe	84%	ReversingLabs	ByteCode-MSIL.Backdoor.Bladabhindi
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Epic Games.exe	71%	Virustotal		Browse
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bd45e682ad8a06dcb9168f1be41d3129Epic Games.exe	84%	ReversingLabs	ByteCode-MSIL.Backdoor.Bladabhindi
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bd45e682ad8a06dcb9168f1be41d3129Epic Games.exe	71%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
7.tcp.eu.ngrok.io	14%	Virustotal		Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
7.tcp.eu.ngrok.io	3.125.188.168	true	true	14%, Virustotal, Browse	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
3.125.188.168	7.tcp.eu.ngrok.io	United States		16509	AMAZON-02US	true
3.124.67.191	unknown	United States		16509	AMAZON-02US	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1432441
Start date and time:	2024-04-27 04:36:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	JawnEmT6S2.exe renamed because original name is a hash value
Original Sample Name:	59bc430c7e94eda88ba59fc1fa3d2c0c.exe
Detection:	MAL
Classification:	mal100.spre.phis.troj.adwa.evad.winEXE@6/8@3/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 130 Number of non-executed functions: 17
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:37:06	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bd45e682ad8a06dcb9168f1be41d3129Epic Games.exe
03:37:15	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Epic Games.exe
04:37:43	API Interceptor	433558x Sleep call for process: server.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3.125.188.168	0QHSbsQIhu.exe	Get hash	malicious	RedLine	Browse	7.tcp.eu.ngrok.io:13707/
3.124.67.191	Invoice_12_2022FGT_UKESTATE.exe	Get hash	malicious	RedLine	Browse	7.tcp.eu.ngrok.io:13616/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
7.tcp.eu.ngrok.io	02424A493EDF7B2F67778C64D2EDAB2EDF41A5469A697.exe	Get hash	malicious	Njrat	Browse	3.126.224.214
	XClient111.exe	Get hash	malicious	XWorm	Browse	3.124.67.191
	hp5NcrrHi1.exe	Get hash	malicious	Njrat	Browse	3.126.224.214
	host.exe	Get hash	malicious	Njrat	Browse	3.68.56.232
	yUyZOMK3zf.exe	Get hash	malicious	Njrat	Browse	3.125.188.168
	929EWOgWCn.exe	Get hash	malicious	Njrat	Browse	3.126.224.214
	3mkd92Kq1A.exe	Get hash	malicious	Njrat	Browse	3.68.56.232
	ne8hteT3EN.exe	Get hash	malicious	Njrat	Browse	3.124.67.191
	Haerm.exe	Get hash	malicious	Njrat	Browse	3.126.224.214
	sWvS33vecn.exe	Get hash	malicious	Njrat	Browse	3.126.224.214

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	RDFchOT4i0.exe	Get hash	malicious	Unknown	Browse	13.59.156.167
	DnauGgOFTX.elf	Get hash	malicious	Moobot, Okiru	Browse	34.254.182.186
	https://www.steampowered.solutions/	Get hash	malicious	Unknown	Browse	54.76.79.16
	https://verfolgung-lieferung.net/	Get hash	malicious	Unknown	Browse	13.225.214.56
	https://wall.page/jcw7sZ	Get hash	malicious	Unknown	Browse	35.179.36.99
	Psoriasis	Get hash	malicious	Unknown	Browse	54.70.175.13
	4NnBaAMXoc.elf	Get hash	malicious	Mirai, Moobot, Okiru	Browse	35.152.84.43
	sQSqM58mvl.elf	Get hash	malicious	Mirai, Moobot, Okiru	Browse	34.247.74.11
	https://palmettoanimalclinic.aweb.page/p/0ac693e3-6f85-4fd6-86d7-f770e6e73d32	Get hash	malicious	Unknown	Browse	52.217.194.240
	https://rise.articulate.com/share/zO8B8EFq4bxdit8kVRcUzBOZMbkl1WSz#/lessons/2GyyR-D75sLlZcXDanN5dOaLxSSkgNvo	Get hash	malicious	HTMLPhisher	Browse	108.156.83.19
AMAZON-02US	RDFchOT4i0.exe	Get hash	malicious	Unknown	Browse	13.59.156.167
	DnauGgOFTX.elf	Get hash	malicious	Moobot, Okiru	Browse	34.254.182.186
	https://www.steampowered.solutions/	Get hash	malicious	Unknown	Browse	54.76.79.16
	https://verfolgung-lieferung.net/	Get hash	malicious	Unknown	Browse	13.225.214.56
	https://wall.page/jcw7sZ	Get hash	malicious	Unknown	Browse	35.179.36.99
	Psoriasis	Get hash	malicious	Unknown	Browse	54.70.175.13
	4NnBaAMXoc.elf	Get hash	malicious	Mirai, Moobot, Okiru	Browse	35.152.84.43
	sQSqM58mvl.elf	Get hash	malicious	Mirai, Moobot, Okiru	Browse	34.247.74.11
	https://palmettoanimalclinic.aweb.page/p/0ac693e3-6f85-4fd6-86d7-f770e6e73d32	Get hash	malicious	Unknown	Browse	52.217.194.240
	https://rise.articulate.com/share/zO8B8EFq4bxdit8kVRcUzBOZMbkl1WSz#/lessons/2GyyR-D75sLlZcXDanN5dOaLxSSkgNvo	Get hash	malicious	HTMLPhisher	Browse	108.156.83.19

Process:	C:\Users\user\AppData\Local\Temp\server.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.5653601314847645
Encrypted:	false
SSDEEP:	768:8Y3Jwmm6h1ychQVHwUM7k+rhHX9/NhUQBi0yXxrjEtCdnl2pi1Rz4Rk39sGdpTgM:Nw76rCHwB4+r9ptcjEwzGi1dDtDTgS
MD5:	59BC430C7E94EDA88BA59FC1FA3D2C0C
SHA1:	7AF6F4BD5D7C38AD87432785344F3016E873B151
SHA-256:	3477C51B4DB8004874EEB950FCED5E89D636B4AD123595CA403F8FCA5C430498
SHA-512:	578F3B0C79A83BF85ED945DD6FF8E3F6469CE40BFBF7058849F6901A64E12719C73A98FEDB3D877AC9B8E7A4FB1AA72186431F7AD933C1E705D6298D33FF2B07
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Umbrella.flv.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Umbrella.flv.exe, Author: unknown Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Umbrella.flv.exe, Author: Florian Roth Rule: Njrat, Description: detect njRAT in memory, Source: C:\Umbrella.flv.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Umbrella.flv.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 84% Antivirus: Virustotal, Detection: 71%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L... ..e.................p.............. ........@.. ....................................@.................................t...W.................................................................................... ............... ..H............text....n... ...p.................. ..`.reloc...............r..............@..B................................................................H...........\...........................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\JawnEmT6S2.exe.log

Download File

Process:	C:\Users\user\Desktop\JawnEmT6S2.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.259753436570609
Encrypted:	false
SSDEEP:	12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
MD5:	260E01CC001F9C4643CA7A62F395D747
SHA1:	492AD0ACE3A9C8736909866EEA168962D418BE5A
SHA-256:	4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
SHA-512:	01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..

C:\Users\user\AppData\Local\Temp\server.exe

Download File

Process:	C:\Users\user\Desktop\JawnEmT6S2.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.5653601314847645
Encrypted:	false
SSDEEP:	768:8Y3Jwmm6h1ychQVHwUM7k+rhHX9/NhUQBi0yXxrjEtCdnl2pi1Rz4Rk39sGdpTgM:Nw76rCHwB4+r9ptcjEwzGi1dDtDTgS
MD5:	59BC430C7E94EDA88BA59FC1FA3D2C0C
SHA1:	7AF6F4BD5D7C38AD87432785344F3016E873B151
SHA-256:	3477C51B4DB8004874EEB950FCED5E89D636B4AD123595CA403F8FCA5C430498
SHA-512:	578F3B0C79A83BF85ED945DD6FF8E3F6469CE40BFBF7058849F6901A64E12719C73A98FEDB3D877AC9B8E7A4FB1AA72186431F7AD933C1E705D6298D33FF2B07
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Local\Temp\server.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\server.exe, Author: unknown Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\server.exe, Author: Florian Roth Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Local\Temp\server.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Local\Temp\server.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 84% Antivirus: Virustotal, Detection: 71%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L... ..e.................p.............. ........@.. ....................................@.................................t...W.................................................................................... ............... ..H............text....n... ...p.................. ..`.reloc...............r..............@..B................................................................H...........\...........................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Epic Games.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\server.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.5653601314847645
Encrypted:	false
SSDEEP:	768:8Y3Jwmm6h1ychQVHwUM7k+rhHX9/NhUQBi0yXxrjEtCdnl2pi1Rz4Rk39sGdpTgM:Nw76rCHwB4+r9ptcjEwzGi1dDtDTgS
MD5:	59BC430C7E94EDA88BA59FC1FA3D2C0C
SHA1:	7AF6F4BD5D7C38AD87432785344F3016E873B151
SHA-256:	3477C51B4DB8004874EEB950FCED5E89D636B4AD123595CA403F8FCA5C430498
SHA-512:	578F3B0C79A83BF85ED945DD6FF8E3F6469CE40BFBF7058849F6901A64E12719C73A98FEDB3D877AC9B8E7A4FB1AA72186431F7AD933C1E705D6298D33FF2B07
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Epic Games.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Epic Games.exe, Author: unknown Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Epic Games.exe, Author: Florian Roth Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Epic Games.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Epic Games.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 84% Antivirus: Virustotal, Detection: 71%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L... ..e.................p.............. ........@.. ....................................@.................................t...W.................................................................................... ............... ..H............text....n... ...p.................. ..`.reloc...............r..............@..B................................................................H...........\...........................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bd45e682ad8a06dcb9168f1be41d3129Epic Games.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\server.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.5653601314847645
Encrypted:	false
SSDEEP:	768:8Y3Jwmm6h1ychQVHwUM7k+rhHX9/NhUQBi0yXxrjEtCdnl2pi1Rz4Rk39sGdpTgM:Nw76rCHwB4+r9ptcjEwzGi1dDtDTgS
MD5:	59BC430C7E94EDA88BA59FC1FA3D2C0C
SHA1:	7AF6F4BD5D7C38AD87432785344F3016E873B151
SHA-256:	3477C51B4DB8004874EEB950FCED5E89D636B4AD123595CA403F8FCA5C430498
SHA-512:	578F3B0C79A83BF85ED945DD6FF8E3F6469CE40BFBF7058849F6901A64E12719C73A98FEDB3D877AC9B8E7A4FB1AA72186431F7AD933C1E705D6298D33FF2B07
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bd45e682ad8a06dcb9168f1be41d3129Epic Games.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bd45e682ad8a06dcb9168f1be41d3129Epic Games.exe, Author: unknown Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bd45e682ad8a06dcb9168f1be41d3129Epic Games.exe, Author: Florian Roth Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bd45e682ad8a06dcb9168f1be41d3129Epic Games.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bd45e682ad8a06dcb9168f1be41d3129Epic Games.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 84% Antivirus: Virustotal, Detection: 71%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L... ..e.................p.............. ........@.. ....................................@.................................t...W.................................................................................... ............... ..H............text....n... ...p.................. ..`.reloc...............r..............@..B................................................................H...........\...........................................................&.(......*..(.......s.........s ........s!........s"..........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0.............(....(.....+.....0............(.....+...0................(.....+...0............(.....+...0.. ...................,.(...+.+.+....+....0...........................*..(..........0..&........~..............,.(...+.

C:\Users\user\AppData\Roaming\app

Download File

Process:	C:\Users\user\Desktop\JawnEmT6S2.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	5
Entropy (8bit):	2.321928094887362
Encrypted:	false
SSDEEP:	3:h:h
MD5:	C60FEEBD511C87B86DEA130692995A0F
SHA1:	D64447A8B3D8949CAB5A1F8D168F7C6FEE6B6A0A
SHA-256:	632994320C04707E7EF564B3E983A694170561659552A24DFE14A922DCF0F511
SHA-512:	BF03FBF3329C6F7A21ECD620319EF1A6F676B22A27AFD24AAB546483C3FE5F6EEE7BBCFDC14C5F6626957F2B96519BDD21AAEA45D74A80253FA4220C8C12DF7C
Malicious:	false
Reputation:	low
Preview:	.27

C:\autorun.inf

Download File

Process:	C:\Users\user\AppData\Local\Temp\server.exe
File Type:	Microsoft Windows Autorun file
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.474554204780528
Encrypted:	false
SSDEEP:	3:It1KV2PHQCyK0x:e1KAwCyD
MD5:	40B1630BE21F39CB17BD1963CAE5A207
SHA1:	63C14BD151D42820DD45C033363FA5B9E1D34124
SHA-256:	F87E55F1A423B65FD639146F71F6027DBD4D6E69B65D9A17F1744774AA6589E1
SHA-512:	833112ED4A9A3C621D2FFFC78F83502B2937B82A2CF9BC692D75D907CE2AA46C2D97CFE23C402DB3292B2DD2655FF8692C3CD00D5BA4D792C3D8AF24958E1926
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	[autorun]..open=C:\Umbrella.flv.exe..shellexecute=C:\..

\Device\ConDrv

Download File

Process:	C:\Windows\SysWOW64\netsh.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	313
Entropy (8bit):	4.971939296804078
Encrypted:	false
SSDEEP:	6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
MD5:	689E2126A85BF55121488295EE068FA1
SHA1:	09BAAA253A49D80C18326DFBCA106551EBF22DD6
SHA-256:	D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
SHA-512:	C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
Malicious:	false
Preview:	..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.5653601314847645
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	JawnEmT6S2.exe
File size:	95'232 bytes
MD5:	59bc430c7e94eda88ba59fc1fa3d2c0c
SHA1:	7af6f4bd5d7c38ad87432785344f3016e873b151
SHA256:	3477c51b4db8004874eeb950fced5e89d636b4ad123595ca403f8fca5c430498
SHA512:	578f3b0c79a83bf85ed945dd6ff8e3f6469ce40bfbf7058849f6901a64e12719c73a98fedb3d877ac9b8e7a4fb1aa72186431f7ad933c1e705d6298d33ff2b07
SSDEEP:	768:8Y3Jwmm6h1ychQVHwUM7k+rhHX9/NhUQBi0yXxrjEtCdnl2pi1Rz4Rk39sGdpTgM:Nw76rCHwB4+r9ptcjEwzGi1dDtDTgS
TLSH:	B893C84977E52564E0BF56F79871F2004F38B4871602E79E48F219AA1A33AC44F85FEB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L... ..e.................p............... ........@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x418ece
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x65D7FA20 [Fri Feb 23 01:51:28 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x18e74	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x16ed4	0x17000	2ef6a2c0830dbb3c1e27b1df5c408a00	False	0.368110988451087	data	5.597045294786274	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0x1a000	0xc	0x200	e522aa3f02fe9db9653a57047c62df03	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/27/24-04:38:38.307737	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49738	10250	192.168.2.4	3.124.67.191
04/27/24-04:40:41.338997	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49739	10250	192.168.2.4	3.124.67.191
04/27/24-04:40:41.169696	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49739	10250	192.168.2.4	3.124.67.191
04/27/24-04:37:16.009989	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49730	10250	192.168.2.4	3.125.188.168
04/27/24-04:37:16.009989	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49730	10250	192.168.2.4	3.125.188.168
04/27/24-04:40:47.691759	TCP	2825564	ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)	49739	10250	192.168.2.4	3.124.67.191
04/27/24-04:38:38.479153	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49738	10250	192.168.2.4	3.124.67.191
04/27/24-04:40:47.691759	TCP	2814860	ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)	49739	10250	192.168.2.4	3.124.67.191
04/27/24-04:37:07.124534	TCP	2814856	ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)	49730	10250	192.168.2.4	3.125.188.168
04/27/24-04:37:06.953679	TCP	2033132	ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)	49730	10250	192.168.2.4	3.125.188.168

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 27, 2024 04:37:06.300153971 CEST	49730	10250	192.168.2.4	3.125.188.168
Apr 27, 2024 04:37:06.470803976 CEST	10250	49730	3.125.188.168	192.168.2.4
Apr 27, 2024 04:37:06.470911980 CEST	49730	10250	192.168.2.4	3.125.188.168
Apr 27, 2024 04:37:06.953679085 CEST	49730	10250	192.168.2.4	3.125.188.168
Apr 27, 2024 04:37:07.124347925 CEST	10250	49730	3.125.188.168	192.168.2.4
Apr 27, 2024 04:37:07.124533892 CEST	49730	10250	192.168.2.4	3.125.188.168
Apr 27, 2024 04:37:07.295502901 CEST	10250	49730	3.125.188.168	192.168.2.4
Apr 27, 2024 04:37:16.009989023 CEST	49730	10250	192.168.2.4	3.125.188.168
Apr 27, 2024 04:37:16.182766914 CEST	10250	49730	3.125.188.168	192.168.2.4
Apr 27, 2024 04:37:31.234436989 CEST	10250	49730	3.125.188.168	192.168.2.4
Apr 27, 2024 04:37:31.234580040 CEST	49730	10250	192.168.2.4	3.125.188.168
Apr 27, 2024 04:37:46.406369925 CEST	10250	49730	3.125.188.168	192.168.2.4
Apr 27, 2024 04:37:46.406466961 CEST	49730	10250	192.168.2.4	3.125.188.168
Apr 27, 2024 04:38:01.582392931 CEST	10250	49730	3.125.188.168	192.168.2.4
Apr 27, 2024 04:38:01.582519054 CEST	49730	10250	192.168.2.4	3.125.188.168
Apr 27, 2024 04:38:16.806535959 CEST	10250	49730	3.125.188.168	192.168.2.4
Apr 27, 2024 04:38:16.806606054 CEST	49730	10250	192.168.2.4	3.125.188.168
Apr 27, 2024 04:38:31.983467102 CEST	10250	49730	3.125.188.168	192.168.2.4
Apr 27, 2024 04:38:31.983550072 CEST	49730	10250	192.168.2.4	3.125.188.168
Apr 27, 2024 04:38:36.001344919 CEST	10250	49730	3.125.188.168	192.168.2.4
Apr 27, 2024 04:38:36.001435995 CEST	49730	10250	192.168.2.4	3.125.188.168
Apr 27, 2024 04:38:38.008074045 CEST	49730	10250	192.168.2.4	3.125.188.168
Apr 27, 2024 04:38:38.128222942 CEST	49738	10250	192.168.2.4	3.124.67.191
Apr 27, 2024 04:38:38.178622007 CEST	10250	49730	3.125.188.168	192.168.2.4
Apr 27, 2024 04:38:38.301223993 CEST	10250	49738	3.124.67.191	192.168.2.4
Apr 27, 2024 04:38:38.301302910 CEST	49738	10250	192.168.2.4	3.124.67.191
Apr 27, 2024 04:38:38.307737112 CEST	49738	10250	192.168.2.4	3.124.67.191
Apr 27, 2024 04:38:38.479065895 CEST	10250	49738	3.124.67.191	192.168.2.4
Apr 27, 2024 04:38:38.479152918 CEST	49738	10250	192.168.2.4	3.124.67.191
Apr 27, 2024 04:38:38.649776936 CEST	10250	49738	3.124.67.191	192.168.2.4
Apr 27, 2024 04:38:53.650569916 CEST	10250	49738	3.124.67.191	192.168.2.4
Apr 27, 2024 04:38:53.650625944 CEST	49738	10250	192.168.2.4	3.124.67.191
Apr 27, 2024 04:39:24.082606077 CEST	10250	49738	3.124.67.191	192.168.2.4
Apr 27, 2024 04:39:24.082683086 CEST	49738	10250	192.168.2.4	3.124.67.191
Apr 27, 2024 04:39:39.254786968 CEST	10250	49738	3.124.67.191	192.168.2.4
Apr 27, 2024 04:39:39.254890919 CEST	49738	10250	192.168.2.4	3.124.67.191
Apr 27, 2024 04:39:54.426706076 CEST	10250	49738	3.124.67.191	192.168.2.4
Apr 27, 2024 04:39:54.426858902 CEST	49738	10250	192.168.2.4	3.124.67.191
Apr 27, 2024 04:40:09.650949955 CEST	10250	49738	3.124.67.191	192.168.2.4
Apr 27, 2024 04:40:09.651032925 CEST	49738	10250	192.168.2.4	3.124.67.191
Apr 27, 2024 04:40:24.827370882 CEST	10250	49738	3.124.67.191	192.168.2.4
Apr 27, 2024 04:40:24.827429056 CEST	49738	10250	192.168.2.4	3.124.67.191
Apr 27, 2024 04:40:38.876118898 CEST	10250	49738	3.124.67.191	192.168.2.4
Apr 27, 2024 04:40:38.876207113 CEST	49738	10250	192.168.2.4	3.124.67.191
Apr 27, 2024 04:40:40.879837990 CEST	49738	10250	192.168.2.4	3.124.67.191
Apr 27, 2024 04:40:40.991209030 CEST	49739	10250	192.168.2.4	3.124.67.191
Apr 27, 2024 04:40:41.050489902 CEST	10250	49738	3.124.67.191	192.168.2.4
Apr 27, 2024 04:40:41.161664009 CEST	10250	49739	3.124.67.191	192.168.2.4
Apr 27, 2024 04:40:41.161756039 CEST	49739	10250	192.168.2.4	3.124.67.191
Apr 27, 2024 04:40:41.169696093 CEST	49739	10250	192.168.2.4	3.124.67.191
Apr 27, 2024 04:40:41.338897943 CEST	10250	49739	3.124.67.191	192.168.2.4
Apr 27, 2024 04:40:41.338996887 CEST	49739	10250	192.168.2.4	3.124.67.191
Apr 27, 2024 04:40:41.512901068 CEST	10250	49739	3.124.67.191	192.168.2.4
Apr 27, 2024 04:40:47.691759109 CEST	49739	10250	192.168.2.4	3.124.67.191
Apr 27, 2024 04:40:47.861865997 CEST	10250	49739	3.124.67.191	192.168.2.4
Apr 27, 2024 04:41:02.902108908 CEST	10250	49739	3.124.67.191	192.168.2.4
Apr 27, 2024 04:41:02.903666973 CEST	49739	10250	192.168.2.4	3.124.67.191

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 27, 2024 04:37:06.186434031 CEST	53734	53	192.168.2.4	1.1.1.1
Apr 27, 2024 04:37:06.298206091 CEST	53	53734	1.1.1.1	192.168.2.4
Apr 27, 2024 04:38:38.009110928 CEST	55304	53	192.168.2.4	1.1.1.1
Apr 27, 2024 04:38:38.099939108 CEST	53	55304	1.1.1.1	192.168.2.4
Apr 27, 2024 04:40:40.880825996 CEST	62785	53	192.168.2.4	1.1.1.1
Apr 27, 2024 04:40:40.990155935 CEST	53	62785	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 27, 2024 04:37:06.186434031 CEST	192.168.2.4	1.1.1.1	0x4b56	Standard query (0)	7.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Apr 27, 2024 04:38:38.009110928 CEST	192.168.2.4	1.1.1.1	0xf984	Standard query (0)	7.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Apr 27, 2024 04:40:40.880825996 CEST	192.168.2.4	1.1.1.1	0xc44	Standard query (0)	7.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Apr 27, 2024 04:37:06.298206091 CEST	1.1.1.1	192.168.2.4	0x4b56	No error (0)	7.tcp.eu.ngrok.io	3.125.188.168	A (IP address)	IN (0x0001)	false
Apr 27, 2024 04:38:38.099939108 CEST	1.1.1.1	192.168.2.4	0xf984	No error (0)	7.tcp.eu.ngrok.io	3.124.67.191	A (IP address)	IN (0x0001)	false
Apr 27, 2024 04:40:40.990155935 CEST	1.1.1.1	192.168.2.4	0xc44	No error (0)	7.tcp.eu.ngrok.io	3.124.67.191	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	04:36:52
Start date:	27/04/2024
Path:	C:\Users\user\Desktop\JawnEmT6S2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\JawnEmT6S2.exe"
Imagebase:	0x500000
File size:	95'232 bytes
MD5 hash:	59BC430C7E94EDA88BA59FC1FA3D2C0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000000.1620882363.0000000000502000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000000.1620882363.0000000000502000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000000.1620882363.0000000000502000.00000002.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.1663600842.0000000003AC8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000002.1663600842.0000000003AC8000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000002.1663600842.0000000003AC8000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	04:36:56
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Local\Temp\server.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\server.exe"
Imagebase:	0x10000
File size:	95'232 bytes
MD5 hash:	59BC430C7E94EDA88BA59FC1FA3D2C0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000001.00000002.4103059609.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Local\Temp\server.exe, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\server.exe, Author: unknown Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\server.exe, Author: Florian Roth Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Local\Temp\server.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Local\Temp\server.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 84%, ReversingLabs Detection: 71%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	04:36:58
Start date:	27/04/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Imagebase:	0x1560000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	04:36:58
Start date:	27/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	58
Total number of Limit Nodes:	4

Executed Functions

Function 04CD4298 Relevance: 4.4, Strings: 2, Instructions: 1950
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

|t, xrefs: 04CD53CE
@, xrefs: 04CD4C24

Memory Dump Source

Source File: 00000000.00000002.1663816528.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4cd0000_JawnEmT6S2.jbxd

Similarity

API ID:
String ID: @$|t
API String ID: 0-3910548985
Opcode ID: 3b2530a3456081c5386525fb71ae5be2d148f69b038e06fe3ee22c77e2d0aec2
Instruction ID: 319bb7c2395617a51f2294c024bab676f81987624f7130ba9205d430ae85c9e4
Opcode Fuzzy Hash: 3b2530a3456081c5386525fb71ae5be2d148f69b038e06fe3ee22c77e2d0aec2
Instruction Fuzzy Hash: 11234A74A01228CFDB25EF35D964BA9B7B2FB48304F1041EAD90967395DB399E81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04CD428F Relevance: 4.2, Strings: 2, Instructions: 1746
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 04CD4BC4
|t, xrefs: 04CD53CE

Memory Dump Source

Source File: 00000000.00000002.1663816528.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4cd0000_JawnEmT6S2.jbxd

Similarity

API ID:
String ID: $|t
API String ID: 0-1654681884
Opcode ID: 43a076d8281687248b8b9479fcc30f449ec20ca7a3ee085e21391a626fa18cc6
Instruction ID: dd28e8ff076f00437703d10ebbfabb299945dd3b22708d3a62e878cd3e3dc47c
Opcode Fuzzy Hash: 43a076d8281687248b8b9479fcc30f449ec20ca7a3ee085e21391a626fa18cc6
Instruction Fuzzy Hash: A0136D74A11228CFDB25EF35D864BA9B7B2FB48304F1041EAD90967395DB399E81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04CD3449 Relevance: 5.0, Strings: 4, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`O, xrefs: 04CD3453
XR, xrefs: 04CD34C0
HQ, xrefs: 04CD349B
P, xrefs: 04CD3476

Memory Dump Source

Source File: 00000000.00000002.1663816528.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4cd0000_JawnEmT6S2.jbxd

Similarity

API ID:
String ID: HQ$XR$`O$P
API String ID: 0-917331388
Opcode ID: ef361150a23e482fc21f178fb7820ebb781d1caaccbc04cce7a1d7e14fcac8b9
Instruction ID: d6fad6d075a467b01815bfaa955f8b0421e23eff31d1b93ccd5dde7cf8bc4883
Opcode Fuzzy Hash: ef361150a23e482fc21f178fb7820ebb781d1caaccbc04cce7a1d7e14fcac8b9
Instruction Fuzzy Hash: 29019AB5712206DFC700FB78D1498AC77E1EBC8308B10987CE6458B759EF78880ACB82

Uniqueness

Uniqueness Score: -1.00%

Function 00BFAA75 Relevance: 1.6, APIs: 1, Instructions: 92
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00BFAB25

Memory Dump Source

Source File: 00000000.00000002.1662736654.0000000000BFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bfa000_JawnEmT6S2.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5c1fce5ee307ce865985e775182318dd6b6ce131b3f95462a5fb5de062db406a
Instruction ID: 1034472a6b32c8cbcdcc94f7931cdb3e9a261c15cdda4de37436320e94b318f9
Opcode Fuzzy Hash: 5c1fce5ee307ce865985e775182318dd6b6ce131b3f95462a5fb5de062db406a
Instruction Fuzzy Hash: 453182B1504344AFE721CF25DC85F56BBF8EF05310F08889AE9498B652D375E908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00BFB036 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 00BFB0DD

Memory Dump Source

Source File: 00000000.00000002.1662736654.0000000000BFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bfa000_JawnEmT6S2.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: d69d3328607df8dedae27e885b3dfc1044cc65681a10b366152c2dad3aa296cb
Instruction ID: 010acc2c6751a7b2282c9293725182038fe384a27fc45a497c0c37a530a7716a
Opcode Fuzzy Hash: d69d3328607df8dedae27e885b3dfc1044cc65681a10b366152c2dad3aa296cb
Instruction Fuzzy Hash: 9F31B3B15093846FE721CB25DD45FA6BFF8EF06310F08849AE984CB692D375A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 00BFA6CE Relevance: 1.6, APIs: 1, Instructions: 85
comclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleGetClipboard.OLE32(?,00000E24,?,?), ref: 00BFA77E

Memory Dump Source

Source File: 00000000.00000002.1662736654.0000000000BFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bfa000_JawnEmT6S2.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 46db3aa2fc0d81c7d5995b03c6661c1cbf7ac3e42e3031ac0df289b2c082135f
Instruction ID: 614ab2680f21d59f1e86cd1e667c092c793f1b42edc6749a5509214687aa48de
Opcode Fuzzy Hash: 46db3aa2fc0d81c7d5995b03c6661c1cbf7ac3e42e3031ac0df289b2c082135f
Instruction Fuzzy Hash: 4B31807104D3C06FD3138B259C61B62BFB4EF47614F0A44DBE884CB6A3D2296919D772

Uniqueness

Uniqueness Score: -1.00%

Function 00BFAE77 Relevance: 1.6, APIs: 1, Instructions: 78
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000E24,D83BCAC2,00000000,00000000,00000000,00000000), ref: 00BFAF0D

Memory Dump Source

Source File: 00000000.00000002.1662736654.0000000000BFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bfa000_JawnEmT6S2.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3ba8bd99f3194de0ee0c3bb00bd42647f6685816cd59022fbc3067c35734162a
Instruction ID: 5b8827fc6c2ec490b7a9fb5ae5c75e12ef6fa3109ea97fb451e389393d2b4f8b
Opcode Fuzzy Hash: 3ba8bd99f3194de0ee0c3bb00bd42647f6685816cd59022fbc3067c35734162a
Instruction Fuzzy Hash: 3F21B1B2408380AFD722CB55DD44F96BFB8EF06314F09849BE9849F552D234A909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00BFAAA6 Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00BFAB25

Memory Dump Source

Source File: 00000000.00000002.1662736654.0000000000BFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bfa000_JawnEmT6S2.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ed949d76a438a5df97bfc03a56200b07315d3b3a64c5d5875acff6b5da9fe733
Instruction ID: 5e8c3efe14c2e2911eab54ff6b4f32ca03f99bfca381725494bedc7dfe25aaf9
Opcode Fuzzy Hash: ed949d76a438a5df97bfc03a56200b07315d3b3a64c5d5875acff6b5da9fe733
Instruction Fuzzy Hash: 142186B1500204AFE721CF69DD45F66FBE8EF04710F0488AAEA498B652D375F908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00BFA9BF Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(?), ref: 00BFAA44

Memory Dump Source

Source File: 00000000.00000002.1662736654.0000000000BFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bfa000_JawnEmT6S2.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: d7abbc04e0d49842d1fc297a78accc515bb394aa910b2c36edf4fd478fe7245d
Instruction ID: f0b8ac0633a745a7ba6b084c02408ad7373b850bae61c6464eb788ed57b5ea01
Opcode Fuzzy Hash: d7abbc04e0d49842d1fc297a78accc515bb394aa910b2c36edf4fd478fe7245d
Instruction Fuzzy Hash: 142139A540E3C4AFD7138B258C64A51BFB4EF53624B0E80DBD9848F6A3D1685C0DC772

Uniqueness

Uniqueness Score: -1.00%

Function 00BFAC37 Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(?,00000E24,D83BCAC2,00000000,00000000,00000000,00000000), ref: 00BFACBD

Memory Dump Source

Source File: 00000000.00000002.1662736654.0000000000BFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bfa000_JawnEmT6S2.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: aae8543f74123341a899ff131f738fd429861be8fb4250a1b5ec2a74b6b6f6d0
Instruction ID: 8701fa27c93d14a5a18a1cd1abbd4e29c3a6ca5bb535971ce4575aa9b55a0b12
Opcode Fuzzy Hash: aae8543f74123341a899ff131f738fd429861be8fb4250a1b5ec2a74b6b6f6d0
Instruction Fuzzy Hash: F621D8B54083846FE7228B15DC40BA2BFB8DF47714F0984D7F9848B693D264AD09D771

Uniqueness

Uniqueness Score: -1.00%

Function 00BFB06A Relevance: 1.6, APIs: 1, Instructions: 72
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 00BFB0DD

Memory Dump Source

Source File: 00000000.00000002.1662736654.0000000000BFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bfa000_JawnEmT6S2.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: bb6cbf9dc3f70fab3383f2c640ec66a4a8b2b6937010aea61bb4b94c84d7f259
Instruction ID: c5b5cb272f09621c3b32595c1c28ee3e151e8e7920d1e2c6d3d4f8316ab40a88
Opcode Fuzzy Hash: bb6cbf9dc3f70fab3383f2c640ec66a4a8b2b6937010aea61bb4b94c84d7f259
Instruction Fuzzy Hash: 612153B1604244AFE720DF29DD85FA6F7E8EF04314F0488AAE945DB641D775E908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00BFAB7C Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00BFABF0

Memory Dump Source

Source File: 00000000.00000002.1662736654.0000000000BFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bfa000_JawnEmT6S2.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: f1c7ff85c96590c13e9cd3a5eb647ed670b61d425a57ae8e40b432efae5264ec
Instruction ID: 34f1e753768f7587e49661422ff58cb4b23cb35e4510ec23c0ce51fb46d1b32c
Opcode Fuzzy Hash: f1c7ff85c96590c13e9cd3a5eb647ed670b61d425a57ae8e40b432efae5264ec
Instruction Fuzzy Hash: 5F21C2B55093C09FDB128F29DC95652BFB8EF07320F0984DBDD858F6A3D2649908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00BFA61E Relevance: 1.6, APIs: 1, Instructions: 65
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(?), ref: 00BFA690

Memory Dump Source

Source File: 00000000.00000002.1662736654.0000000000BFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bfa000_JawnEmT6S2.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 5a075b0d87e1e8288667edb0eb300610a633f9839d6aa289c46809baa1c16acd
Instruction ID: a1fc53dfe3a97a2c15d6f12853c7260a5d380f0ef77d630de78d2db6e0c21959
Opcode Fuzzy Hash: 5a075b0d87e1e8288667edb0eb300610a633f9839d6aa289c46809baa1c16acd
Instruction Fuzzy Hash: EE2115B15093C46FDB128B259C94A52BFB4DF07224F0984DBD9848F6A3D2699908CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00BFA573 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00BFA5DE

Memory Dump Source

Source File: 00000000.00000002.1662736654.0000000000BFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bfa000_JawnEmT6S2.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6676a00b97c95389d0846d427cd6a72cb15741c1488beaef06e9b630aee8f64b
Instruction ID: a22bfcf88e4345a9dc117ee5b9f2c48b967024b0538f380dcac66e2003afbcc3
Opcode Fuzzy Hash: 6676a00b97c95389d0846d427cd6a72cb15741c1488beaef06e9b630aee8f64b
Instruction Fuzzy Hash: 2111B771404380AFDB228F55DC44B62FFF4EF4A310F0888DAED858B552C235A918DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00BFAEAE Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000E24,D83BCAC2,00000000,00000000,00000000,00000000), ref: 00BFAF0D

Memory Dump Source

Source File: 00000000.00000002.1662736654.0000000000BFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bfa000_JawnEmT6S2.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 9facdf4dab03aa7c5efeae232f9edb35745b11e0a491a181483ff413cc2c04d5
Instruction ID: 5c1f0b82e8856191f6febbba40a2d5e7d66133eb10eec16d9c3c2e174d029e1f
Opcode Fuzzy Hash: 9facdf4dab03aa7c5efeae232f9edb35745b11e0a491a181483ff413cc2c04d5
Instruction Fuzzy Hash: 2C11B6B1500204AFE721CF55DD84FA6FBE8EF04314F0488AAEA499BA51D374A508CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00BFB424 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 00BFB480

Memory Dump Source

Source File: 00000000.00000002.1662736654.0000000000BFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bfa000_JawnEmT6S2.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: c1a151e89756fc99b473a92d3f95f12cc035ca7faf0574cfde6a2aaab02635c2
Instruction ID: 450e5cea43e3c800798eb11f2cdff91943932d7414a82e807882a83a50abc999
Opcode Fuzzy Hash: c1a151e89756fc99b473a92d3f95f12cc035ca7faf0574cfde6a2aaab02635c2
Instruction Fuzzy Hash: C51160715093849FD712CF25DD94B52BFF8DF46220F0884EAED89CB653D268A908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00BFAC6A Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,D83BCAC2,00000000,00000000,00000000,00000000), ref: 00BFACBD

Memory Dump Source

Source File: 00000000.00000002.1662736654.0000000000BFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bfa000_JawnEmT6S2.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: ed8c5921a8e2b052de1692f9ba2df3bc430781ae1cb0ef243b475ecab7abafae
Instruction ID: f7b6b0edea5306c386686d5eb58c345eda1229b70a6f84202da744ee5cd28637
Opcode Fuzzy Hash: ed8c5921a8e2b052de1692f9ba2df3bc430781ae1cb0ef243b475ecab7abafae
Instruction Fuzzy Hash: A801C4B1500204AFE720CB09DD85BB6B7E8DF04724F14C4A6EE088B741D774A948CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00BFB446 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 00BFB480

Memory Dump Source

Source File: 00000000.00000002.1662736654.0000000000BFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bfa000_JawnEmT6S2.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: 19f028a8f99688954b3bb21f8b7f96d78f2005cba266c80b905a9b60ebf09110
Instruction ID: 8f20e5a8f2db858d138fdd8126fed38784852dc36bee3cee8a80b92bafc98917
Opcode Fuzzy Hash: 19f028a8f99688954b3bb21f8b7f96d78f2005cba266c80b905a9b60ebf09110
Instruction Fuzzy Hash: C90140716042449FDB10CF1ADA85B66FBE4EF04721F08C4AADE49CB756D778E908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00BFA59A Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00BFA5DE

Memory Dump Source

Source File: 00000000.00000002.1662736654.0000000000BFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bfa000_JawnEmT6S2.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 81379758b7a11370cd650541e0bd373057b4e74b864d169579113abd50fd2538
Instruction ID: bb1ba802f783f8ce2cbef4f986881e9eb5747716d3649d546131fea826cce427
Opcode Fuzzy Hash: 81379758b7a11370cd650541e0bd373057b4e74b864d169579113abd50fd2538
Instruction Fuzzy Hash: 42016172500604AFDB21CF55D944B66FFE0EF48720F08C9AADE498BA52D375E418DF62

Uniqueness

Uniqueness Score: -1.00%

Function 00BFABBE Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00BFABF0

Memory Dump Source

Source File: 00000000.00000002.1662736654.0000000000BFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bfa000_JawnEmT6S2.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: b6a00507f5ece4a39795d86a1c0cb4527a0aa0411fe9de1c486f17b4ac8cd8c0
Instruction ID: 6d347aeb90bc9cb3416870ce0814710cdfc19409fe0dca6f4f116485f5517745
Opcode Fuzzy Hash: b6a00507f5ece4a39795d86a1c0cb4527a0aa0411fe9de1c486f17b4ac8cd8c0
Instruction Fuzzy Hash: D8018FB56042449FDB20CF1ADD85766FBE4DF04321F08C4AADE498BA56D279E908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00BFA72E Relevance: 1.5, APIs: 1, Instructions: 43comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?,00000E24,?,?), ref: 00BFA77E

Memory Dump Source

Source File: 00000000.00000002.1662736654.0000000000BFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bfa000_JawnEmT6S2.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: c4f7c4b9133b4e910f2617f7e4b0eee0e17f46cafddbf5c3f264c5038a038100
Instruction ID: 54dc5cbb0edce85af61f8192ddc12e3cb072a1fb0574450342051566b5912b3a
Opcode Fuzzy Hash: c4f7c4b9133b4e910f2617f7e4b0eee0e17f46cafddbf5c3f264c5038a038100
Instruction Fuzzy Hash: C301D671600600AFD320DF1ACD46B66FBE8FB88A20F148159EC089BB41D771F915CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00BFA65E Relevance: 1.5, APIs: 1, Instructions: 39comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 00BFA690

Memory Dump Source

Source File: 00000000.00000002.1662736654.0000000000BFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bfa000_JawnEmT6S2.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: ffd1700344ba8ffa38b9f115dca67f1e5141bc8b7550c8ec8204849011f71048
Instruction ID: ec9a76843211c036a6f5afd5f92dafd406833d1985676554c267b229353e353d
Opcode Fuzzy Hash: ffd1700344ba8ffa38b9f115dca67f1e5141bc8b7550c8ec8204849011f71048
Instruction Fuzzy Hash: BC0162B1504244AFDB20CF59D984766FBE4DF44321F0CC4EADD498F656D279A908CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00BFAA12 Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00BFAA44

Memory Dump Source

Source File: 00000000.00000002.1662736654.0000000000BFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bfa000_JawnEmT6S2.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 0e9155dc19249e09466dd8797c67431559d2c718db268821fc8aba1353c5dc6c
Instruction ID: 3ca4d17e30d813c0bbb18c464dedd7b9447cb4630484aa314df4f5e79dc303f2
Opcode Fuzzy Hash: 0e9155dc19249e09466dd8797c67431559d2c718db268821fc8aba1353c5dc6c
Instruction Fuzzy Hash: 60F0A4755006449FDB20CF09DA84765FBE0DF04725F08C0EADE494BB52D279A90CCF62

Uniqueness

Uniqueness Score: -1.00%

Function 04CD3801 Relevance: .5, Instructions: 500COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663816528.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4cd0000_JawnEmT6S2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f33b5a9b33e72971e6d7fd5df22ca2ac31da31e653cd99af5efd3b4177bd7fb5
Instruction ID: 8aa4b9e6f5d2ef5f76dec80050bbbef233610b6e4d1db1103b5b89a3f37b56b7
Opcode Fuzzy Hash: f33b5a9b33e72971e6d7fd5df22ca2ac31da31e653cd99af5efd3b4177bd7fb5
Instruction Fuzzy Hash: 43324A30A10218CFDB24EF75D855BEDB7B2EB48304F1045AAD509AB3A5DB799E85CF80

Uniqueness

Uniqueness Score: -1.00%

Function 04CD39BF Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663816528.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4cd0000_JawnEmT6S2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b981d7581f684bfcdcf36d1c904740997f80de393f67ed49bdb0ae9ae618215
Instruction ID: be5c56dccc185afe68f9c48d4d851ff4147b2a9f419a93dbebd289543317169e
Opcode Fuzzy Hash: 5b981d7581f684bfcdcf36d1c904740997f80de393f67ed49bdb0ae9ae618215
Instruction Fuzzy Hash: 70815B30A002588FDB14EFB4D851BECB7B2EF85308F1045AAD50AAB2A4DB799D85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04CD3B18 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663816528.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4cd0000_JawnEmT6S2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09e4b0bf885725e59bd51b91421dfd3e69f30fa085a1c4bc3a20fa19086aa2ff
Instruction ID: 0fb859a95c219c336e6002e08f254cf798a61971fb8a924f7f24f3f90066c9d8
Opcode Fuzzy Hash: 09e4b0bf885725e59bd51b91421dfd3e69f30fa085a1c4bc3a20fa19086aa2ff
Instruction Fuzzy Hash: 39417F30A00258CFDB14EFB5D911BECB7B2EF44308F1041AAD009AB2A5DB795E84CF52

Uniqueness

Uniqueness Score: -1.00%

Function 04CD3520 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663816528.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4cd0000_JawnEmT6S2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3ca7ef8e65c548efbc7030b557a424540f6c6b0b1a4122fb0f5dd5cb97989f1
Instruction ID: 0453ea56ebef32bf91c5a0f27416519ca31990d4c221aaebdc60cea7e7372e7b
Opcode Fuzzy Hash: d3ca7ef8e65c548efbc7030b557a424540f6c6b0b1a4122fb0f5dd5cb97989f1
Instruction Fuzzy Hash: 1D31A030B102115FDB14BB7AD8127BE72A7EF88208F14443AD506977A5DF39A9168BD1

Uniqueness

Uniqueness Score: -1.00%

Function 04CD0006 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663816528.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4cd0000_JawnEmT6S2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4afc841993e88e2beb27dd3ba5dddcff809e32c1e0595716df81d01c0a18113
Instruction ID: 4b1037ad9a3cbbf74def2819be55397e7dd5125306841e329dc86afdd7616d82
Opcode Fuzzy Hash: d4afc841993e88e2beb27dd3ba5dddcff809e32c1e0595716df81d01c0a18113
Instruction Fuzzy Hash: 4011EEA140F3C25FD7034B3298652943F70AF53218B4A45EBD080CBAA7E29C1A0EDB62

Uniqueness

Uniqueness Score: -1.00%

Function 04CD0123 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663816528.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4cd0000_JawnEmT6S2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 319cfd444f7a0d264f64bb98a70f50480764c5b84474565071674b8b7635cf41
Instruction ID: 27e435adef8ea3034abe0c4c4b85ca47fd7caddb8ab8bb2b0d709959c08ca95b
Opcode Fuzzy Hash: 319cfd444f7a0d264f64bb98a70f50480764c5b84474565071674b8b7635cf41
Instruction Fuzzy Hash: 7401C0317042405FC324F77AA462AAD23979BC6348724587DD001AB796CFAE9C0E8792

Uniqueness

Uniqueness Score: -1.00%

Function 04CD0128 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663816528.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4cd0000_JawnEmT6S2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7579010ae830f6c4ccdf950854bed4aaee5ab11c8f4b49e7a2c765bc2bb8dc1e
Instruction ID: 21591cee7b3fdb7d1287407a663a936a72fbf85c16f97d9e0a1a9367f604c48f
Opcode Fuzzy Hash: 7579010ae830f6c4ccdf950854bed4aaee5ab11c8f4b49e7a2c765bc2bb8dc1e
Instruction Fuzzy Hash: CB0192317002005BC324F77A9462AA9228B97C6348754587DD001AB795CFBD9C4A87D2

Uniqueness

Uniqueness Score: -1.00%

Function 00E005E0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1662982392.0000000000E00000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_JawnEmT6S2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e697f070ba4ad4e6c58f50f21aae86e16e4f6be02add991ee8c9fff890569a4
Instruction ID: 468ffeb89d20e94ddd2ee2a86b08316fc239d398d9df2b4c09549f66f47a1b49
Opcode Fuzzy Hash: 0e697f070ba4ad4e6c58f50f21aae86e16e4f6be02add991ee8c9fff890569a4
Instruction Fuzzy Hash: C2F08BB65097806FD711CF15DC40863FFA8DB46620709C49FFC498B652D125A904C775

Uniqueness

Uniqueness Score: -1.00%

Function 04CD00B8 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663816528.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4cd0000_JawnEmT6S2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 369e3bc36c5880751943ae371692de5b36ed530611e1d662651e80d019c6ffaa
Instruction ID: 579310486763a55d087d122ca49d4f2a61cce5ddfc5099ded978ba0e7c253d19
Opcode Fuzzy Hash: 369e3bc36c5880751943ae371692de5b36ed530611e1d662651e80d019c6ffaa
Instruction Fuzzy Hash: A6F0F631A44344AFEB05DB708C12BAE7F779F82214F1485AAD645DB1D2DA355842C391

Uniqueness

Uniqueness Score: -1.00%

Function 04CD00B3 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663816528.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4cd0000_JawnEmT6S2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9768b9337782833abc6f108a3b01bf9d6362f35ee5e66f8e39a639633b4b96cb
Instruction ID: 6a7063139bef533c79bfacbcd867c5064125d2118bfab18fceaeb4f4c7c1594f
Opcode Fuzzy Hash: 9768b9337782833abc6f108a3b01bf9d6362f35ee5e66f8e39a639633b4b96cb
Instruction Fuzzy Hash: 8DF0B431A40304ABEF14DAB49852BEE7B629B80314F20816DD506AB1C0DA3259418780

Uniqueness

Uniqueness Score: -1.00%

Function 00E00606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1662982392.0000000000E00000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_JawnEmT6S2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24d3e9b3a8d44720f1e4cab98bfa59730f1cf3b9a58ead8a797f9e3aaf6e0ac1
Instruction ID: e54691cfdabf1c3b4d204072c1349767c3453b8527b8bf01a73448d4d0362fa4
Opcode Fuzzy Hash: 24d3e9b3a8d44720f1e4cab98bfa59730f1cf3b9a58ead8a797f9e3aaf6e0ac1
Instruction Fuzzy Hash: A5E092B66006005FD660CF0EEC41456F7D8EB84630B08C47FDC0D8BB01E276B909CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 00BF23F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1662723254.0000000000BF2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf2000_JawnEmT6S2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e35946aa9a22ed60fa895130d7835fd2a96bdf7bded551860ac7cb217fd4eef
Instruction ID: 9e199c621e02cfff953e9f35f60a1208cb23faf3ce224097e36ffb1efc202c7e
Opcode Fuzzy Hash: 5e35946aa9a22ed60fa895130d7835fd2a96bdf7bded551860ac7cb217fd4eef
Instruction Fuzzy Hash: E7D02E392006C04FD3238B0CC2A5BA537D4AB80704F0A04FAA800CB763C7A8D884C200

Uniqueness

Uniqueness Score: -1.00%

Function 04CD36B1 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663816528.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4cd0000_JawnEmT6S2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04985d5a4c898a773fd1dc10cb05f2647d29896fff599bdf42a7e8e5a5911c38
Instruction ID: ef6d396547be75f5f07beb07795460a821c65ea43ee68a350b3564749072e641
Opcode Fuzzy Hash: 04985d5a4c898a773fd1dc10cb05f2647d29896fff599bdf42a7e8e5a5911c38
Instruction Fuzzy Hash: 22D0C770262314CFC71D2B74A41982D336AAB8930D35004BDD8065B764DF7AD456CA81

Uniqueness

Uniqueness Score: -1.00%

Function 00BF23BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1662723254.0000000000BF2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf2000_JawnEmT6S2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9365664e1d67e91de23275c0a5272e2b64312bc58634eaf5d8ce89acde314ab5
Instruction ID: 902a1dc7b695a083baad8efb59eebe40314df2fca1a6fed3577620e985bf21b7
Opcode Fuzzy Hash: 9365664e1d67e91de23275c0a5272e2b64312bc58634eaf5d8ce89acde314ab5
Instruction Fuzzy Hash: 54D05E742006854FC725DB0CC2D4F6937D4AB44714F0644E8AC108B762C7B8D8C8DA00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04CD44F1 Relevance: 4.1, Strings: 2, Instructions: 1624COMMON

Download Yara Rule

Strings

, xrefs: 04CD4BC4
|t, xrefs: 04CD53CE

Memory Dump Source

Source File: 00000000.00000002.1663816528.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4cd0000_JawnEmT6S2.jbxd

Similarity

API ID:
String ID: $|t
API String ID: 0-1654681884
Opcode ID: 5063c548fb86cdc7ccbb2d66d8e0e1a243c2ea38793911506553798f0acb7c2e
Instruction ID: c4730a21a815cbee938502c71dffb0f213f5e407849728baa5e1cceeef44d9fc
Opcode Fuzzy Hash: 5063c548fb86cdc7ccbb2d66d8e0e1a243c2ea38793911506553798f0acb7c2e
Instruction Fuzzy Hash: 09035E74A11228CFDB25EF35D864BA9B7B2FB48304F1081EAD90967395DB359E81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04CD4544 Relevance: 4.1, Strings: 2, Instructions: 1618COMMON

Download Yara Rule

Strings

, xrefs: 04CD4BC4
|t, xrefs: 04CD53CE

Memory Dump Source

Source File: 00000000.00000002.1663816528.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4cd0000_JawnEmT6S2.jbxd

Similarity

API ID:
String ID: $|t
API String ID: 0-1654681884
Opcode ID: 9fe8d4bfcc5ada0a090ee9b1ec063badcc6c2d07d017f7263a68a3c9e369375a
Instruction ID: b57a77595bcc367cb83936029cdaf08c14ded7b7c2a07f08dcef8433d870d6bf
Opcode Fuzzy Hash: 9fe8d4bfcc5ada0a090ee9b1ec063badcc6c2d07d017f7263a68a3c9e369375a
Instruction Fuzzy Hash: 98036E74A11228CFDB25EF35D864BA9B7B2FB48304F1081EAD90967395DB359E81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04CD4630 Relevance: 4.1, Strings: 2, Instructions: 1579COMMON

Download Yara Rule

Strings

, xrefs: 04CD4BC4
|t, xrefs: 04CD53CE

Memory Dump Source

Source File: 00000000.00000002.1663816528.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4cd0000_JawnEmT6S2.jbxd

Similarity

API ID:
String ID: $|t
API String ID: 0-1654681884
Opcode ID: b5d20849b7cfe30e06c9b86ec134ccf6aa8695d923328cdf5148f22f619d85c2
Instruction ID: d66803cc5c2542bd4b9433feb90de1cdf008a737ee59848f0beaef3ecd95738e
Opcode Fuzzy Hash: b5d20849b7cfe30e06c9b86ec134ccf6aa8695d923328cdf5148f22f619d85c2
Instruction Fuzzy Hash: A5035E74A11228CFDB25EF35D864BA9B7B2FB48304F1041EAD90967395DB399E81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04CD470F Relevance: 4.0, Strings: 2, Instructions: 1544COMMON

Download Yara Rule

Strings

, xrefs: 04CD4BC4
|t, xrefs: 04CD53CE

Memory Dump Source

Source File: 00000000.00000002.1663816528.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4cd0000_JawnEmT6S2.jbxd

Similarity

API ID:
String ID: $|t
API String ID: 0-1654681884
Opcode ID: b33d006c7908e42f885b17a5ad340dd7fd161a9f32bd48d5864b7c405ba68ab6
Instruction ID: e155c9ffa5e3143f189e925e146a7ad0b45cf5df0e4aef61d77b4590dff54440
Opcode Fuzzy Hash: b33d006c7908e42f885b17a5ad340dd7fd161a9f32bd48d5864b7c405ba68ab6
Instruction Fuzzy Hash: C2F26E74A11228CFDB25EF35D864BA9B7B2FB48304F1081EAD90967395DB359E81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04CD47D4 Relevance: 4.0, Strings: 2, Instructions: 1513COMMON

Download Yara Rule

Strings

, xrefs: 04CD4BC4
|t, xrefs: 04CD53CE

Memory Dump Source

Source File: 00000000.00000002.1663816528.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4cd0000_JawnEmT6S2.jbxd

Similarity

API ID:
String ID: $|t
API String ID: 0-1654681884
Opcode ID: fa8e846b650249a7d0f9150906ef1cd130697c0d6f0ec95fcd03e6407ebcd612
Instruction ID: 03580d38819df68de6dffea47730c28af4c9be3c40e2feaa83be08a9b947924b
Opcode Fuzzy Hash: fa8e846b650249a7d0f9150906ef1cd130697c0d6f0ec95fcd03e6407ebcd612
Instruction Fuzzy Hash: 0EF26E74A11228CFDB25EF35D864BA9B7B2FB48304F1081EAD90967395DB359E81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04CD4936 Relevance: 4.0, Strings: 2, Instructions: 1456COMMON

Download Yara Rule

Strings

, xrefs: 04CD4BC4
|t, xrefs: 04CD53CE

Memory Dump Source

Source File: 00000000.00000002.1663816528.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4cd0000_JawnEmT6S2.jbxd

Similarity

API ID:
String ID: $|t
API String ID: 0-1654681884
Opcode ID: d1aec73484b89ceebf3d961069224822a7898a38562922b4b3e959d95369869f
Instruction ID: d75cd7a4f92d4ea44827176b48b024b04a0441bb627a940c919740a02cadab62
Opcode Fuzzy Hash: d1aec73484b89ceebf3d961069224822a7898a38562922b4b3e959d95369869f
Instruction Fuzzy Hash: B8F26D74A11228CFDB25EF35D864BA9B7B2FB48304F1081EAD90967395DB359E81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04CD499D Relevance: 3.9, Strings: 2, Instructions: 1447COMMON

Download Yara Rule

Strings

, xrefs: 04CD4BC4
|t, xrefs: 04CD53CE

Memory Dump Source

Source File: 00000000.00000002.1663816528.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4cd0000_JawnEmT6S2.jbxd

Similarity

API ID:
String ID: $|t
API String ID: 0-1654681884
Opcode ID: e1482b8c1af611d4fb7bcc472b94ed4b45debec3a25809a039934ca25a1337f9
Instruction ID: 7ef5493bd61d449b8ceb92397545268cd8f24438d302cafb3882b8ec910d7ffb
Opcode Fuzzy Hash: e1482b8c1af611d4fb7bcc472b94ed4b45debec3a25809a039934ca25a1337f9
Instruction Fuzzy Hash: 65F26D74A11228CFDB25EF35D864BA9B7B2FB48304F1081EAD90967395DB359E81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04CD49F9 Relevance: 3.9, Strings: 2, Instructions: 1440COMMON

Download Yara Rule

Strings

, xrefs: 04CD4BC4
|t, xrefs: 04CD53CE

Memory Dump Source

Source File: 00000000.00000002.1663816528.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4cd0000_JawnEmT6S2.jbxd

Similarity

API ID:
String ID: $|t
API String ID: 0-1654681884
Opcode ID: 160ba2f97ddc1b2b0fc7b7d1683b18f6b09bb97401cb31d2ba66d95a0df78338
Instruction ID: 6605cb46609450531c575fadee4afe2feb43918c3e0d33dc34175877471e9657
Opcode Fuzzy Hash: 160ba2f97ddc1b2b0fc7b7d1683b18f6b09bb97401cb31d2ba66d95a0df78338
Instruction Fuzzy Hash: 21F26D74A11228CFDB25EF35D864BA9B7B2FB48304F1081EAD90967395DB359E81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04CD4B5B Relevance: 3.9, Strings: 2, Instructions: 1383COMMON

Download Yara Rule

Strings

, xrefs: 04CD4BC4
|t, xrefs: 04CD53CE

Memory Dump Source

Source File: 00000000.00000002.1663816528.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4cd0000_JawnEmT6S2.jbxd

Similarity

API ID:
String ID: $|t
API String ID: 0-1654681884
Opcode ID: d3d01f22aa9c0b614bcde421d455ef46999462a28d695efe5cb6393de0695741
Instruction ID: 03f81c5c448ec9e13aeaf2f0a65dfe6aefcc675ca301646d4ffc0ba1c76a95a7
Opcode Fuzzy Hash: d3d01f22aa9c0b614bcde421d455ef46999462a28d695efe5cb6393de0695741
Instruction Fuzzy Hash: C0E26C74A01228CFDB25EF35D964BA9B7B2FB48304F1081EAD90967395DB359E81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04CD4C8F Relevance: 2.6, Strings: 1, Instructions: 1362COMMON

Download Yara Rule

Strings

|t, xrefs: 04CD53CE

Memory Dump Source

Source File: 00000000.00000002.1663816528.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4cd0000_JawnEmT6S2.jbxd

Similarity

API ID:
String ID: |t
API String ID: 0-1785604035
Opcode ID: 7e909590a1902f2a8fb7d369b8d78e22c84bee446babac61dbf204cd9922ad2c
Instruction ID: d54f6c8882b441d41a0d61102e490550efe77966be4b96f5064fd84a50c1fc77
Opcode Fuzzy Hash: 7e909590a1902f2a8fb7d369b8d78e22c84bee446babac61dbf204cd9922ad2c
Instruction Fuzzy Hash: DFE26D74A11228CFDB25EF35D864BA9B7B2FB48304F1081EAD90967395DB359E81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04CD4F2F Relevance: 2.5, Strings: 1, Instructions: 1245COMMON

Download Yara Rule

Strings

|t, xrefs: 04CD53CE

Memory Dump Source

Source File: 00000000.00000002.1663816528.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4cd0000_JawnEmT6S2.jbxd

Similarity

API ID:
String ID: |t
API String ID: 0-1785604035
Opcode ID: f831173ec4cd8fe2bd0f9d2ece8b872e0255bd06d36aaedaa5e6629f12412776
Instruction ID: 8d38f1cc5426d489f933c72ddd1ff5bdd0f577028532b9e75e2fe646fda90a18
Opcode Fuzzy Hash: f831173ec4cd8fe2bd0f9d2ece8b872e0255bd06d36aaedaa5e6629f12412776
Instruction Fuzzy Hash: 0DD25C74A11228CFDB25EF35D864BA9B7B2FB48304F1081EAD90967395DB359E81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04CD4F9D Relevance: 2.5, Strings: 1, Instructions: 1236COMMON

Download Yara Rule

Strings

|t, xrefs: 04CD53CE

Memory Dump Source

Source File: 00000000.00000002.1663816528.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4cd0000_JawnEmT6S2.jbxd

Similarity

API ID:
String ID: |t
API String ID: 0-1785604035
Opcode ID: 978942f8b7c10b3274a558ba30839ff2ac2f54ce90a43b8eb0e9f1cd59413b10
Instruction ID: d9abfd3e315cd6c2c3082068da06fc2cec57f4b91397cf7d23249f182922b323
Opcode Fuzzy Hash: 978942f8b7c10b3274a558ba30839ff2ac2f54ce90a43b8eb0e9f1cd59413b10
Instruction Fuzzy Hash: 30D25C74A11228CFDB25EF35D864BA9B7B2FB48304F1081EAD90967395DB359E81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04CD5000 Relevance: 2.5, Strings: 1, Instructions: 1230COMMON

Download Yara Rule

Strings

|t, xrefs: 04CD53CE

Memory Dump Source

Source File: 00000000.00000002.1663816528.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4cd0000_JawnEmT6S2.jbxd

Similarity

API ID:
String ID: |t
API String ID: 0-1785604035
Opcode ID: bd9a442cc2edabbfca2ccdd4b277792e512a32c1fe4fea190876e027403fb76b
Instruction ID: 05de0d90410581955d979b1e691fb4d331b53b079e40d23e1c07df0c46a83432
Opcode Fuzzy Hash: bd9a442cc2edabbfca2ccdd4b277792e512a32c1fe4fea190876e027403fb76b
Instruction Fuzzy Hash: C6D25C74A11228CFDB25EF35D864BA9B7B2FB48304F1081EAD90967395DB359E81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04CD505D Relevance: 2.5, Strings: 1, Instructions: 1225COMMON

Download Yara Rule

Strings

|t, xrefs: 04CD53CE

Memory Dump Source

Source File: 00000000.00000002.1663816528.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4cd0000_JawnEmT6S2.jbxd

Similarity

API ID:
String ID: |t
API String ID: 0-1785604035
Opcode ID: 50661b14c5d2226e3a7124f397bc8e32b5d6b8965aeef7030b9e01e8b4272f4b
Instruction ID: 7ce3e3344d4a995814816331806ea8b11bb7a8dcb984ca0ce6924cd97fbf96a5
Opcode Fuzzy Hash: 50661b14c5d2226e3a7124f397bc8e32b5d6b8965aeef7030b9e01e8b4272f4b
Instruction Fuzzy Hash: C1D26D74A11228CFDB25EF35D864BA9B7B2FB48304F1081EAD90967395DB359E81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04CD50E3 Relevance: 2.5, Strings: 1, Instructions: 1210COMMON

Download Yara Rule

Strings

|t, xrefs: 04CD53CE

Memory Dump Source

Source File: 00000000.00000002.1663816528.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4cd0000_JawnEmT6S2.jbxd

Similarity

API ID:
String ID: |t
API String ID: 0-1785604035
Opcode ID: bbe068ffabe40955fb4daca45a3144def869faae944fd23101dc11ab94ed15a8
Instruction ID: b32b42dfb267280c39aacc8d8cabaf274e006eee97bdb956c6e94e98e87e9ef7
Opcode Fuzzy Hash: bbe068ffabe40955fb4daca45a3144def869faae944fd23101dc11ab94ed15a8
Instruction Fuzzy Hash: 32D25D74A11228CFDB25EF35D864BA9B7B2FB48304F1081EAD90967395DB359E81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04CD536F Relevance: 2.3, Strings: 1, Instructions: 1071COMMON

Download Yara Rule

Strings

|t, xrefs: 04CD53CE

Memory Dump Source

Source File: 00000000.00000002.1663816528.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4cd0000_JawnEmT6S2.jbxd

Similarity

API ID:
String ID: |t
API String ID: 0-1785604035
Opcode ID: de81fb302780b69b72a79a1a1c0415c65d961fc5d07e1a623207c1bda323e184
Instruction ID: 07561fc0b3731315b4d0d742c7c66a82d650656ecc81480aa4397c88ae77c63b
Opcode Fuzzy Hash: de81fb302780b69b72a79a1a1c0415c65d961fc5d07e1a623207c1bda323e184
Instruction Fuzzy Hash: F5C23C74A01228CFDB25EF34D965BA9B7B2FB49304F1081EAD90967395DB359E81CF80

Uniqueness

Uniqueness Score: -1.00%

Function 04CD36F0 Relevance: 5.1, Strings: 4, Instructions: 88COMMON

Download Yara Rule

Strings

N, xrefs: 04CD375D
N, xrefs: 04CD3719
N, xrefs: 04CD37BA
N, xrefs: 04CD3780

Memory Dump Source

Source File: 00000000.00000002.1663816528.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4cd0000_JawnEmT6S2.jbxd

Similarity

API ID:
String ID: N$N$N$N
API String ID: 0-91100018
Opcode ID: d9f1cd6c658b28d7a00c926b67d6a9dad5eafa10e09ae27d3302ce502469ec87
Instruction ID: 7d397f1b3cc779fa414a0c13f0bb780c14254df42d743da088c89bdb068524f7
Opcode Fuzzy Hash: d9f1cd6c658b28d7a00c926b67d6a9dad5eafa10e09ae27d3302ce502469ec87
Instruction Fuzzy Hash: 9B2151757012499FEB20DF69C981BAA73E6FF89344F150468E901EB794EB70FD048791

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: server.exePID: 5460, Parent PID: 6596COMMON

Execution Graph

Execution Coverage:	20.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.8%
Total number of Nodes:	108
Total number of Limit Nodes:	6

Executed Functions

Function 00BF4298 Relevance: 3.2, Strings: 1, Instructions: 1950
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 00BF4C24

Memory Dump Source

Source File: 00000001.00000002.4103023942.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_server.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 0df31e6e551ea35b651c531426adf3ecf52630b9b1ceb6091c7b687a025b6592
Instruction ID: 3f7a053757f4b3141176e3fdff4776eda97838b3e46aefbb0c197e0da1fe76a3
Opcode Fuzzy Hash: 0df31e6e551ea35b651c531426adf3ecf52630b9b1ceb6091c7b687a025b6592
Instruction Fuzzy Hash: 5A234A74A01228CFDB25EF34D9A4BA9B7B2FB49304F1041E9D60967398DB399E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00BF44F1 Relevance: 2.9, Strings: 1, Instructions: 1624
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00BF4BC4

Memory Dump Source

Source File: 00000001.00000002.4103023942.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_server.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 5f244475f901af14db7c247b2e93bf93daecb051186c839c04365e7443cedd8d
Instruction ID: f4673f2dd16d987d8ef3e8982c727f7c0ddcf89e2d858242b13fba117f276774
Opcode Fuzzy Hash: 5f244475f901af14db7c247b2e93bf93daecb051186c839c04365e7443cedd8d
Instruction Fuzzy Hash: FA035E74A01228CFDB25EF34D994BA9B7B2FB49304F1041E9D60967398CB399E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00BF4630 Relevance: 2.8, Strings: 1, Instructions: 1579
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00BF4BC4

Memory Dump Source

Source File: 00000001.00000002.4103023942.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_server.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 743d6ff0d53f05ac08d945627fabd66ac1efc8588301b7cd86b5631192c042a9
Instruction ID: 0f4d90cbc9f869657e0467f5130f3100501acbbcf7658576bd206487174358a3
Opcode Fuzzy Hash: 743d6ff0d53f05ac08d945627fabd66ac1efc8588301b7cd86b5631192c042a9
Instruction Fuzzy Hash: 07035D74A01228CFDB25EF34D9A4BA9B7B2FB49304F1041E9D90967398CB399E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00BF470F Relevance: 2.8, Strings: 1, Instructions: 1544
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00BF4BC4

Memory Dump Source

Source File: 00000001.00000002.4103023942.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_server.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: ed92fd3c2f96add6a6ac46e5522b5d3753ee58357cd2d9e4590ab45356c5e483
Instruction ID: 239a32688a7f107fac21464e299aade123efd9aca1bc7e80e83fd237a6aa2f44
Opcode Fuzzy Hash: ed92fd3c2f96add6a6ac46e5522b5d3753ee58357cd2d9e4590ab45356c5e483
Instruction Fuzzy Hash: D4F25D74A01228CFDB25EF34D9A4BA9B7B2FB49304F1041E9D60967398CB399E85DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00BF47D4 Relevance: 2.8, Strings: 1, Instructions: 1513
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00BF4BC4

Memory Dump Source

Source File: 00000001.00000002.4103023942.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_server.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 64fed6230a9fb8a2dbd9242e484be6f752340b5e98000d18ee692e050016a528
Instruction ID: 7520fddf310687f051e63b75c7819a9d40f2cedeb425dd8c1629fa9f4b62daec
Opcode Fuzzy Hash: 64fed6230a9fb8a2dbd9242e484be6f752340b5e98000d18ee692e050016a528
Instruction Fuzzy Hash: 52F25C74A01128CFDB25EF34D9A4BA9B7B2FB49304F1041E9DA0967398CB395E85DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00BF4936 Relevance: 2.7, Strings: 1, Instructions: 1456
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00BF4BC4

Memory Dump Source

Source File: 00000001.00000002.4103023942.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_server.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: f21a114e998f765eceab2989255793ce3584b53aa3469928b28e6f8facf5fdcc
Instruction ID: 8629ee59ed864bfbd59ec3d952affa1888b41faf0142c8563810e47f4910d2e8
Opcode Fuzzy Hash: f21a114e998f765eceab2989255793ce3584b53aa3469928b28e6f8facf5fdcc
Instruction Fuzzy Hash: C1F25D74A01128CFDB25EF34D9A4BA9B7B2FB49304F1041E9DA0967398CB399E85DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00BF499D Relevance: 2.7, Strings: 1, Instructions: 1447
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00BF4BC4

Memory Dump Source

Source File: 00000001.00000002.4103023942.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_server.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 713a3dedd61dba8162d660e8e33b2daa3b3a17d0376ed1418f3f8d65deb49e88
Instruction ID: 8ec5e8621c85fefe0ec0e0812f63f661091a7984394cf16fa0f630d7fb4cd8df
Opcode Fuzzy Hash: 713a3dedd61dba8162d660e8e33b2daa3b3a17d0376ed1418f3f8d65deb49e88
Instruction Fuzzy Hash: B3F25D74A01128CFDB25EF34D9A4BA9B7B2FB49304F1041E9DA0967398CB399E85DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00BF49F9 Relevance: 2.7, Strings: 1, Instructions: 1440
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00BF4BC4

Memory Dump Source

Source File: 00000001.00000002.4103023942.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_server.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: dc1cbbf679402bee816adf498c3ba984b56f42ffc961ddab9849112c4b195bed
Instruction ID: 0a2783e9ec57b6709f1f3c40859aa0f0a33b622bb5efb01ce9a8635ee2f5957e
Opcode Fuzzy Hash: dc1cbbf679402bee816adf498c3ba984b56f42ffc961ddab9849112c4b195bed
Instruction Fuzzy Hash: B1F25D74A01228CFDB25EF34D9A4BA9B7B2FB49304F1041E9D90967398CB399E85DF50

Uniqueness

Uniqueness Score: -1.00%

Function 04FA00B3 Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 04FA0133

Memory Dump Source

Source File: 00000001.00000002.4109766561.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fa0000_server.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 1ec9583a788b86c763bdd89f8cf1aed02729647af0731ba8bfa212d78e3abb8c
Instruction ID: 11d887fc483f8fec9f21fab64a5b753c4635a34afd94d09cba04a9953f96fbc7
Opcode Fuzzy Hash: 1ec9583a788b86c763bdd89f8cf1aed02729647af0731ba8bfa212d78e3abb8c
Instruction Fuzzy Hash: 1B21A1B5509780AFDB228F25DC44B92BFF4EF06310F0884DAE9858F563D275A918DB62

Uniqueness

Uniqueness Score: -1.00%

Function 04FA00EA Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 04FA0133

Memory Dump Source

Source File: 00000001.00000002.4109766561.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fa0000_server.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: f69e81fe8b5d370bbf5e388f9b332e39eaa1941920932c1e00d450762887fb23
Instruction ID: f0266d2e05635f0e6c0c853a36248998b549fd7355348ab8d95557479a43de10
Opcode Fuzzy Hash: f69e81fe8b5d370bbf5e388f9b332e39eaa1941920932c1e00d450762887fb23
Instruction Fuzzy Hash: 9911A0B2A003009FDB20CF15E944BA6FBE4EF08220F08C86AED458B662D775E418DF61

Uniqueness

Uniqueness Score: -1.00%

Function 00BF4C8F Relevance: 1.4, Instructions: 1362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4103023942.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7745e94cf9e3ba5afc92e5e89be72772c01f92a0a86946f840eb75c4a2072b16
Instruction ID: 4cceb658498c05cf79eb0ae5bc1fcc1b2134f9daf70776b1b504bcd909ca2410
Opcode Fuzzy Hash: 7745e94cf9e3ba5afc92e5e89be72772c01f92a0a86946f840eb75c4a2072b16
Instruction Fuzzy Hash: 08E25D74A01228CFDB25EF34D9A4BA9B7B2FB49304F1041E9DA0967398CB395E85DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00BF4F2F Relevance: 1.2, Instructions: 1245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4103023942.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d1753bfa0330be0cfdc7045f5f1452bc3c168e977e5395f4100fb266a2bc029
Instruction ID: 5a385ccb4c93abf35c1076ebb1d99f545961d83e01b572d1968bb3c69a8440a7
Opcode Fuzzy Hash: 1d1753bfa0330be0cfdc7045f5f1452bc3c168e977e5395f4100fb266a2bc029
Instruction Fuzzy Hash: 65D25D74A01228CFDB25EF34D9A4BA9B7B1FB49304F1041E9D909673A8DB399E81DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00BF4F9D Relevance: 1.2, Instructions: 1236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4103023942.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd6e2cb2bb877fe27df1ef24c8015e1609ea0981890a8ba51605c2d3b968407b
Instruction ID: 0a6a0767c3eaab24966acaa8feeb1c77f56d3308004c299cb502f8339e9c3371
Opcode Fuzzy Hash: dd6e2cb2bb877fe27df1ef24c8015e1609ea0981890a8ba51605c2d3b968407b
Instruction Fuzzy Hash: A4D24D74A01228CFDB25EF34D9A4BA9B7B1FB49304F1041E9D909673A8DB399E81DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00BF5000 Relevance: 1.2, Instructions: 1230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4103023942.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a1c79ba0a2972510d670a56ac35ac533d436777939d293e6db50870c1c16817
Instruction ID: aaa8ca95cac0158a91fc38d21fd6505bf663fa82ac15d88e8d3abbc46c63b7af
Opcode Fuzzy Hash: 4a1c79ba0a2972510d670a56ac35ac533d436777939d293e6db50870c1c16817
Instruction Fuzzy Hash: 5DD24D74A01228CFDB25EF34D9A4BA9B7B2FB49304F1041E9D90967398DB399E81DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00BF50E3 Relevance: 1.2, Instructions: 1210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4103023942.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b79b0a88296d3fe9ac35e5e4648785f0886263cdd45ba6e95ebc906b47257357
Instruction ID: 79dc53d03c63da86a57b67c4c57e4bb14c68f5431299d7162cf96e99577244f1
Opcode Fuzzy Hash: b79b0a88296d3fe9ac35e5e4648785f0886263cdd45ba6e95ebc906b47257357
Instruction Fuzzy Hash: B6D25C74A01228CFDB25EF34D9A4BA9B7B2FB49304F1041E9D90967398DB399E81DF50

Uniqueness

Uniqueness Score: -1.00%

Function 04FA2816 Relevance: 1.6, APIs: 1, Instructions: 129
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 04FA2911

Memory Dump Source

Source File: 00000001.00000002.4109766561.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fa0000_server.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: a2c190aa7a85f62ce18978eef7e41d63a5f0badce0bbe2ca1d366006111f8637
Instruction ID: 7bd9380b469b7ab0d51f9646c9babaa2cc09583464bfcf41540de41bcd61553b
Opcode Fuzzy Hash: a2c190aa7a85f62ce18978eef7e41d63a5f0badce0bbe2ca1d366006111f8637
Instruction Fuzzy Hash: C0418FB15093806FE7238B259C50FA2BFF8EF06614F0945DBE984CB663D264E819CB71

Uniqueness

Uniqueness Score: -1.00%

Function 04FA0E77 Relevance: 1.6, APIs: 1, Instructions: 98
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 04FA0F3E

Memory Dump Source

Source File: 00000001.00000002.4109766561.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fa0000_server.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 1db1fe3b880d5fdc13be809484d1a139a6740cc0dc6b4b6203156a0cfcafdd2b
Instruction ID: 3d45c214959937c9baa06f38d5bd8bd6931bdd07d0f55100cfc052046f069efd
Opcode Fuzzy Hash: 1db1fe3b880d5fdc13be809484d1a139a6740cc0dc6b4b6203156a0cfcafdd2b
Instruction Fuzzy Hash: D2318D6510E3C06FD3138B258C61A61BFB4EF47610B0E45DBD8C48B6A3D2296919D7B2

Uniqueness

Uniqueness Score: -1.00%

Function 04FA1AA4 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32(?,00000E24), ref: 04FA1B6B

Memory Dump Source

Source File: 00000001.00000002.4109766561.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fa0000_server.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 39ac68d21e79d9c2faadea6c08c08311dc2e8e3ba41aa22cd944c99ca21ac614
Instruction ID: 6268a5db354e526c27499cd976f3477259516869b5189b3cec5e83d4fbf66ca7
Opcode Fuzzy Hash: 39ac68d21e79d9c2faadea6c08c08311dc2e8e3ba41aa22cd944c99ca21ac614
Instruction Fuzzy Hash: 9531B1B1504344AFEB21CF61CC84FA6FBACEF05314F04499AFA489B682D374A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 04FA199C Relevance: 1.6, APIs: 1, Instructions: 90timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E24,0315147C,00000000,00000000,00000000,00000000), ref: 04FA1A39

Memory Dump Source

Source File: 00000001.00000002.4109766561.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fa0000_server.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: fc4d73de7309435f815b30a42236ab54bd9cacd807095f400fa767478b02daf2
Instruction ID: aaab6aef056216a043feb893647e85dc03fa37767d334282b7ba32e6a0f82f3d
Opcode Fuzzy Hash: fc4d73de7309435f815b30a42236ab54bd9cacd807095f400fa767478b02daf2
Instruction Fuzzy Hash: 9131E8B25043806FE7228F54DD45B96BFB8EF06310F09889BE9848B593D235A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 04FA1390 Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 04FA1427

Memory Dump Source

Source File: 00000001.00000002.4109766561.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fa0000_server.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 237aad3c74def835af91efbce320bb1665b559f630679102a3bf572cf3d86473
Instruction ID: 219aae888f5ebfc1fd5528af3bc6032af1cbfce3e42415aef62f049d186db94b
Opcode Fuzzy Hash: 237aad3c74def835af91efbce320bb1665b559f630679102a3bf572cf3d86473
Instruction Fuzzy Hash: F831C3B1504344AFE721CF64DC45FA7BBF8EF06210F0888AAE984DB652D374E919CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04FA2876 Relevance: 1.6, APIs: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 04FA2911

Memory Dump Source

Source File: 00000001.00000002.4109766561.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fa0000_server.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ca5f23d721d981381325b8fc79292b15be252ad7e6b57bb98d8f5572c5b90b57
Instruction ID: 45fe6af0c04af6669e4ba81a5a8f8aabfd81549ab529e11b9d67da2260d1d564
Opcode Fuzzy Hash: ca5f23d721d981381325b8fc79292b15be252ad7e6b57bb98d8f5572c5b90b57
Instruction Fuzzy Hash: AB218BB2600304AFEB21DF65DC44FA7BBECEF18610F04886AE94586A52E734F5199B61

Uniqueness

Uniqueness Score: -1.00%

Function 04FA2BB8 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E24,0315147C,00000000,00000000,00000000,00000000), ref: 04FA2C4F

Memory Dump Source

Source File: 00000001.00000002.4109766561.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fa0000_server.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: f406b28a7b226a5626cea73c4bb9586f9d0086d97607cd2ae744b377eec6eca9
Instruction ID: a2695641f010ca5981e9dcc80207260921c1adf8e5454081d35ce3e8c9d32cd1
Opcode Fuzzy Hash: f406b28a7b226a5626cea73c4bb9586f9d0086d97607cd2ae744b377eec6eca9
Instruction Fuzzy Hash: B721D7B55093806FD713CF24DC55B96BFB8DF46224F0984DBE9448F293D225A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 04FA0320 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E24,0315147C,00000000,00000000,00000000,00000000), ref: 04FA03B4

Memory Dump Source

Source File: 00000001.00000002.4109766561.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fa0000_server.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 1a5ce7032d443c3b285b10fdf315704a60055b0264395e21a1aaa0632d96cd01
Instruction ID: 21fdcde3fefcd439848f77df77e7fc1de98f0c3303a8e311b0dfda543aef8382
Opcode Fuzzy Hash: 1a5ce7032d443c3b285b10fdf315704a60055b0264395e21a1aaa0632d96cd01
Instruction Fuzzy Hash: F621E7B15093805FE7128F65DC45BA6BFB8EF46324F0884DBE944CF193D264A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 04FA1AC6 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E24), ref: 04FA1B6B

Memory Dump Source

Source File: 00000001.00000002.4109766561.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fa0000_server.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 25f9358bef6763dd557762ea07e192249a060775c36173f85f64a6bf5aaf8305
Instruction ID: 8f85c3ab697a7e0f560d603f7233be48a03341eb341e55f6c6e714d77b4c2177
Opcode Fuzzy Hash: 25f9358bef6763dd557762ea07e192249a060775c36173f85f64a6bf5aaf8305
Instruction Fuzzy Hash: A521B1B1500204AEFB31DF61CD85FA6F7ACEF04714F04886AFA489A681E774A5198B71

Uniqueness

Uniqueness Score: -1.00%

Function 04FA2AE9 Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

select.WS2_32(?,?,?,?,?), ref: 04FA2B78

Memory Dump Source

Source File: 00000001.00000002.4109766561.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fa0000_server.jbxd

Similarity

API ID: select
String ID:
API String ID: 1274211008-0
Opcode ID: 7ea8dabacb5605b268ccae6e26e3c36416d34c18ddd3ece02e818dbf8b961428
Instruction ID: c75f07151d127bdfd339e77c539462605d8fa399071a11eceeca5375bb4a1561
Opcode Fuzzy Hash: 7ea8dabacb5605b268ccae6e26e3c36416d34c18ddd3ece02e818dbf8b961428
Instruction Fuzzy Hash: 70216DB56083809FDB22CF25CC44B52BFF8EF06210F0984DAE984CB263D275A919DB61

Uniqueness

Uniqueness Score: -1.00%

Function 04FA0F6A Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 04FA0FF6

Memory Dump Source

Source File: 00000001.00000002.4109766561.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fa0000_server.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: fa31c47e42abd10baf24547a1716b95bf04aed828f86691930e65fa820095989
Instruction ID: f1ae1113751ab5816bff56d82984c5ed6015aca2a9e33f9359dabb268d0a895c
Opcode Fuzzy Hash: fa31c47e42abd10baf24547a1716b95bf04aed828f86691930e65fa820095989
Instruction Fuzzy Hash: 0B21CEB1404380AFE722CF55DD45F96FFB8EF09220F0888AEE9858B652D375A418CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04FA1546 Relevance: 1.6, APIs: 1, Instructions: 77fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 04FA15DA

Memory Dump Source

Source File: 00000001.00000002.4109766561.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fa0000_server.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: dfc8aa3034cd8c3751cb0f0661716f00b3a47b7fa5ac566148dfb0c746fe62b6
Instruction ID: b565a6ec6c12b21bde33569dd6f7bac5333d35d077608c178c437eb4b195ff50
Opcode Fuzzy Hash: dfc8aa3034cd8c3751cb0f0661716f00b3a47b7fa5ac566148dfb0c746fe62b6
Instruction Fuzzy Hash: 3721A0B1404340AFE722CF15DD45F96FBF8EF09224F08889AE9848B652D375B908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04FA13B6 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 04FA1427

Memory Dump Source

Source File: 00000001.00000002.4109766561.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fa0000_server.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: d3ea4525107966958679da93049a11d27e2779f60162ab67c9d70d57ea9ccef9
Instruction ID: b2b1dc5ff5c851e6896e2ce9cd05a2a934a8eb5deeabfc77eb83d0682d1a8e00
Opcode Fuzzy Hash: d3ea4525107966958679da93049a11d27e2779f60162ab67c9d70d57ea9ccef9
Instruction Fuzzy Hash: B521D4B2600204AFEB20DF69DD45FABBBECEF05614F04886AED44DB642D374E5198B71

Uniqueness

Uniqueness Score: -1.00%

Function 04FA129E Relevance: 1.6, APIs: 1, Instructions: 76registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,0315147C,00000000,00000000,00000000,00000000), ref: 04FA133C

Memory Dump Source

Source File: 00000001.00000002.4109766561.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fa0000_server.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 62e5917e43eb168c58782f84e8ba1e12494023a59113451511c538213fcc06e9
Instruction ID: f7509965fdfc2c85758f7862c00d8dfa12ace802b441a7b2d69e6dcf9f735186
Opcode Fuzzy Hash: 62e5917e43eb168c58782f84e8ba1e12494023a59113451511c538213fcc06e9
Instruction Fuzzy Hash: C9218DB1504740AFE722CF15DD44F57BBF8EF45610F09849AE9858B692D324A909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04FA2CB7 Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E24,0315147C,00000000,00000000,00000000,00000000), ref: 04FA2D33

Memory Dump Source

Source File: 00000001.00000002.4109766561.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fa0000_server.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 57e32d491db50dd818e771ead950596e28613caefa9fbee26287335e19bd2a2d
Instruction ID: 9427a600b68d518eee5125f61828b46e1800f958bbed4aa39bc53ff32ded57c2
Opcode Fuzzy Hash: 57e32d491db50dd818e771ead950596e28613caefa9fbee26287335e19bd2a2d
Instruction Fuzzy Hash: CB2195B15053806FD722CF55DC45FA6BFB8EF45210F0888ABF944DB692D374A908CB65

Uniqueness

Uniqueness Score: -1.00%

Function 04FA17DD Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

shutdown.WS2_32(?,00000E24,0315147C,00000000,00000000,00000000,00000000), ref: 04FA1860

Memory Dump Source

Source File: 00000001.00000002.4109766561.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fa0000_server.jbxd

Similarity

API ID: shutdown
String ID:
API String ID: 2510479042-0
Opcode ID: 4a7cf96d7ddc25cea6a923767f54090fca3fd79b03a3ace029a2fbd141634d57
Instruction ID: 57f2e669f89fccc7935a25cf59918370b101efcee089d74f438f38991d146bbd
Opcode Fuzzy Hash: 4a7cf96d7ddc25cea6a923767f54090fca3fd79b03a3ace029a2fbd141634d57
Instruction Fuzzy Hash: 4821C8B14093806FD722CB14DC44B56BFB8EF46210F0884DBE9449B252C378A508C761

Uniqueness

Uniqueness Score: -1.00%

Function 04FA2A23 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E24,0315147C,00000000,00000000,00000000,00000000), ref: 04FA2A9F

Memory Dump Source

Source File: 00000001.00000002.4109766561.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fa0000_server.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 1ee6b97d776d50c973bdc093000cbdacb267359a5c9839d8b8d3346cc7d85f98
Instruction ID: 2031bc3da8fe74b6555bc1e3fcbda8aa6de3e423cc753b91ebd263377f73dd03
Opcode Fuzzy Hash: 1ee6b97d776d50c973bdc093000cbdacb267359a5c9839d8b8d3346cc7d85f98
Instruction Fuzzy Hash: 8921A1B15093846FD722CF55DC84FA6BFB8EF45210F0888ABE9449B652D374A908C762

Uniqueness

Uniqueness Score: -1.00%

Function 04FA0180 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 04FA01EC

Memory Dump Source

Source File: 00000001.00000002.4109766561.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fa0000_server.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 493f463fcf489e4f8ecdb21ac307da4218fdc49150ab208e191bc84da1ddf68a
Instruction ID: 20e7c68793f46f60610a0036abc2042e42977b7b36e66dd95aee85562b6f7dd5
Opcode Fuzzy Hash: 493f463fcf489e4f8ecdb21ac307da4218fdc49150ab208e191bc84da1ddf68a
Instruction Fuzzy Hash: 7B21A1B15093C05FDB128F25EC54B92BFB4AF07224F0984DAEC858F663D264A908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04FA0F8A Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 04FA0FF6

Memory Dump Source

Source File: 00000001.00000002.4109766561.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fa0000_server.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 081568fbb38fa2756cacdd0fabcf558c6afc578f0eb17c4cd9b11e16fecd823c
Instruction ID: 074018ed3fec0655a593c68ddef6a465bc8d99b715a27f30b40faa82927ed978
Opcode Fuzzy Hash: 081568fbb38fa2756cacdd0fabcf558c6afc578f0eb17c4cd9b11e16fecd823c
Instruction Fuzzy Hash: AA21D1B1500240AFEB31CF55DD45FA6FBE4EF08320F04886EEA458A652D375B419CB71

Uniqueness

Uniqueness Score: -1.00%

Function 04FA1C76 Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 04FA1CF2

Memory Dump Source

Source File: 00000001.00000002.4109766561.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fa0000_server.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 44e0704ffcfffd637b4561b8bfeb06193503cfea4930198d54019595e4458fd5
Instruction ID: 52c524cc9fede9e8e05e487c6a762234ed5cbf877964ef94b0420ccd75448ac0
Opcode Fuzzy Hash: 44e0704ffcfffd637b4561b8bfeb06193503cfea4930198d54019595e4458fd5
Instruction Fuzzy Hash: E4219271508384AFDB228F51DD44B52FFF4EF0A310F09889AED858B563D375A819DB61

Uniqueness

Uniqueness Score: -1.00%

Function 04FA1566 Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 04FA15DA

Memory Dump Source

Source File: 00000001.00000002.4109766561.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fa0000_server.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 4881186ff43664a7a3f676266770c63bd129fb4554ffeb10335c6bd5513b6bf8
Instruction ID: 418041edc1061fa3a4bf0f2920cedd60325e9ed1f7ea012874b0169c9f1be03c
Opcode Fuzzy Hash: 4881186ff43664a7a3f676266770c63bd129fb4554ffeb10335c6bd5513b6bf8
Instruction Fuzzy Hash: 0621C3B1500304AFE721CF5ADE45F96FBE8EF08224F04886AE9458B751D375F519CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04FA1F32 Relevance: 1.6, APIs: 1, Instructions: 66libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E24), ref: 04FA1FBB

Memory Dump Source

Source File: 00000001.00000002.4109766561.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fa0000_server.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1a6b9b557586df2dd1e7264ef64113565b8e50c0953c04e7aae32a3f8624a5a0
Instruction ID: d360bae77c765395f94adf68130ed02863e4a3d6abf44060053ca4286bd54704
Opcode Fuzzy Hash: 1a6b9b557586df2dd1e7264ef64113565b8e50c0953c04e7aae32a3f8624a5a0
Instruction Fuzzy Hash: DE11B4715043806FE721CB15DD85FA6FBB8DF46720F08849AFD449B692D374B948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04FA12CA Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,0315147C,00000000,00000000,00000000,00000000), ref: 04FA133C

Memory Dump Source

Source File: 00000001.00000002.4109766561.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fa0000_server.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 0828970613c173b5fd170f9fda823e433ed5180aecfdcd59d2116f1039039fab
Instruction ID: 2fb7b7e34ef0d3ae26b8e9303bc45e373d510f8d71c015adaf983369f3664d90
Opcode Fuzzy Hash: 0828970613c173b5fd170f9fda823e433ed5180aecfdcd59d2116f1039039fab
Instruction Fuzzy Hash: EC1160B6600700AFEB21CF15DE45FA6B7E8EF04610F04846AE9858AA52D774F519CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04FA19DA Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E24,0315147C,00000000,00000000,00000000,00000000), ref: 04FA1A39

Memory Dump Source

Source File: 00000001.00000002.4109766561.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fa0000_server.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 47acd38d8a6b6ff8c488987caa50b341aa466013d0b9eea2a9146ae3bce51590
Instruction ID: 28595b582c42b67b2634e2d8e642c5f6c3ea660d748a061653cf8598344a68b9
Opcode Fuzzy Hash: 47acd38d8a6b6ff8c488987caa50b341aa466013d0b9eea2a9146ae3bce51590
Instruction Fuzzy Hash: ED11D0B2600300AFEB218F55DD45BAABBA8EF04220F04886AED458A651D374B5198BB2

Uniqueness

Uniqueness Score: -1.00%

Function 04FA2BF6 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E24,0315147C,00000000,00000000,00000000,00000000), ref: 04FA2C4F

Memory Dump Source

Source File: 00000001.00000002.4109766561.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fa0000_server.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 5cb742c66a1a78a3c971fa3095bb07dbef75a61a22bac0fd46492e4ba3a7be85
Instruction ID: b2c3f526d38003a8e3a88dc662137efedf3ff9f3ea19c220f54f716b9a2a6b8e
Opcode Fuzzy Hash: 5cb742c66a1a78a3c971fa3095bb07dbef75a61a22bac0fd46492e4ba3a7be85
Instruction Fuzzy Hash: F711C4B6600300AFEB21CF55DD45BA6BBA8EF44224F0488BAED45CB742D774A509CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 04FA2CDA Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E24,0315147C,00000000,00000000,00000000,00000000), ref: 04FA2D33

Memory Dump Source

Source File: 00000001.00000002.4109766561.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fa0000_server.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 5cb742c66a1a78a3c971fa3095bb07dbef75a61a22bac0fd46492e4ba3a7be85
Instruction ID: bb89fcec40e3c3a2119e145ae96c7d19b7f41e20e5b677b14ff3b3f54af95647
Opcode Fuzzy Hash: 5cb742c66a1a78a3c971fa3095bb07dbef75a61a22bac0fd46492e4ba3a7be85
Instruction Fuzzy Hash: F411C8B16003009FE721CF55DD45BA6B7A8DF04324F04887AED45DB792D774A5058B71

Uniqueness

Uniqueness Score: -1.00%

Function 04FA035E Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E24,0315147C,00000000,00000000,00000000,00000000), ref: 04FA03B4

Memory Dump Source

Source File: 00000001.00000002.4109766561.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fa0000_server.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 9bff63c8aadc17b89ed9a1fc290ccd3b1735e0f77d2c56cc4b2b5e3ad1ee2a2f
Instruction ID: 10785eb67740502e2e909df3748d017b30db20289e9f953ac9fb5d535c7752d5
Opcode Fuzzy Hash: 9bff63c8aadc17b89ed9a1fc290ccd3b1735e0f77d2c56cc4b2b5e3ad1ee2a2f
Instruction Fuzzy Hash: D911E7B1600300AFEB21CF19DD45BAABBA8DF04624F04887AED44CB641D774A505CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 04FA2A46 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E24,0315147C,00000000,00000000,00000000,00000000), ref: 04FA2A9F

Memory Dump Source

Source File: 00000001.00000002.4109766561.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fa0000_server.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: d5fa67bcd69cec0507fff807c2422f503f8e632bcae9c7a4a03848e8d6c12db5
Instruction ID: 6c289c05d621f41ab7a7befd2e55f09b856a5d015fa3882e96239b71979dbed5
Opcode Fuzzy Hash: d5fa67bcd69cec0507fff807c2422f503f8e632bcae9c7a4a03848e8d6c12db5
Instruction Fuzzy Hash: F711C4B2600200AFE731CF55DD44BA6BBA8DF04324F04C8A6ED458B641D374A5098BB2

Uniqueness

Uniqueness Score: -1.00%

Function 04FA180A Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

shutdown.WS2_32(?,00000E24,0315147C,00000000,00000000,00000000,00000000), ref: 04FA1860

Memory Dump Source

Source File: 00000001.00000002.4109766561.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fa0000_server.jbxd

Similarity

API ID: shutdown
String ID:
API String ID: 2510479042-0
Opcode ID: 2c6129d9570cfd0df3ba41b7e10d278ce72e0517a146ec931068d77068837c5a
Instruction ID: 23c63615914f54352de0ab1f3f3a34c4f6fc650f70f358c577cd36aa0a99656b
Opcode Fuzzy Hash: 2c6129d9570cfd0df3ba41b7e10d278ce72e0517a146ec931068d77068837c5a
Instruction Fuzzy Hash: D211C6B5500200AFEB21CF15DD85BA6BBA8DF44724F048866ED449B641D374A5098BB2

Uniqueness

Uniqueness Score: -1.00%

Function 04FA1F52 Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E24), ref: 04FA1FBB

Memory Dump Source

Source File: 00000001.00000002.4109766561.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fa0000_server.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8d44190c21e724035a54460b6d19acbf5b3cd18e97ff02b8eaeeb65e5412f20b
Instruction ID: 9142a6d4db86836fe4aff41139f8cb8a79b2bc512688dabafbc019ec210352a8
Opcode Fuzzy Hash: 8d44190c21e724035a54460b6d19acbf5b3cd18e97ff02b8eaeeb65e5412f20b
Instruction Fuzzy Hash: 8411E5B1500340AFE730DB15DE41FA6F7A8DF44724F14846AFE045A781D3B8B509CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04FA2B22 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

select.WS2_32(?,?,?,?,?), ref: 04FA2B78

Memory Dump Source

Source File: 00000001.00000002.4109766561.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fa0000_server.jbxd

Similarity

API ID: select
String ID:
API String ID: 1274211008-0
Opcode ID: 48815bec48153c307bf3a9456acd20132e9059066874fab7b913cb851a5856ce
Instruction ID: 13856a3b9d8a669c6a8eefd77518aece057bdb41f4935b58a88c0a54a5f3aa6e
Opcode Fuzzy Hash: 48815bec48153c307bf3a9456acd20132e9059066874fab7b913cb851a5856ce
Instruction Fuzzy Hash: 08116DB56002009FDB20CF15C984B96FBE8EF08650F0884EADD49CB762D334E419CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04FA1CA6 Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 04FA1CF2

Memory Dump Source

Source File: 00000001.00000002.4109766561.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fa0000_server.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 8a19b3d3798f8f8e50e18610860a0f75c31f20220262b3b59973c8824267c43d
Instruction ID: 4c7831b486d13c491aa621a674b80856cbc0f489c46c85b2a37bc0a9c7068aeb
Opcode Fuzzy Hash: 8a19b3d3798f8f8e50e18610860a0f75c31f20220262b3b59973c8824267c43d
Instruction Fuzzy Hash: E6117C766002049FDB20CF55DA44BA2FBF4EF08321F0888AAED858B662D375E419DB61

Uniqueness

Uniqueness Score: -1.00%

Function 04FA0EEE Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 04FA0F3E

Memory Dump Source

Source File: 00000001.00000002.4109766561.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fa0000_server.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: d4969067f5d63020a741f5d0a5706aacaa149764fd3d62c90829792c43fb49f0
Instruction ID: 38603ce5502ecdd3d3b03a6726c2b0938a7afa6d30e043e768aa09d32ebef08f
Opcode Fuzzy Hash: d4969067f5d63020a741f5d0a5706aacaa149764fd3d62c90829792c43fb49f0
Instruction Fuzzy Hash: FA01A271600205ABD210DF1ACD46B66FBE8FB88A20F14852AED089BB41D771F915CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 04FA01BA Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 04FA01EC

Memory Dump Source

Source File: 00000001.00000002.4109766561.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fa0000_server.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: b6e0b76789f31ea96720cd61dd7b92468ee858802918b5776d8d30051fb0ecee
Instruction ID: 6d78420017aa2f48fc594d1ac894f891be15cc7e47f28a6031a123acbc8fb771
Opcode Fuzzy Hash: b6e0b76789f31ea96720cd61dd7b92468ee858802918b5776d8d30051fb0ecee
Instruction Fuzzy Hash: E601D4B5A043408FDB10CF59E984766FBE4DF04225F08C4BADD498BA42D674E518CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00BF79D4 Relevance: 1.1, Instructions: 1079COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4103023942.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48bfacfdeb33ebbcd6add50f9c09d71cfd9abc587daf1ac75707fd79367c4d0a
Instruction ID: 054993c09a874ecba128a6fa532d5caa0769f9ca7d0be5ead76987956633ad7c
Opcode Fuzzy Hash: 48bfacfdeb33ebbcd6add50f9c09d71cfd9abc587daf1ac75707fd79367c4d0a
Instruction Fuzzy Hash: 0992C034704165CFDF215B6AE810BBA7BE6EB89344F1084A7984693BD8CF349D59EF20

Uniqueness

Uniqueness Score: -1.00%

Function 00BF7A0E Relevance: 1.1, Instructions: 1076COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4103023942.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aed9d92e91be483f2f0bc537487497737137a58b88493471ec58931d9c05b60b
Instruction ID: a78ef6998593bff793272c3e9082e882cea62176ccbc9a3bda06467479af0588
Opcode Fuzzy Hash: aed9d92e91be483f2f0bc537487497737137a58b88493471ec58931d9c05b60b
Instruction Fuzzy Hash: A892D034704165CFDF215B2AE810BBA7BE6EB89344F1084A7984693BD8CF348D59EF20

Uniqueness

Uniqueness Score: -1.00%

Function 00BF7A3D Relevance: 1.1, Instructions: 1075COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4103023942.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51c531fd4ca7a2be6db9a053ca969bf2c4f6aafcb7166ec91473186a423ad762
Instruction ID: 931edba8d77557480983d5d241096da1798c7bde6f6fcd11eca4846840e7ac85
Opcode Fuzzy Hash: 51c531fd4ca7a2be6db9a053ca969bf2c4f6aafcb7166ec91473186a423ad762
Instruction Fuzzy Hash: DA92D034704165CFDF215B2AA810BBA7BE6EB89344F1084A7984693BD8CF348D59EF20

Uniqueness

Uniqueness Score: -1.00%

Function 00BF562A Relevance: 1.0, Instructions: 963COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4103023942.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6dad99a8ea6475d878576e2d1a59963eb922f9b08662e4603e8e1dcc7c6e415
Instruction ID: 60f027ef2692f461d83a4d181b789b9cf34c39d1fc231918ac856f73bbeea6b6
Opcode Fuzzy Hash: f6dad99a8ea6475d878576e2d1a59963eb922f9b08662e4603e8e1dcc7c6e415
Instruction Fuzzy Hash: FEB21A74A01228CFDB25EF34D9A4BA9B7B2FB49304F1091E9D90967398DB359E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00BF57A1 Relevance: .9, Instructions: 906COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4103023942.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e46cac52d46f3f54a835d2b631f1cf8323d1681e5c1b1d3e16ad11c8c5de323c
Instruction ID: 6cda44a953581ac6b80be89e06c4b3b932d0ebc912950c667c25ad5e407a7b5c
Opcode Fuzzy Hash: e46cac52d46f3f54a835d2b631f1cf8323d1681e5c1b1d3e16ad11c8c5de323c
Instruction Fuzzy Hash: 05A22974A01228CFDB25EF30D9A4BA9B7B2FB49304F1051E9D909673A8DB359E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00BF5918 Relevance: .8, Instructions: 849COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4103023942.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0df92a328f7ebe5fb035d0cbb527acdbddda6ba21bbce8fea7ac10884052871
Instruction ID: 25b7559d6875e845551b596fc1737c41f1e6da679a27a678a95c146c3c19ed37
Opcode Fuzzy Hash: b0df92a328f7ebe5fb035d0cbb527acdbddda6ba21bbce8fea7ac10884052871
Instruction Fuzzy Hash: 2E922A74A01228CFDB25EF34D9A4BA9B7B2FB49304F1091E9D90967399DB359E81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00BF5A8F Relevance: .8, Instructions: 792COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4103023942.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f1e907b6feac858b16a7452a8ce0de6c14ae28ff6df4619924250455be70d3f
Instruction ID: 50813459e738170eb983d5f20c7068c1af035f07eb79e33143cee9549eb48d13
Opcode Fuzzy Hash: 5f1e907b6feac858b16a7452a8ce0de6c14ae28ff6df4619924250455be70d3f
Instruction Fuzzy Hash: EE921B74A01228CFDB25EF34D9A4BA9B7B2FB49304F1051E9D909A7399DB359E81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00BF5C06 Relevance: .7, Instructions: 735COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4103023942.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffbb61685bad9ec3eddf5a9e18d7032efb8f2359ffa3de6a67ffd5631c1c8b7e
Instruction ID: fa6b7f1fb2509f2770523baf241f822a2dd7fb466482db5d363fb9f003ec6fdf
Opcode Fuzzy Hash: ffbb61685bad9ec3eddf5a9e18d7032efb8f2359ffa3de6a67ffd5631c1c8b7e
Instruction Fuzzy Hash: BC821A74A01228CFDB25EF34D994BA9B7B2FB49304F1091E9D909A7399DB359E81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00BF5D7D Relevance: .7, Instructions: 678COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4103023942.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ac1f79f219412d535bb54b06e8bd6b0b9b56458841145bf8303fb3760773849
Instruction ID: 8a67a68694ec9d1d24c15ab3d50d6b32940b1b01bd6e9c5284ce88849f088bed
Opcode Fuzzy Hash: 2ac1f79f219412d535bb54b06e8bd6b0b9b56458841145bf8303fb3760773849
Instruction Fuzzy Hash: 2B721874A01228CFDB25EF34D994BA9B7B2FB49304F1091E9D909A7399DB359E81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00BF5EF4 Relevance: .6, Instructions: 621COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4103023942.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f254fbfa9f99ce71accf7e113f89db6e394e11816da65ff342fe4170175da00c
Instruction ID: 709c40d61bcd91a387eae418dda45d3d0f7b2b095cb934513ac4c2fae966128f
Opcode Fuzzy Hash: f254fbfa9f99ce71accf7e113f89db6e394e11816da65ff342fe4170175da00c
Instruction Fuzzy Hash: 2C620874A01228CFDB25EF34D994BA9B7B2FB49304F1091E9D909A7399CB359E85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00BF61E2 Relevance: .5, Instructions: 507COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4103023942.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38fe8b39d3206d73a5da7f44e5027d065fd6ae2ddfa0dd8ae2cd34f385045d12
Instruction ID: 58dddcd76e61cb5003864cb621f861c8a81d55964f3c6d43621a10eec0a6c24a
Opcode Fuzzy Hash: 38fe8b39d3206d73a5da7f44e5027d065fd6ae2ddfa0dd8ae2cd34f385045d12
Instruction Fuzzy Hash: 38420774A01228CFDB25EF34D994BA9B7B1FB49304F1091EAD909A7398DB359E85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00BF36AA Relevance: .5, Instructions: 497COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4103023942.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 018bcc96ad482b64939a3d0a252d941db7cd94b0b2d31cb57470c8afef9b23d2
Instruction ID: 67c2e7c9305f2cc6ea6f28ceb89ca5f0e0cb8de7dc0a20ea4c84d54bfb87199a
Opcode Fuzzy Hash: 018bcc96ad482b64939a3d0a252d941db7cd94b0b2d31cb57470c8afef9b23d2
Instruction Fuzzy Hash: 5C322674A01218CFDB24EF74D855BADB7F2EB49308F1045A9D509AB398DB399E85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00BF6483 Relevance: .4, Instructions: 427COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4103023942.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dd967628c8a04087ea02cea6816df78ca8bc50fa17f3d477ed3d3bf66d131d0
Instruction ID: 5844f822d6bc2ef7854ba22da956d0ecbc9cb8ca57936ea90e14739f94cb19b1
Opcode Fuzzy Hash: 3dd967628c8a04087ea02cea6816df78ca8bc50fa17f3d477ed3d3bf66d131d0
Instruction Fuzzy Hash: FD220674A01228CFDB25EF24D994BA9B7F5FB49304F1081EAD909A7399CB359E85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00BF67A9 Relevance: .3, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4103023942.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53585ad8a773b08c3a186f58dfa870e6107125aea2c3f519bdd36156783417ed
Instruction ID: afee56b09233ed6b2a1162af926aa1cf325d65f041d87c56fed9e12761ee794d
Opcode Fuzzy Hash: 53585ad8a773b08c3a186f58dfa870e6107125aea2c3f519bdd36156783417ed
Instruction Fuzzy Hash: F9020774A01228CFDB25EF34D895BA9B7B2FB49304F1051EAD909A7399DB359E81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00BF8F80 Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4103023942.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b79c689a2c48f35cacbfbbfa472a65f173dd1dbe120fe16268519d6655e4633b
Instruction ID: b013dd8b0a4feee3c937a74bca85213070a0bd5b908ecc971e203beb01a1e5cf
Opcode Fuzzy Hash: b79c689a2c48f35cacbfbbfa472a65f173dd1dbe120fe16268519d6655e4633b
Instruction Fuzzy Hash: 32D16C35A01208DFCB19EFB5E451A6E77B2EF89348B208429D512977ACDF399C05CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00BF7520 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4103023942.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 041f2169896d3844250f664b41b461a69de28c4371a5e9f4ea59705364d46551
Instruction ID: 9a50f2b0b1551776bb54fa6b1994d4e55c3e875a964cdc94a910e369f15f4977
Opcode Fuzzy Hash: 041f2169896d3844250f664b41b461a69de28c4371a5e9f4ea59705364d46551
Instruction Fuzzy Hash: DBA1EE30659204CFD724EB3AD944BA932E2EB85394F2446E8D601DB3E9DF79DC49CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00BF690A Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4103023942.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1758d8eda46187aef8fe031b06c22b0b18e3b4945dcd308bf2c82d6c208721fc
Instruction ID: 8984a76f381ba98579ba52d5568927bc2f7131ede1801609c225e11d014f0310
Opcode Fuzzy Hash: 1758d8eda46187aef8fe031b06c22b0b18e3b4945dcd308bf2c82d6c208721fc
Instruction Fuzzy Hash: C9D12974A01228CFDB25EF34D895BA9B7B1EB49304F1041EAD909A7398CB359E85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00BF9085 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4103023942.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5604f808276624ee5f0a7f5b45d419a8b0bf6ca139b31f7f724c033bd0cc65c5
Instruction ID: 5159c12def8ad1b7c30248577a59e87d464112591f3c4b4ae29ba6d520dc7201
Opcode Fuzzy Hash: 5604f808276624ee5f0a7f5b45d419a8b0bf6ca139b31f7f724c033bd0cc65c5
Instruction Fuzzy Hash: 62915B35A01204EFCB19EF75E451A6E77B2EF88348B608429E516977ACDF3A9C05CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00BF90E3 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4103023942.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdf4ad8c48825af164886a1352f74f9e355438f183041c6b87f5922f15f9ad7f
Instruction ID: cc5ec8c1d9c3b370bb272f458000d497f00581092a7552b6b7ee25995b68e670
Opcode Fuzzy Hash: fdf4ad8c48825af164886a1352f74f9e355438f183041c6b87f5922f15f9ad7f
Instruction Fuzzy Hash: 42915B35A01204EFCB19EF75E451A6E73B2EF88348B608429E516977ACDF3A9C05CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00BF9133 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4103023942.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bfe6630f86fedce37fd14e65bf01a973d67f9a8eeca9dd870195b8a1a9ef6f6
Instruction ID: 06d70aafab4c5f8e320b0bc131b735528f7e3ffe0a3119e933f0553637f53e70
Opcode Fuzzy Hash: 8bfe6630f86fedce37fd14e65bf01a973d67f9a8eeca9dd870195b8a1a9ef6f6
Instruction Fuzzy Hash: 0E816B35A01204EFCB19EF75E451A6E73B2EF89348B608529E516977ACCF3A9C05CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00BF91B5 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4103023942.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2764d323d432ee6cc54c4c8a5aa1ee1e6df566c85e523dcb5f738918a6dde19a
Instruction ID: f8f3ec6315b24370b4e0bee46da9bd2b9a77c400160d66f76f8b2685155a756d
Opcode Fuzzy Hash: 2764d323d432ee6cc54c4c8a5aa1ee1e6df566c85e523dcb5f738918a6dde19a
Instruction Fuzzy Hash: 79715B35A01204DFCB19AB76E451A6E73B2EF89348B60856DD906977ACDF3A9C05CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00BF7310 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4103023942.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 459bff0dba57e9b2f47c4fb8ece8f9463ec2482c98dd833bde201b17ccba9d7a
Instruction ID: 7b024b4a47f698a4974e6dd86148faf0ec76fd08366811c9d17902d9631170f1
Opcode Fuzzy Hash: 459bff0dba57e9b2f47c4fb8ece8f9463ec2482c98dd833bde201b17ccba9d7a
Instruction Fuzzy Hash: B951DF30B002548FCB15EB79D455AAE7BF2AF89308F2441B9C506EB359DB3A8806CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 00BF7511 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4103023942.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75cd002c1e3601c196b5d8dace7b40720c720b080d4726b510376f1fdca0443d
Instruction ID: 7a0b491eb9fe9e49eb33d244bb75c90f88989ac7d6b5c157aaf17bb2ffa36257
Opcode Fuzzy Hash: 75cd002c1e3601c196b5d8dace7b40720c720b080d4726b510376f1fdca0443d
Instruction Fuzzy Hash: 01512430609205EFE724DB3AD8047B937E2EB45390F2885E4D601DB2E5EF34D94ACB20

Uniqueness

Uniqueness Score: -1.00%

Function 00BF92A5 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4103023942.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19258e8a195a134f016600e42844865b094e6b77fbe928b7beb6a41d4ad4fcaa
Instruction ID: 5e2d9cedc1168f5becc5773a009dcfe8681b7cf54080861416a071ba63016212
Opcode Fuzzy Hash: 19258e8a195a134f016600e42844865b094e6b77fbe928b7beb6a41d4ad4fcaa
Instruction Fuzzy Hash: 65516F34A00214DFCB29AB79E85176E73E2EF85348F208569D916977ACCF399C11CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00BF78FE Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4103023942.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc67bc5c0ea9ee81b5e75a3c961cb9a5889df79afb65709809b5b891f6ea9dc4
Instruction ID: c60f90dbef9d9fba12227b4f30b1828f2b4d4164dc170c68986084322974748d
Opcode Fuzzy Hash: fc67bc5c0ea9ee81b5e75a3c961cb9a5889df79afb65709809b5b891f6ea9dc4
Instruction Fuzzy Hash: C2410230649605DFDB24EB3A98057B833E2EB45394F2885E8D501DB2E5DF78CE4ADB20

Uniqueness

Uniqueness Score: -1.00%

Function 00BF39C0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4103023942.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db51f6e329b45ebd607ec92fe4982bf5661a59c772f5c72b95eaa8e10fbf6109
Instruction ID: 7e1afba4981612c8678c7234016e995a25416086e0db02d3fcd17c2f74e67e07
Opcode Fuzzy Hash: db51f6e329b45ebd607ec92fe4982bf5661a59c772f5c72b95eaa8e10fbf6109
Instruction Fuzzy Hash: D5415A30A01218CFDB24EBB9D951BECB7F2EF45308F1045A9D109AB295DB795E88CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00BF02C0 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4103023942.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bf86dffda26e9b9312735745e092dcaf87e130e407b11443ddc4b08616fcc98
Instruction ID: dfc11bb998ab1abf6fc35161e9288218e828c02daea3b7785284f91559ee1c80
Opcode Fuzzy Hash: 1bf86dffda26e9b9312735745e092dcaf87e130e407b11443ddc4b08616fcc98
Instruction Fuzzy Hash: 7031BF31B102049FC714BB7AD812BBE32A7EF88208F1044799506D7BA9DF3D9D0A8B91

Uniqueness

Uniqueness Score: -1.00%

Function 00BF9880 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4103023942.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aca7b0de5e3d437d63de9f6bb63f9722ea99e39815c78e638d07d076e1d2c70
Instruction ID: ceb6bb566c0e307fb2074c3e8a501d96ccb59b9f2f8c3951dd9b8fbafac475b8
Opcode Fuzzy Hash: 5aca7b0de5e3d437d63de9f6bb63f9722ea99e39815c78e638d07d076e1d2c70
Instruction Fuzzy Hash: 8C31A230B002099FDB14DF79D855BAEBBE6EF88344F2480B9D505AB3A4DB759D09CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00BF00B8 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4103023942.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c774cf01bd8b8afeba4be62ff9d4990610ff0805a0b1c73ba481d6a520d49295
Instruction ID: d2cf4453bd8a0fa76f687a29618df370b6c82201d62799421dff9fa759e85b64
Opcode Fuzzy Hash: c774cf01bd8b8afeba4be62ff9d4990610ff0805a0b1c73ba481d6a520d49295
Instruction Fuzzy Hash: 8131D3316083549FD715E778A822BAE3BA79BC2354F1485BDD101CB2D6CF794C06C792

Uniqueness

Uniqueness Score: -1.00%

Function 00C008CB Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4103042484.0000000000C00000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c9a5afc2bdb35cdbd09aee911609fc6a795eef013b5ac97fa6c9eb7dd060740
Instruction ID: dc43ec7f9880ad9cf9037221d5e8bad41a2cb756bccab8ba6b20a17276432243
Opcode Fuzzy Hash: 0c9a5afc2bdb35cdbd09aee911609fc6a795eef013b5ac97fa6c9eb7dd060740
Instruction Fuzzy Hash: 0B21593510D7C18FD717CB24C950B54BFB1AB47218F2A86DED4848F6E3C23A8906DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00BF0118 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4103023942.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1d5a77847f1e986ed883a31cb2155a08c1e7e2abdc4a354a598563967c0f64b
Instruction ID: 55d41dabe19343643063713c11b9c81c62633d6babee0af56f6d13a0e6580ab5
Opcode Fuzzy Hash: f1d5a77847f1e986ed883a31cb2155a08c1e7e2abdc4a354a598563967c0f64b
Instruction Fuzzy Hash: CA11C2317082508FC325F77DA4226AD27D79BC6398724597DD001CB796CFAE8C0A87D2

Uniqueness

Uniqueness Score: -1.00%

Function 00C00904 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4103042484.0000000000C00000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44abb72b729c5986246ef7f54a693858230a4c1b7d72e4f547e0f509e5236919
Instruction ID: 9da66c3b301aef65137ca62efd61705d2cd477ce500b9bf22d812f7d4300abbb
Opcode Fuzzy Hash: 44abb72b729c5986246ef7f54a693858230a4c1b7d72e4f547e0f509e5236919
Instruction Fuzzy Hash: DC11B130204284DFE715CB14D980B66F7A5AB89718F34C9ACE9491BB93C77BD903CA51

Uniqueness

Uniqueness Score: -1.00%

Function 00BF959F Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4103023942.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1bc81b67c27c1ccf21c1cb7447d76295d7406b6ea75a46db1e3f99e5bffd890
Instruction ID: 69a41832617b85c41447209ae7db8566398d8e3bb00d06e742e211572ccb215d
Opcode Fuzzy Hash: b1bc81b67c27c1ccf21c1cb7447d76295d7406b6ea75a46db1e3f99e5bffd890
Instruction Fuzzy Hash: 4311AC71A002148F8F54EBB8A8155EE77F6EB8F344B20457DC909E7788DB398D02CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00BF0006 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4103023942.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 157411a2b8b876dc043b3fa05574b4bce1f724a2c4ae602fe4f6f34eb6530e94
Instruction ID: 4cb33244dbf69f24d3bd952254252ccacfbddc1731bde4d41a0418579b3df05f
Opcode Fuzzy Hash: 157411a2b8b876dc043b3fa05574b4bce1f724a2c4ae602fe4f6f34eb6530e94
Instruction Fuzzy Hash: 27119D9244E3C29FC31383305C34680BF702A53205B4E86DBD491CA2ABE25C2919D363

Uniqueness

Uniqueness Score: -1.00%

Function 00C005E1 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4103042484.0000000000C00000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bf27a8bc510404908f4ea1ba8b79b3f2f28297ee68a615fc9814409cf70022f
Instruction ID: 8a8d52fb13753ba80ec074afcee5d1bf6ed14b1726cae17bd98f28b401dc95f0
Opcode Fuzzy Hash: 0bf27a8bc510404908f4ea1ba8b79b3f2f28297ee68a615fc9814409cf70022f
Instruction Fuzzy Hash: EC0186B65093806FD7128F169C41866FFA8DB86620709C4AFEC498B652D265A909C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 00BF3B0E Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4103023942.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 998a95d8cbf8327df8680864f03040c1b82a9e339205a8b863a8dd604d6521a5
Instruction ID: fad717c0e39d93aa972f050968c4982c387a66ffc60f67bc487e16a6466b3d98
Opcode Fuzzy Hash: 998a95d8cbf8327df8680864f03040c1b82a9e339205a8b863a8dd604d6521a5
Instruction Fuzzy Hash: 9D111C74E05118CFEB24EBB8D9617ACB7F1AB48304F5041AAD519A7282DB390A84CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00BF01E1 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4103023942.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccd70349dce9741af60bbf87c634d44a7cdf3270e6a23165f8260abcdc0c761e
Instruction ID: f6928e50c3de32133001bea7f1d977b7f06887fea546aabea5c5c14b5aa1d462
Opcode Fuzzy Hash: ccd70349dce9741af60bbf87c634d44a7cdf3270e6a23165f8260abcdc0c761e
Instruction Fuzzy Hash: 4401923060A242CFCB10FB78E648ADC7BE1EFC9358B05886CE4458B75ADB799845DF42

Uniqueness

Uniqueness Score: -1.00%

Function 00BF00A8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4103023942.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4055fb330a7a4c648e6b61b9caf3846e97bd6197de116dfa60cfa67f88eaf67
Instruction ID: 07712406fc0fd1148f487d00e0874ec7d8384d597f8064932f8b919e31eecb86
Opcode Fuzzy Hash: b4055fb330a7a4c648e6b61b9caf3846e97bd6197de116dfa60cfa67f88eaf67
Instruction Fuzzy Hash: 87F09672A403149FEB14DB709813BAE7B72EF81714F1085AEE2459B1D5EA355941C780

Uniqueness

Uniqueness Score: -1.00%

Function 00BF41E1 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4103023942.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3902ad6b25a165912bfa42b5584efb922bedcfaa1051a18e71c51b1d36ecbdf8
Instruction ID: e6efbdaf3d04b6df491059272728360c806af9c90ae82fad0b8fbd1ce7f9e3d5
Opcode Fuzzy Hash: 3902ad6b25a165912bfa42b5584efb922bedcfaa1051a18e71c51b1d36ecbdf8
Instruction Fuzzy Hash: 36F01720A5E3C05FC707CB345C604997FB19E4321871A46EBC485CB6A3D5290A0AD762

Uniqueness

Uniqueness Score: -1.00%

Function 00C009C0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4103042484.0000000000C00000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4280bab020fe13ced9069026e0efe0e9e5a243a94884462047c531553b3c09eb
Instruction ID: 8e2e15e7a3d3598feb70126c67a84cb459c1f623ae18907ad6fbb30c398a0207
Opcode Fuzzy Hash: 4280bab020fe13ced9069026e0efe0e9e5a243a94884462047c531553b3c09eb
Instruction Fuzzy Hash: 2DF01935108644DFC316CF00D980B25FBA2FB89718F24CAADE9490BB62C737E913DA81

Uniqueness

Uniqueness Score: -1.00%

Function 00C00606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4103042484.0000000000C00000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c00000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a09143516398c4f6acce0c321383adcd70ccaeec0dc9881f7fcc91881f07302e
Instruction ID: 2b03f566037087d0ec87e46fd67246a53a9a814235e3d1bb5d940911d600f6a2
Opcode Fuzzy Hash: a09143516398c4f6acce0c321383adcd70ccaeec0dc9881f7fcc91881f07302e
Instruction Fuzzy Hash: 9EE092B66006009BD650DF0AEC41456F7D8EB88631B08C47FEC0D8B701E276B509CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 00BF74B8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4103023942.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cf65090e83693cec3f9b5ba513891cb207614e1dd7f13bafc9473bc91f09181
Instruction ID: 4f2f0c2b4e0cd0b7fb34e222fec357b5f30730236ce277e8e1f323166a66b5c5
Opcode Fuzzy Hash: 5cf65090e83693cec3f9b5ba513891cb207614e1dd7f13bafc9473bc91f09181
Instruction Fuzzy Hash: 68E04FB1D0021D9F8F40EFBE99455EFBFF8EA48254B10047AC208E3200E7394201CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 00BF40A8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4103023942.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6fdf07c5abf9cb90b35809ce295dfbefab5b6b7ad789460d6c4fcaf24c80f56
Instruction ID: 0006dbaf2ab80c1a62d9c7c68a2f3afe22aa1da7cde403b220825ddd138311f8
Opcode Fuzzy Hash: b6fdf07c5abf9cb90b35809ce295dfbefab5b6b7ad789460d6c4fcaf24c80f56
Instruction Fuzzy Hash: 92E08C3015A790CFC71A6B34646588C3B72AF8630835904BEC0468FBA7D63AC447CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00BF4210 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4103023942.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c74ba5b030c761a60f0113d4b2ef02ebbd1be8af44c63dace1925c75f97b4167
Instruction ID: 1b3801d43d5ea1ebc0a764e68fe05f2fe1fa58d6009b549fa0290426ecc36e24
Opcode Fuzzy Hash: c74ba5b030c761a60f0113d4b2ef02ebbd1be8af44c63dace1925c75f97b4167
Instruction Fuzzy Hash: 91D0C971A15208EF8B44DFA8DD0189DBBF9EB45215B1041EAA809D3750EE325F04EB81

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report JawnEmT6S2.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Njrat

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Umbrella.flv.exe

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\JawnEmT6S2.exe.log

C:\Users\user\AppData\Local\Temp\server.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Epic Games.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bd45e682ad8a06dcb9168f1be41d3129Epic Games.exe

C:\Users\user\AppData\Roaming\app

C:\autorun.inf

\Device\ConDrv

Static File Info

General

File Icon

Windows Analysis Report
JawnEmT6S2.exe

Function 04CD4298 Relevance: 4.4, Strings: 2, Instructions: 1950
COMMON

Function 04CD428F Relevance: 4.2, Strings: 2, Instructions: 1746
COMMON

Function 04CD3449 Relevance: 5.0, Strings: 4, Instructions: 39
COMMON

Function 00BFAA75 Relevance: 1.6, APIs: 1, Instructions: 92
fileCOMMON

Function 00BFB036 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Function 00BFA6CE Relevance: 1.6, APIs: 1, Instructions: 85
comclipboardCOMMON

Function 00BFAE77 Relevance: 1.6, APIs: 1, Instructions: 78
fileCOMMON

Function 00BFAAA6 Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Function 00BFA9BF Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Function 00BFAC37 Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Function 00BFB06A Relevance: 1.6, APIs: 1, Instructions: 72
synchronizationCOMMON

Function 00BFAB7C Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Function 00BFA61E Relevance: 1.6, APIs: 1, Instructions: 65
comCOMMON

Function 00BFA573 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Function 00BFAEAE Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON