Windows Analysis Report
Server1.exe

Overview

General Information

Sample name: Server1.exe
Analysis ID: 1575627
MD5: 71b3810a22e1b51e8b88cd63b5e23ba0
SHA1: 7ac4ab80301dcabcc97ec68093ed775d148946de
SHA256: 57bf3ab110dc44c56ed5a53b02b8c9ccc24054cf9c9a5aacc72f71a992138a3f
Tags: exe, NjRAT, user-lontze7

Detection

Njrat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Njrat
.NET source code contains potential unpacker
AI detected suspicious sample
Contains functionality to disable the Task Manager (.Net Source)
Contains functionality to spread to USB devices (.Net source)
Disables zone checking for all users
Machine Learning detection for sample
Modifies the windows firewall
Uses netsh to modify the Windows network and firewall settings
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Classification

  • System is w10x64
  • Server1.exe (PID: 6388 cmdline: "C:\Users\user\Desktop\Server1.exe" MD5: 71B3810A22E1B51E8B88CD63B5E23BA0)
    • netsh.exe (PID: 7388 cmdline: netsh firewall add allowedprogram "C:\Users\user\Desktop\Server1.exe" "Server1.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 7396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: NjRAT
Description: RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives." It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.
Attribution:
  • AQUATIC PANDA
  • Earth Lusca
  • Operation C-Major
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat
{"Campaign ID": "HacKed", "Version": "0.7d", "Install Name": "f41ac0c2ea25f3f8b0a75a7371d6b015", "Install Dir": "Adobe Update", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Network Seprator": "|'|'|"}
Source | Rule | Description | Author | Strings
Server1.exe | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
Server1.exe | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
  • 0x115d2:$a1: get_Registry
  • 0x15a4f:$a2: SEE_MASK_NOZONECHECKS
  • 0x156f1:$a3: Download ERROR
  • 0x15ca1:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x13c2e:$a5: netsh firewall delete allowedprogram "
Server1.exe | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0x15ca1:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x137ba:$s1: winmgmts:\\.\root\SecurityCenter2
  • 0x1570f:$s3: Executed As
  • 0x124f0:$s5: Stub.exe
  • 0x156f1:$s6: Download ERROR
  • 0x1377c:$s8: Select * From AntiVirusProduct
Server1.exe | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x15a4f:$reg: SEE_MASK_NOZONECHECKS
  • 0x156d5:$msg: Execute ERROR
  • 0x15729:$msg: Execute ERROR
  • 0x15ca1:$ping: cmd.exe /c ping 0 -n 2 & del
Server1.exe | MALWARE_Win_NjRAT | Detects NjRAT / Bladabindi | ditekSHen
  • 0x13c2e:$s1: netsh firewall delete allowedprogram
  • 0x13c80:$s2: netsh firewall add allowedprogram
  • 0x15ca1:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67
  • 0x156d5:$s4: Execute ERROR
  • 0x15729:$s4: Execute ERROR
  • 0x156f1:$s5: Download ERROR

Source | Rule | Description | Author | Strings
00000005.00000000.1270611811.0000000000982000.00000002.00000001.01000000.00000004.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
00000005.00000000.1270611811.0000000000982000.00000002.00000001.01000000.00000004.sdmp | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
  • 0x113d2:$a1: get_Registry
  • 0x1584f:$a2: SEE_MASK_NOZONECHECKS
  • 0x154f1:$a3: Download ERROR
  • 0x15aa1:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x13a2e:$a5: netsh firewall delete allowedprogram "
00000005.00000000.1270611811.0000000000982000.00000002.00000001.01000000.00000004.sdmp | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x1584f:$reg: SEE_MASK_NOZONECHECKS
  • 0x154d5:$msg: Execute ERROR
  • 0x15529:$msg: Execute ERROR
  • 0x15aa1:$ping: cmd.exe /c ping 0 -n 2 & del
00000005.00000002.3710332991.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
Process Memory Space: Server1.exe PID: 6388 | JoeSecurity_Njrat | Yara detected Njrat | Joe Security

Source | Rule | Description | Author | Strings
5.0.Server1.exe.980000.0.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
5.0.Server1.exe.980000.0.unpack | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
  • 0x115d2:$a1: get_Registry
  • 0x15a4f:$a2: SEE_MASK_NOZONECHECKS
  • 0x156f1:$a3: Download ERROR
  • 0x15ca1:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x13c2e:$a5: netsh firewall delete allowedprogram "
5.0.Server1.exe.980000.0.unpack | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0x15ca1:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x137ba:$s1: winmgmts:\\.\root\SecurityCenter2
  • 0x1570f:$s3: Executed As
  • 0x124f0:$s5: Stub.exe
  • 0x156f1:$s6: Download ERROR
  • 0x1377c:$s8: Select * From AntiVirusProduct
5.0.Server1.exe.980000.0.unpack | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x15a4f:$reg: SEE_MASK_NOZONECHECKS
  • 0x156d5:$msg: Execute ERROR
  • 0x15729:$msg: Execute ERROR
  • 0x15ca1:$ping: cmd.exe /c ping 0 -n 2 & del
5.0.Server1.exe.980000.0.unpack | MALWARE_Win_NjRAT | Detects NjRAT / Bladabindi | ditekSHen
  • 0x13c2e:$s1: netsh firewall delete allowedprogram
  • 0x13c80:$s2: netsh firewall add allowedprogram
  • 0x15ca1:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67
  • 0x156d5:$s4: Execute ERROR
  • 0x15729:$s4: Execute ERROR
  • 0x156f1:$s5: Download ERROR

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-16T07:23:58.698019+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49701 | 147.185.221.17 | 30620 | TCP
2024-12-16T07:24:22.650603+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49751 | 147.185.221.17 | 30620 | TCP
2024-12-16T07:24:46.687454+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49803 | 147.185.221.17 | 30620 | TCP
2024-12-16T07:25:10.750212+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49859 | 147.185.221.17 | 30620 | TCP
2024-12-16T07:25:34.794300+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49912 | 147.185.221.17 | 30620 | TCP
2024-12-16T07:25:58.829680+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49965 | 147.185.221.17 | 30620 | TCP
2024-12-16T07:26:23.028794+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49978 | 147.185.221.17 | 30620 | TCP
2024-12-16T07:26:47.155397+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49979 | 147.185.221.17 | 30620 | TCP
2024-12-16T07:27:11.200852+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49980 | 147.185.221.17 | 30620 | TCP
2024-12-16T07:27:35.232085+0100 | 2021176 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49981 | 147.185.221.17 | 30620 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-16T07:23:58.698019+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49701 | 147.185.221.17 | 30620 | TCP
2024-12-16T07:24:22.650603+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49751 | 147.185.221.17 | 30620 | TCP
2024-12-16T07:24:46.687454+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49803 | 147.185.221.17 | 30620 | TCP
2024-12-16T07:25:10.750212+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49859 | 147.185.221.17 | 30620 | TCP
2024-12-16T07:25:34.794300+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49912 | 147.185.221.17 | 30620 | TCP
2024-12-16T07:25:58.829680+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49965 | 147.185.221.17 | 30620 | TCP
2024-12-16T07:26:23.028794+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49978 | 147.185.221.17 | 30620 | TCP
2024-12-16T07:26:47.155397+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49979 | 147.185.221.17 | 30620 | TCP
2024-12-16T07:27:11.200852+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49980 | 147.185.221.17 | 30620 | TCP
2024-12-16T07:27:35.232085+0100 | 2033132 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49981 | 147.185.221.17 | 30620 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-16T07:24:04.876444+0100 | 2825564 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49701 | 147.185.221.17 | 30620 | TCP
2024-12-16T07:24:47.828553+0100 | 2825564 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49803 | 147.185.221.17 | 30620 | TCP
2024-12-16T07:26:27.000700+0100 | 2825564 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49978 | 147.185.221.17 | 30620 | TCP
2024-12-16T07:26:49.016502+0100 | 2825564 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49979 | 147.185.221.17 | 30620 | TCP
2024-12-16T07:27:41.446148+0100 | 2825564 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49981 | 147.185.221.17 | 30620 | TCP

AV Detection

Source: Server1.exe | Avira: detected
Source: 5.0.Server1.exe.980000.0.unpack | Malware Configuration Extractor: Njrat {"Campaign ID": "HacKed", "Version": "0.7d", "Install Name": "f41ac0c2ea25f3f8b0a75a7371d6b015", "Install Dir": "Adobe Update", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Network Seprator": "|'|'|"}
Source: Server1.exe | ReversingLabs: Detection: 86%
Source: Yara match | File source: Server1.exe, type: SAMPLE
Source: Yara match | File source: 5.0.Server1.exe.980000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000000.1270611811.0000000000982000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3710332991.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Server1.exe PID: 6388, type: MEMORYSTR
Source: Submited Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Server1.exe | Joe Sandbox ML: detected
Source: Server1.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\Server1.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: Server1.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Spreading

Source: Server1.exe, Usb1.cs | .Net Code: infect
Source: Server1.exe, 00000005.00000000.1270611811.0000000000982000.00000002.00000001.01000000.00000004.sdmp | Binary or memory string: \autorun.inf
Source: Server1.exe, 00000005.00000000.1270611811.0000000000982000.00000002.00000001.01000000.00000004.sdmp | Binary or memory string: [autorun]
Source: Server1.exe, 00000005.00000000.1270611811.0000000000982000.00000002.00000001.01000000.00000004.sdmp | Binary or memory string: autorun.inf
Source: Server1.exe | Binary or memory string: \autorun.inf
Source: Server1.exe | Binary or memory string: [autorun]
Source: Server1.exe | Binary or memory string: autorun.inf

Networking

Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.7:49701 -> 147.185.221.17:30620
Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.7:49701 -> 147.185.221.17:30620
Source: Network traffic | Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.7:49701 -> 147.185.221.17:30620
Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.7:49751 -> 147.185.221.17:30620
Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.7:49751 -> 147.185.221.17:30620
Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.7:49803 -> 147.185.221.17:30620
Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.7:49803 -> 147.185.221.17:30620
Source: Network traffic | Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.7:49803 -> 147.185.221.17:30620
Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.7:49859 -> 147.185.221.17:30620
Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.7:49859 -> 147.185.221.17:30620
Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.7:49912 -> 147.185.221.17:30620
Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.7:49912 -> 147.185.221.17:30620
Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.7:49965 -> 147.185.221.17:30620
Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.7:49965 -> 147.185.221.17:30620
Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.7:49981 -> 147.185.221.17:30620
Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.7:49981 -> 147.185.221.17:30620
Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.7:49979 -> 147.185.221.17:30620
Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.7:49979 -> 147.185.221.17:30620
Source: Network traffic | Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.7:49981 -> 147.185.221.17:30620
Source: Network traffic | Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.7:49979 -> 147.185.221.17:30620
Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.7:49978 -> 147.185.221.17:30620
Source: Network traffic | Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.7:49980 -> 147.185.221.17:30620
Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.7:49978 -> 147.185.221.17:30620
Source: Network traffic | Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.7:49980 -> 147.185.221.17:30620
Source: Network traffic | Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.7:49978 -> 147.185.221.17:30620
Source: global traffic | TCP traffic: 192.168.2.7:49701 -> 147.185.221.17:30620
Source: Joe Sandbox View | IP Address: 147.185.221.17 147.185.221.17
Source: Joe Sandbox View | ASN Name: SALSGIVERUS SALSGIVERUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: exchange-reasonably.gl.at.ply.gg
Source: Server1.exe, 00000005.00000002.3709532390.0000000000F19000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.microsoft.
Source: Server1.exe, 00000005.00000002.3709532390.0000000000F19000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.microsoft.LinkId=42127
Source: C:\Users\user\Desktop\Server1.exe | Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud

Source: Yara match | File source: Server1.exe, type: SAMPLE
Source: Yara match | File source: 5.0.Server1.exe.980000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000000.1270611811.0000000000982000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3710332991.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Server1.exe PID: 6388, type: MEMORYSTR

System Summary

Source: Server1.exe, type: SAMPLE | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: Server1.exe, type: SAMPLE | Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: Server1.exe, type: SAMPLE | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: Server1.exe, type: SAMPLE | Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 5.0.Server1.exe.980000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 5.0.Server1.exe.980000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 5.0.Server1.exe.980000.0.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.Server1.exe.980000.0.unpack, type: UNPACKEDPE | Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000005.00000000.1270611811.0000000000982000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000005.00000000.1270611811.0000000000982000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\Server1.exe | Process Stats: CPU usage > 49%
Source: Server1.exe, 00000005.00000002.3709532390.0000000000E8E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs Server1.exe
Source: Server1.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Server1.exe, type: SAMPLE | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: Server1.exe, type: SAMPLE | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Server1.exe, type: SAMPLE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: Server1.exe, type: SAMPLE | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 5.0.Server1.exe.980000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 5.0.Server1.exe.980000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.0.Server1.exe.980000.0.unpack, type: UNPACKEDPE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 5.0.Server1.exe.980000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000005.00000000.1270611811.0000000000982000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000005.00000000.1270611811.0000000000982000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: classification engine | Classification label: mal100.spre.phis.troj.evad.winEXE@4/2@1/1
Source: C:\Users\user\Desktop\Server1.exe | Code function: 5_2_052C24BE AdjustTokenPrivileges,5_2_052C24BE
Source: C:\Users\user\Desktop\Server1.exe | Code function: 5_2_052C2487 AdjustTokenPrivileges,5_2_052C2487
Source: C:\Users\user\Desktop\Server1.exe | File created: C:\Users\user\AppData\Roaming\app
Source: C:\Users\user\Desktop\Server1.exe | Mutant created: \Sessions\1\BaseNamedObjects\f41ac0c2ea25f3f8b0a75a7371d6b015
Source: C:\Users\user\Desktop\Server1.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7396:120:WilError_03
Source: C:\Users\user\Desktop\Server1.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\Server1.exe | File created: C:\Users\user\AppData\Local\Temp\FransescoPast.txt
Source: Server1.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Server1.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\Server1.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Server1.exe | ReversingLabs: Detection: 86%
Source: unknown | Process created: C:\Users\user\Desktop\Server1.exe "C:\Users\user\Desktop\Server1.exe"
Source: C:\Users\user\Desktop\Server1.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\Server1.exe" "Server1.exe" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Server1.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\Desktop\Server1.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\Desktop\Server1.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\Server1.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\Server1.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\Server1.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\Server1.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\Server1.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\Server1.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Users\user\Desktop\Server1.exeSection loaded: shfolder.dllJump to behavior
            Source: C:\Users\user\Desktop\Server1.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\Desktop\Server1.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\Desktop\Server1.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\Desktop\Server1.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\user\Desktop\Server1.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Users\user\Desktop\Server1.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\Server1.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Users\user\Desktop\Server1.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Users\user\Desktop\Server1.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\Server1.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Users\user\Desktop\Server1.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\Desktop\Server1.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ifmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasmontr.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasapi32.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mfc42u.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: authfwcfg.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpolicyiomgr.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: firewallapi.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwbase.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcmonitor.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3cfg.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3api.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: onex.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappcfg.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ncrypt.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappprxy.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ntasn1.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwcfg.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: hnetmon.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netshell.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nlaapi.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netsetupapi.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netiohlp.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcsvc.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winnsi.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshhttp.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: httpapi.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshipsec.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: activeds.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: polstore.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winipsec.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: adsldpc.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshwfp.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cabinet.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2pnetsh.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2p.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rpcnsh.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: whhelper.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlancfg.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlanapi.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wshelper.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wevtapi.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mswsock.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: peerdistsh.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wcmapi.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rmclient.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mobilenetworking.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: slc.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: sppc.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ktmw32.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprmsg.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\Server1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocServer32
            Source: C:\Users\user\Desktop\Server1.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
            Source: Server1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: C:\Users\user\Desktop\Server1.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
            Source: Server1.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

            Source: Server1.exe, Fransesco.cs .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
            Source: C:\Users\user\Desktop\Server1.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Server1.exe Memory allocated: 1230000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\Server1.exe Memory allocated: 2F90000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\Server1.exe Memory allocated: 4F90000 memory commit | memory reserve | memory write watch
            Source: C:\Users\user\Desktop\Server1.exe Window / User API: threadDelayed 917
            Source: C:\Users\user\Desktop\Server1.exe Window / User API: threadDelayed 5448
            Source: C:\Users\user\Desktop\Server1.exe Window / User API: threadDelayed 3020
            Source: C:\Users\user\Desktop\Server1.exe Window / User API: foregroundWindowGot 774
            Source: C:\Users\user\Desktop\Server1.exe TID: 6012 Thread sleep count: 917 > 30
            Source: C:\Users\user\Desktop\Server1.exe TID: 6012 Thread sleep time: -91700s >= -30000s
            Source: C:\Users\user\Desktop\Server1.exe TID: 7096 Thread sleep count: 5448 > 30
            Source: C:\Users\user\Desktop\Server1.exe TID: 7096 Thread sleep time: -5448000s >= -30000s
            Source: C:\Users\user\Desktop\Server1.exe TID: 7096 Thread sleep count: 3020 > 30
            Source: C:\Users\user\Desktop\Server1.exe TID: 7096 Thread sleep time: -3020000s >= -30000s
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: Server1.exe, 00000005.00000002.3709532390.0000000000F19000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000008.00000003.1315148518.0000000001341000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\Server1.exe Process token adjusted: Debug
            Source: C:\Users\user\Desktop\Server1.exe Memory allocated: page read and write | page guard
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 07:00:11 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/08 | 14:34:06 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/12/30 | 05:27:49 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/12/16 | 22:54:40 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 06:43:21 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/01 | 15:50:55 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/12/21 | 12:17:04 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/08 | 13:16:43 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/12/16 | 17:41:44 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/12/16 | 22:38:33 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/12/28 | 00:16:40 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/08 | 14:24:47 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 03:53:28 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/08 | 12:53:45 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 04:48:00 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 04:38:41 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/12/16 | 21:24:21 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 05:03:43 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 04:50:04 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 05:13:02 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/12/16 | 20:47:39 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/12/17 | 01:59:06 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 07:11:00 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/08 | 13:15:50 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/12/30 | 06:19:07 - Program Manager
            Source: Server1.exe, 00000005.00000002.3710332991.00000000031E3000.00000004.00000800.00020000.00000000.sdmp, Server1.exe, 00000005.00000002.3710332991.0000000003075000.00000004.00000800.00020000.00000000.sdmp, Server1.exe, 00000005.00000002.3710332991.0000000003387000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/12/16 | 16:48:16 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/12/17 | 01:49:47 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/01 | 13:28:38 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/08 | 14:23:54 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 04:52:27 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/08 | 14:33:13 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 03:39:05 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/08 | 12:42:19 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/12/21 | 10:52:13 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 05:37:40 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/01 | 13:23:21 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/12/16 | 18:58:33 - Program Manager
            Source: Server1.exe, 00000005.00000002.3710332991.00000000031E3000.00000004.00000800.00020000.00000000.sdmp, Server1.exe, 00000005.00000002.3710332991.0000000003075000.00000004.00000800.00020000.00000000.sdmp, Server1.exe, 00000005.00000002.3710332991.0000000003387000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/12/16 | 15:58:42 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/12/17 | 02:31:10 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 04:47:09 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/12/16 | 23:58:19 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/12/30 | 07:12:35 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 05:56:41 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 05:11:18 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/08 | 13:27:32 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/12/30 | 06:26:48 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/12/17 | 02:40:52 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 05:01:59 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/08 | 12:43:49 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 07:01:41 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 04:01:50 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 06:44:14 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/08 | 12:53:08 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 07:42:59 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/12/30 | 08:00:08 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/12/23 | 17:09:32 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 07:52:18 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 04:20:51 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 07:12:30 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 08:37:31 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 04:41:38 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 06:37:49 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 05:04:36 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/08 | 13:38:21 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/12/23 | 16:59:46 - Program Manager
            Source: Server1.exe, 00000005.00000002.3710332991.00000000031E3000.00000004.00000800.00020000.00000000.sdmp, Server1.exe, 00000005.00000002.3710332991.0000000003075000.00000004.00000800.00020000.00000000.sdmp, Server1.exe, 00000005.00000002.3710332991.0000000003387000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/12/16 | 16:46:52 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 05:39:04 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/08 | 13:57:22 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/08 | 14:00:09 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 08:20:34 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 04:30:10 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/08 | 13:14:20 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 07:07:12 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 03:36:28 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 03:44:23 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 05:26:51 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/12/17 | 00:11:34 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/03 | 21:29:19 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 08:05:57 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/12/19 | 07:33:36 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 05:36:10 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/12/16 | 23:36:02 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/08 | 14:22:24 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 06:34:55 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/08 | 13:31:20 - Program Manager
            Source: Server1.exe, 00000005.00000002.3710332991.00000000031E3000.00000004.00000800.00020000.00000000.sdmp, Server1.exe, 00000005.00000002.3710332991.0000000003075000.00000004.00000800.00020000.00000000.sdmp, Server1.exe, 00000005.00000002.3710332991.0000000003387000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/12/16 | 16:42:45 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/12/16 | 17:52:33 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 04:57:42 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/08 | 14:29:25 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 04:48:39 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 05:00:29 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/12/30 | 07:35:06 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 06:00:58 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/08 | 13:19:37 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/08 | 13:05:17 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 06:12:01 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 07:10:46 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/12/17 | 03:46:52 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 08:11:09 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/01 | 18:04:49 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 07:20:05 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 05:02:13 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 05:51:26 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/01 | 17:30:23 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/12/16 | 23:39:55 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 07:36:48 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 03:11:19 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 04:05:37 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/12/23 | 16:48:57 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 06:28:44 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 06:38:03 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/08 | 12:58:23 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/03 | 21:44:33 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/03 | 22:28:18 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 07:06:58 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/12/16 | 22:37:03 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 06:08:13 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 04:00:20 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/12/30 | 08:53:43 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/08 | 13:52:07 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/08 | 14:31:29 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 05:45:15 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/08 | 13:42:48 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/12/16 | 20:38:34 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/01 | 14:58:57 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 06:53:19 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/12/19 | 07:31:13 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/01 | 16:29:59 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 07:59:19 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/12/25 | 20:38:29 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 03:05:08 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/12/16 | 23:53:02 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 08:03:34 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 07:40:36 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 07:38:32 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/12/16 | 17:28:14 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 05:16:55 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 08:32:53 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 07:11:39 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/01 | 14:24:21 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 08:54:48 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 08:33:24 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/08 | 13:02:01 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 04:08:51 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 02:32:12 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 05:52:56 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/08 | 13:01:30 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 04:39:34 - Program Manager
            Source: Server1.exe, 00000005.00000002.3710332991.00000000031E3000.00000004.00000800.00020000.00000000.sdmp, Server1.exe, 00000005.00000002.3710332991.0000000003387000.00000004.00000800.00020000.00000000.sdmp, Server1.exe, 00000005.00000002.3710332991.00000000032C2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/12/16 | 17:02:29 - Program Manager
            Source: Server1.exe Binary or memory string: Shell_traywnd+MostrarBarraDeTarefas
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/12/21 | 12:16:11 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/08 | 12:56:22 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 06:54:10 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/01 | 13:23:38 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/01 | 17:36:31 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 05:32:40 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/08 | 12:54:38 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 07:26:13 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/08 | 13:11:06 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/08 | 13:52:44 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/08 | 13:28:25 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/12/16 | 19:27:59 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/12/16 | 21:42:14 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/12/30 | 06:48:26 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 03:51:05 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/01 | 12:52:11 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/12/28 | 01:13:18 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 03:56:42 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 05:49:39 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 07:01:58 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 08:34:17 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 08:10:38 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/01 | 15:31:17 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 07:45:36 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/01 | 16:24:59 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/08 | 14:32:20 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/01 | 12:40:09 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 04:23:08 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 06:30:31 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/12/21 | 12:35:34 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 07:50:32 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/12/17 | 03:57:04 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 03:34:27 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/08 | 14:31:12 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/03 | 22:25:02 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/12/17 | 03:53:56 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 03:57:50 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/12/17 | 00:53:43 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 03:58:06 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 04:35:10 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 05:10:25 - Program Manager
            Source: Server1.exe, 00000005.00000002.3711358659.0000000003F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/01/06 | 03:54:58 - Program Manager
            Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\Desktop\Server1.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Lowering of HIPS / PFW / Operating System Security Settings

            Source: Server1.exe, Fransesco.cs | .Net Code: INS
            Source: C:\Users\user\Desktop\Server1.exe | Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS
            Source: C:\Users\user\Desktop\Server1.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\Server1.exe" "Server1.exe" ENABLE

            Stealing of Sensitive Information

            Source: Yara match | File source: Server1.exe, type: SAMPLE
            Source: Yara match | File source: 5.0.Server1.exe.980000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000005.00000000.1270611811.0000000000982000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.3710332991.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: Server1.exe PID: 6388, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match | File source: Server1.exe, type: SAMPLE
            Source: Yara match | File source: 5.0.Server1.exe.980000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000005.00000000.1270611811.0000000000982000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.3710332991.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: Server1.exe PID: 6388, type: MEMORYSTR
            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | 11 Replication Through Removable Media | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Access Token Manipulation | 1 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
            Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 2 Process Injection | 2 Virtualization/Sandbox Evasion | LSASS Memory | 2 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Clipboard Data | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 41 Disable or Modify Tools | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Access Token Manipulation | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 1 Application Layer Protocol | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Process Injection | LSA Secrets | 1 Peripheral Device Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Software Packing | Cached Domain Credentials | 12 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Source | Detection | Scanner | Label
            Server1.exe | 87% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
            Server1.exe | 100% | Avira | TR/Dropper.Gen
            Server1.exe | 100% | Joe Sandbox ML |
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
            Source | Detection | Scanner | Label
            http://go.microsoft.LinkId=42127 | 0% | Avira URL Cloud | safe
            http://go.microsoft. | 0% | Avira URL Cloud | safe
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            exchange-reasonably.gl.at.ply.gg | 147.185.221.17 | true | true |  | unknown
              Name | Source | Malicious | Antivirus Detection | Reputation
              http://go.microsoft. | Server1.exe, 00000005.00000002.3709532390.0000000000F19000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              http://go.microsoft.LinkId=42127 | Server1.exe, 00000005.00000002.3709532390.0000000000F19000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              IP | Domain | Country | ASN | ASN Name | Malicious
              147.185.221.17 | exchange-reasonably.gl.at.ply.gg | United States | 12087 | SALSGIVERUS | true
              Joe Sandbox version: 41.0.0 Charoite
              Analysis ID: 1575627
              Start date and time: 2024-12-16 07:22:54 +01:00
              Joe Sandbox product: CloudBasic
              Overall analysis duration: 0h 6m 44s
              Hypervisor based Inspection enabled: false
              Report type: full
              Cookbook file name: default.jbs
              Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
              Number of analysed new started processes analysed: 16
              Number of new started drivers analysed: 0
              Number of existing processes analysed: 0
              Number of existing drivers analysed: 0
              Number of injected processes analysed: 0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode: default
              Analysis stop reason: Timeout
              Sample name: Server1.exe
              Detection: MAL
              Classification: mal100.spre.phis.troj.evad.winEXE@4/2@1/1
              EGA Information:
              • Successful, ratio: 100%
              HCA Information:
              • Successful, ratio: 98%
              • Number of executed functions: 119
              • Number of non-executed functions: 12
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Override analysis time to 240s for sample files taking high CPU consumption
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
              • Excluded IPs from analysis (whitelisted): 13.107.246.63, 172.202.163.200
              • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
              • Not all processes where analyzed, report is missing behavior information
              • Report size getting too big, too many NtQueryValueKey calls found.
              • VT rate limit hit for: Server1.exe
              Time | Type | Description
              03:19:11 | API Interceptor | 526247x Sleep call for process: Server1.exe modified
              Match | Associated Sample Name / URL | Detection | Threat Name
              147.185.221.17 | 5q4X9fRo4b.exe | malicious | AsyncRAT, XWorm
              147.185.221.17 | IWsK3V2Ul9.exe | malicious | ArrowRAT
              147.185.221.17 | SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe | malicious | SheetRat
              147.185.221.17 | 80c619d931fa4e5c89fe87aac0b6b143.exe | malicious | XWorm
              147.185.221.17 | 6ab092aeab924edb854b3ff21ea579df.exe | malicious | XWorm
              147.185.221.17 | Hoodbyunlock.exe | malicious | XWorm
              147.185.221.17 | x.exe | malicious | XWorm
              147.185.221.17 | cougif6lqM.exe | malicious | DCRat, XWorm
              147.185.221.17 | FUDE.bin.exe | malicious | XWorm
              147.185.221.17 | system47.exe | malicious | XWorm
                                  No context
                                  Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                  SALSGIVERUS | njSilent.exe | malicious | Njrat | 147.185.221.19
                                  SALSGIVERUS | Minet.exe | malicious | Njrat | 147.185.221.22
                                  SALSGIVERUS | Discordd.exe | malicious | AsyncRAT | 147.185.221.18
                                  SALSGIVERUS | Discord2.exe | malicious | AsyncRAT | 147.185.221.18
                                  SALSGIVERUS | Discord3.exe | malicious | AsyncRAT | 147.185.221.18
                                  SALSGIVERUS | Loader.exe | malicious | AsyncRAT | 147.185.221.20
                                  SALSGIVERUS | 72OWK7wBVH.exe | malicious | XWorm | 147.185.221.24
                                  SALSGIVERUS | aZDwfEKorn.exe | malicious | XWorm | 147.185.221.24
                                  SALSGIVERUS | HdTSntLSMB.exe | malicious | XWorm | 147.185.221.24
                                  SALSGIVERUS | 7laJ4zKd8O.exe | malicious | XWorm | 147.185.221.18
                                  No context
                                  No context
                                  Process: C:\Users\user\Desktop\Server1.exe
                                  File Type: Unicode text, UTF-8 (with BOM) text, with no line terminators
                                  Category: dropped
                                  Size (bytes): 5
                                  Entropy (8bit): 2.321928094887362
                                  Encrypted: false
                                  SSDEEP: 3:1n:1
                                  MD5: 02B81B0CBE1FAAA1FA62D5FC876AB443
                                  SHA1: D473CFE21FB1F188689415B0BDD239688F8FDDD9
                                  SHA-256: E7E9E2C247BC872BACCE77661C78F001A17D70EE3130A9016A5818DA9DA00CDB
                                  SHA-512: 592AB5B200D4C560951CB70288DC1B7A562F0CBFAEE01CE03076B6934D537B88575C2E1E0FEDCC05DB95E6C224CA739923E7D74F9165E683F3FBAD7BBF641784
                                  Malicious: false
                                  Reputation: moderate, very likely benign file
                                  Preview: .16

                                  Process: C:\Windows\SysWOW64\netsh.exe
                                  File Type: ASCII text, with CRLF line terminators
                                  Category: dropped
                                  Size (bytes): 313
                                  Entropy (8bit): 4.971939296804078
                                  Encrypted: false
                                  SSDEEP: 6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
                                  MD5: 689E2126A85BF55121488295EE068FA1
                                  SHA1: 09BAAA253A49D80C18326DFBCA106551EBF22DD6
                                  SHA-256: D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
                                  SHA-512: C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
                                  Malicious: false
                                  Reputation: high, very likely benign file
                                  Preview: ..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....
                                  File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Entropy (8bit): 5.566845908613344
                                  TrID:
                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                  • Win32 Executable (generic) a (10002005/4) 49.75%
                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                  • Windows Screen Saver (13104/52) 0.07%
                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                  File name: Server1.exe
                                  File size: 95'232 bytes
                                  MD5: 71b3810a22e1b51e8b88cd63b5e23ba0
                                  SHA1: 7ac4ab80301dcabcc97ec68093ed775d148946de
                                  SHA256: 57bf3ab110dc44c56ed5a53b02b8c9ccc24054cf9c9a5aacc72f71a992138a3f
                                  SHA512: 85ddc05305902ed668981b2c33bab16f8e5a5d9db9ff1cee4d4a06c917075e7d59776bebfb3a3128ec4432db63f07c593af6f4907a5b75c9027f1bc9538612e8
                                  SSDEEP: 1536:PUNJD/HBZbszKu9AZpE7r1jEwzGi1dDWDtgS:PUUzK4AZCHCi1dA6
                                  TLSH: 7D93E94977E52524E0BF56F75471F2014E34B48B1612E39D58F219AA0B33AC48F8AFEB
                                  File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....be.................p............... ........@.. ....................................@................................
                                  Icon Hash: 00928e8e8686b000
                                  Entrypoint: 0x418f1e
                                  Entrypoint Section: .text
                                  Digitally signed: false
                                  Imagebase: 0x400000
                                  Subsystem: windows gui
                                  Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                  Time Stamp: 0x656291C7 [Sun Nov 26 00:31:03 2023 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major: 4
                                  OS Version Minor: 0
                                  File Version Major: 4
                                  File Version Minor: 0
                                  Subsystem Version Major: 4
                                  Subsystem Version Minor: 0
                                  Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
                                  Instruction
                                  jmp dword ptr [00402000h]
                                  add byte ptr [eax], al
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x18ed0 | 0x4b | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1a000 | 0xc | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |

| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x2000 | 0x16f24 | 0x17000 | c577ce6089fb21c8c7c8fb2b5f3c04a1 | False | 0.3683975883152174 | data | 5.598588890470676 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .reloc | 0x1a000 | 0xc | 0x200 | 9dc49a004fa3bd643fadc899ad4fdf5d | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |

| DLL | Import |
|---|---|
| mscoree.dll | _CorExeMain |

| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-16T07:23:58.698019+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.7 | 49701 | 147.185.221.17 | 30620 | TCP |
| 2024-12-16T07:23:58.698019+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.7 | 49701 | 147.185.221.17 | 30620 | TCP |
| 2024-12-16T07:24:04.876444+0100 | 2825564 | ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) | 1 | 192.168.2.7 | 49701 | 147.185.221.17 | 30620 | TCP |
| 2024-12-16T07:24:22.650603+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.7 | 49751 | 147.185.221.17 | 30620 | TCP |
| 2024-12-16T07:24:22.650603+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.7 | 49751 | 147.185.221.17 | 30620 | TCP |
| 2024-12-16T07:24:46.687454+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.7 | 49803 | 147.185.221.17 | 30620 | TCP |
| 2024-12-16T07:24:46.687454+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.7 | 49803 | 147.185.221.17 | 30620 | TCP |
| 2024-12-16T07:24:47.828553+0100 | 2825564 | ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) | 1 | 192.168.2.7 | 49803 | 147.185.221.17 | 30620 | TCP |
| 2024-12-16T07:25:10.750212+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.7 | 49859 | 147.185.221.17 | 30620 | TCP |
| 2024-12-16T07:25:10.750212+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.7 | 49859 | 147.185.221.17 | 30620 | TCP |
| 2024-12-16T07:25:34.794300+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.7 | 49912 | 147.185.221.17 | 30620 | TCP |
| 2024-12-16T07:25:34.794300+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.7 | 49912 | 147.185.221.17 | 30620 | TCP |
| 2024-12-16T07:25:58.829680+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.7 | 49965 | 147.185.221.17 | 30620 | TCP |
| 2024-12-16T07:25:58.829680+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.7 | 49965 | 147.185.221.17 | 30620 | TCP |
| 2024-12-16T07:26:23.028794+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.7 | 49978 | 147.185.221.17 | 30620 | TCP |
| 2024-12-16T07:26:23.028794+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.7 | 49978 | 147.185.221.17 | 30620 | TCP |
| 2024-12-16T07:26:27.000700+0100 | 2825564 | ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) | 1 | 192.168.2.7 | 49978 | 147.185.221.17 | 30620 | TCP |
| 2024-12-16T07:26:47.155397+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.7 | 49979 | 147.185.221.17 | 30620 | TCP |
| 2024-12-16T07:26:47.155397+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.7 | 49979 | 147.185.221.17 | 30620 | TCP |
| 2024-12-16T07:26:49.016502+0100 | 2825564 | ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) | 1 | 192.168.2.7 | 49979 | 147.185.221.17 | 30620 | TCP |
| 2024-12-16T07:27:11.200852+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.7 | 49980 | 147.185.221.17 | 30620 | TCP |
| 2024-12-16T07:27:11.200852+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.7 | 49980 | 147.185.221.17 | 30620 | TCP |
| 2024-12-16T07:27:35.232085+0100 | 2033132 | ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) | 1 | 192.168.2.7 | 49981 | 147.185.221.17 | 30620 | TCP |
| 2024-12-16T07:27:35.232085+0100 | 2021176 | ET MALWARE Bladabindi/njRAT CnC Command (ll) | 1 | 192.168.2.7 | 49981 | 147.185.221.17 | 30620 | TCP |
| 2024-12-16T07:27:41.446148+0100 | 2825564 | ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) | 1 | 192.168.2.7 | 49981 | 147.185.221.17 | 30620 | TCP |

| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 16, 2024 07:23:58.236129045 CET | 49990 | 53 | 192.168.2.7 | 1.1.1.1 |
| Dec 16, 2024 07:23:58.485513926 CET | 53 | 49990 | 1.1.1.1 | 192.168.2.7 |

| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Dec 16, 2024 07:23:58.236129045 CET | 192.168.2.7 | 1.1.1.1 | 0x7fb5 | Standard query (0) | exchange-reasonably.gl.at.ply.gg | A (IP address) | IN (0x0001) | false |

| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Dec 16, 2024 07:23:58.485513926 CET | 1.1.1.1 | 192.168.2.7 | 0x7fb5 | No error (0) | exchange-reasonably.gl.at.ply.gg | | 147.185.221.17 | A (IP address) | IN (0x0001) | false |

                                  Target ID:5
                                  Start time:01:23:50
                                  Start date:16/12/2024
                                  Path:C:\Users\user\Desktop\Server1.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\Server1.exe"
                                  Imagebase:0x980000
                                  File size:95'232 bytes
                                  MD5 hash:71B3810A22E1B51E8B88CD63B5E23BA0
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000005.00000000.1270611811.0000000000982000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000005.00000000.1270611811.0000000000982000.00000002.00000001.01000000.00000004.sdmp, Author: unknown
                                  • Rule: Njrat, Description: detect njRAT in memory, Source: 00000005.00000000.1270611811.0000000000982000.00000002.00000001.01000000.00000004.sdmp, Author: JPCERT/CC Incident Response Group
                                  • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000005.00000002.3710332991.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation:low
                                  Has exited:false

                                  Target ID:8
                                  Start time:01:23:53
                                  Start date:16/12/2024
                                  Path:C:\Windows\SysWOW64\netsh.exe
                                  Wow64 process (32bit):true
                                  Commandline:netsh firewall add allowedprogram "C:\Users\user\Desktop\Server1.exe" "Server1.exe" ENABLE
                                  Imagebase:0x1770000
                                  File size:82'432 bytes
                                  MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:9
                                  Start time:01:23:53
                                  Start date:16/12/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff75da10000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                    Execution Graph

                                    Execution Coverage:11.5%
                                    Dynamic/Decrypted Code Coverage:100%
                                    Signature Coverage:3.1%
                                    Total number of Nodes:96
                                    Total number of Limit Nodes:6

                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713741754.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_5150000_Server1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: :@cl$:@cl$:@cl$:@cl$:@cl$:@cl$@
                                    • API String ID: 0-2663817365
                                    • Opcode ID: 8716b966bc84396fbdf390ee2ca3a74b4001dce554ad42bfa6d03585a2f4da8b
                                    • Instruction ID: 936051756fddfda9b1227880c10bf5c2366fc27379e57c12aa3dcf773101a0ae
                                    • Opcode Fuzzy Hash: 8716b966bc84396fbdf390ee2ca3a74b4001dce554ad42bfa6d03585a2f4da8b
                                    • Instruction Fuzzy Hash: 6B233A74A0122CCFDB25EF34D9A4BA9B7B2BB88308F4040EAD91967394DB355E85CF50

                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713741754.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_5150000_Server1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: $:@cl$:@cl$:@cl$:@cl$:@cl$:@cl
                                    • API String ID: 0-1110365883
                                    • Opcode ID: 2f0e9060797203ad09426a05b98e8d6d056fbb20dd398c45279d2cef4a1b40b7
                                    • Instruction ID: 1d28ed24fb5c33ae85d644ebe7d4cf7ed32fbcff690556408ee2c136354ca7af
                                    • Opcode Fuzzy Hash: 2f0e9060797203ad09426a05b98e8d6d056fbb20dd398c45279d2cef4a1b40b7
                                    • Instruction Fuzzy Hash: 4B132874A01228CFDB25EF34D9A4BA9B7B2FB48308F4041EAD91967398DB715E85CF50

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713741754.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_5150000_Server1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: $:@cl$:@cl$:@cl$:@cl$:@cl$:@cl
                                    • API String ID: 0-1110365883
                                    • Opcode ID: 6d93ff4309f9bdd3d12412c1edd72a203f08ac263d112eed760899ab70f41cf9
                                    • Instruction ID: 871ee089454f7a4e3fabcfcc83b3cd13f39cf680a6a9c42119edbe3e2d2ef1cc
                                    • Opcode Fuzzy Hash: 6d93ff4309f9bdd3d12412c1edd72a203f08ac263d112eed760899ab70f41cf9
                                    • Instruction Fuzzy Hash: 9C033774A0122CCFDB25EF34D9A4BA9B7B2BB48308F4041EAD91967398DB715E85CF50

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713741754.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_5150000_Server1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: $:@cl$:@cl$:@cl$:@cl$:@cl$:@cl
                                    • API String ID: 0-1110365883
                                    • Opcode ID: 77efdd1b56ba3b5c8ceec74117290ed0ad3e327e42b04de345740ff589cd27b4
                                    • Instruction ID: 696f06d979d53b7e25ccc91ae045fdada09000495927ed8f3d19699cf16f6757
                                    • Opcode Fuzzy Hash: 77efdd1b56ba3b5c8ceec74117290ed0ad3e327e42b04de345740ff589cd27b4
                                    • Instruction Fuzzy Hash: 6B033874A0122CCFDB25EF34D9A4BA9B7B2BB48308F4041EAD91967398DB715E85CF50

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713741754.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_5150000_Server1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: $:@cl$:@cl$:@cl$:@cl$:@cl
                                    • API String ID: 0-3491856805
                                    • Opcode ID: 56dfeec3e48b47e9ee37506378c12e17a91098bb992a304edffd5e97ee75801d
                                    • Instruction ID: c887cca3963aa9510f242f934ecc9af2703b679d7f097971264ef30aa1efdd8f
                                    • Opcode Fuzzy Hash: 56dfeec3e48b47e9ee37506378c12e17a91098bb992a304edffd5e97ee75801d
                                    • Instruction Fuzzy Hash: 8C033874A0122CCFDB25EF34D9A4BA9B7B2BB48308F4041EAD91967398DB715E85CF50

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713741754.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_5150000_Server1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: $:@cl$:@cl$:@cl$:@cl$:@cl
                                    • API String ID: 0-3491856805
                                    • Opcode ID: 56c04a5a5b7c1e8bd1fa8031c28370accb0a0b2d2a36b85622cb514f37e582a9
                                    • Instruction ID: 89a92991667c4c9504644157269c139173bed297703e687c8fc20ad824294726
                                    • Opcode Fuzzy Hash: 56c04a5a5b7c1e8bd1fa8031c28370accb0a0b2d2a36b85622cb514f37e582a9
                                    • Instruction Fuzzy Hash: F5F23874A0122CCFDB25EF34D9A4BA9B7B2BB48308F4041EAD91967398DB715E85CF50

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713741754.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_5150000_Server1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: $:@cl$:@cl$:@cl$:@cl$:@cl
                                    • API String ID: 0-3491856805
                                    • Opcode ID: 2c012ce08219601548ee84e804b6378c2c524313c7079c0c1cec75175efd090e
                                    • Instruction ID: 97e8e49075d1f7bedded5a1ef6d3b598369db94f542eed0cf586d4a1e50ef0f6
                                    • Opcode Fuzzy Hash: 2c012ce08219601548ee84e804b6378c2c524313c7079c0c1cec75175efd090e
                                    • Instruction Fuzzy Hash: 17F23874A0122CCFDB25EF34D9A4BA9B7B2BB48308F4040EAD91967398DB755E85CF50

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713741754.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_5150000_Server1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: $:@cl$:@cl$:@cl$:@cl$:@cl
                                    • API String ID: 0-3491856805
                                    • Opcode ID: 81f03355fd48a31ab08684f812fbbca85646a8cf7cf80cef99a26b4a92ef9441
                                    • Instruction ID: e4d6e9bd69fe74ecc205095957e590e4852a511a0e347cac7ba000637257b89f
                                    • Opcode Fuzzy Hash: 81f03355fd48a31ab08684f812fbbca85646a8cf7cf80cef99a26b4a92ef9441
                                    • Instruction Fuzzy Hash: C8F23974A0122CCFDB25EF34D9A4BA9B7B2BB48308F4041EAD91967398DB715E85CF50
                                    APIs
                                    • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 052C2507
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713847871.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_52c0000_Server1.jbxd
                                    Similarity
                                    • API ID: AdjustPrivilegesToken
                                    • String ID:
                                    • API String ID: 2874748243-0
                                    • Opcode ID: 99646e5d0b48a6944c789119b957e4e734f82ac9583f6e756cebf955344106d2
                                    • Instruction ID: 6b29c16ea3ba32595e0b20359bac1149da2e15ba1a8eaef115d3d551464a8c16
                                    • Opcode Fuzzy Hash: 99646e5d0b48a6944c789119b957e4e734f82ac9583f6e756cebf955344106d2
                                    • Instruction Fuzzy Hash: 1E219F765097809FDB228F25DC45B62BFB4EF06210F0885DAE9898B163D275E908DB62
                                    APIs
                                    • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 052C2507
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713847871.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_52c0000_Server1.jbxd
                                    Similarity
                                    • API ID: AdjustPrivilegesToken
                                    • String ID:
                                    • API String ID: 2874748243-0
                                    • Opcode ID: 5639e6e861f3921e30c412f0ba4a13cd0963b68efc2ba262135f153fc14ad8e9
                                    • Instruction ID: 9d68ba5c438bef18f630c9ca1def023ea4a3103d4856479bf83cc51372ef9a77
                                    • Opcode Fuzzy Hash: 5639e6e861f3921e30c412f0ba4a13cd0963b68efc2ba262135f153fc14ad8e9
                                    • Instruction Fuzzy Hash: C2119E76500200DFDB20CF15D844B62FBE5EF04220F08C5AEED8A8B662D775E418CB62
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713741754.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_5150000_Server1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: :@cl$:@cl
                                    • API String ID: 0-1618611328
                                    • Opcode ID: 947f4f51c3cb07aab98327c590d76ca405cf069e0cd5bb974d65c65d21c71ef2
                                    • Instruction ID: 9456d987c9dd7899448c80b275f33062bf09316ce450ba6357966211f0d1846d
                                    • Opcode Fuzzy Hash: 947f4f51c3cb07aab98327c590d76ca405cf069e0cd5bb974d65c65d21c71ef2
                                    • Instruction Fuzzy Hash: 04C26C34B0816ADFDB299F35D831B797BB2BB48304F1140AB9969933A8CB758D45DF20
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713741754.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_5150000_Server1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: :@cl$:@cl
                                    • API String ID: 0-1618611328
                                    • Opcode ID: b18d9536bb4a851e12ecfc884622dda6a37728d9f230e75770e889e5fb9a0764
                                    • Instruction ID: a4524e2e8ce52f86645c528510f9c1961dd850aee33fdb7706a353ea3368b1b6
                                    • Opcode Fuzzy Hash: b18d9536bb4a851e12ecfc884622dda6a37728d9f230e75770e889e5fb9a0764
                                    • Instruction Fuzzy Hash: 3C92EE34708169DBDF29AF35D831B797BA7BB88308F11407B986A93398CB758D45DB20
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713741754.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_5150000_Server1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: :@cl$:@cl
                                    • API String ID: 0-1618611328
                                    • Opcode ID: 84f2dd72cec057a6ee1d589915e4409458165c65acf29ed75c6e1f12877e4710
                                    • Instruction ID: b86d5f415483e93e20aa849f2e525028562e861adb5ccfcd409703fa87513732
                                    • Opcode Fuzzy Hash: 84f2dd72cec057a6ee1d589915e4409458165c65acf29ed75c6e1f12877e4710
                                    • Instruction Fuzzy Hash: 1D92EF34708169DBDF29AF31D831B797BA7BB88308F11407B996A93398CB758D45DB20
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713741754.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_5150000_Server1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: :@cl$:@cl
                                    • API String ID: 0-1618611328
                                    • Opcode ID: e1b8b8a695c1140a5a5328fd5cc830327deec81648f29609c38d7e80753a8157
                                    • Instruction ID: 0f367f51a1fb924d20c17257d23e6e5b5727816546683e03c5823b883cf9a88c
                                    • Opcode Fuzzy Hash: e1b8b8a695c1140a5a5328fd5cc830327deec81648f29609c38d7e80753a8157
                                    • Instruction Fuzzy Hash: 9292EF34708169DBDF29AF31D831B797BA7BB88308F11407B996A93398CB758D45DB20

                                    APIs
                                    • RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 052C2059
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713847871.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_52c0000_Server1.jbxd
                                    Similarity
                                    • API ID: Create
                                    • String ID:
                                    • API String ID: 2289755597-0
                                    • Opcode ID: ce92c1f931651aebf4408ecd1753c142f4b7662f066affb5e8400e28eb52cf0f
                                    • Instruction ID: eb6a0a91a357967e6e628e1230629b071528e281f4bc0313f47ae8a2debe67f0
                                    • Opcode Fuzzy Hash: ce92c1f931651aebf4408ecd1753c142f4b7662f066affb5e8400e28eb52cf0f
                                    • Instruction Fuzzy Hash: 99414D75149384AFE7238B218C54F62BFB8AF06214F0985DBE9C5CB163D664A809CB71

                                    APIs
                                    • RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 052C05C6
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713847871.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_52c0000_Server1.jbxd
                                    Similarity
                                    • API ID: QueryValue
                                    • String ID:
                                    • API String ID: 3660427363-0
                                    • Opcode ID: 19753479b9b561eada231597a5036daf80bb0bb0851161f44114c7c809791a9c
                                    • Instruction ID: 9560d40a56e7e66934ca109031849cf09644c11750fa6ca2897a581bd0b7615e
                                    • Opcode Fuzzy Hash: 19753479b9b561eada231597a5036daf80bb0bb0851161f44114c7c809791a9c
                                    • Instruction Fuzzy Hash: A5318D6510E3C0AFD3138B218C65A61BFB4EF47610F0E85CBD8848F6A3D2596809D7B2

                                    APIs
                                    • RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0118B341
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3709941862.000000000118A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_118a000_Server1.jbxd
                                    Similarity
                                    • API ID: Open
                                    • String ID:
                                    • API String ID: 71445658-0
                                    • Opcode ID: eb958d9ee1970e6760aa7953d5b82075fb13d41051d60eb5320156b7b1f67263
                                    • Instruction ID: a6905052f4b5515c0a580827bdd6960b1822625c3c060974d29240d8ce3b2c52
                                    • Opcode Fuzzy Hash: eb958d9ee1970e6760aa7953d5b82075fb13d41051d60eb5320156b7b1f67263
                                    • Instruction Fuzzy Hash: EE31847240D3846FE7228B65CC45FA6FFB8EF06214F0885ABE9849B153D364A509CB75

                                    APIs
                                    • getaddrinfo.WS2_32(?,00000E24), ref: 052C12B3
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713847871.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_52c0000_Server1.jbxd
                                    Similarity
                                    • API ID: getaddrinfo
                                    • String ID:
                                    • API String ID: 300660673-0
                                    • Opcode ID: c08ec894c1fe951505cbebf686a4decde6c9f061fb57eb168a56406f59c33265
                                    • Instruction ID: 55d6c549fa17adf4026f469731c20a6b30feabda1a36062ff5537534a65bf135
                                    • Opcode Fuzzy Hash: c08ec894c1fe951505cbebf686a4decde6c9f061fb57eb168a56406f59c33265
                                    • Instruction Fuzzy Hash: 0731A4B2544344AFE721CB50CC85FA7FBACEF04314F0445AAFA489B192D375A949CB71

                                    APIs
                                    • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0118ABD5
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3709941862.000000000118A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_118a000_Server1.jbxd
                                    Similarity
                                    • API ID: CreateFile
                                    • String ID:
                                    • API String ID: 823142352-0
                                    • Opcode ID: 1bea77c62e91648c87b81c1e9e1a0acc48724d5bea6e4d76a2428a57c709debe
                                    • Instruction ID: c725792a78e08eb2b0e0cda3782d696aaaaa630c92576201da664c29438d2d9b
                                    • Opcode Fuzzy Hash: 1bea77c62e91648c87b81c1e9e1a0acc48724d5bea6e4d76a2428a57c709debe
                                    • Instruction Fuzzy Hash: 41318371509384AFE721CF65DC85F66FFF8EF05210F0988AEE9858B252D365E809CB61
                                    APIs
                                    • GetProcessTimes.KERNELBASE(?,00000E24,5B627023,00000000,00000000,00000000,00000000), ref: 052C1181
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713847871.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_52c0000_Server1.jbxd
                                    Similarity
                                    • API ID: ProcessTimes
                                    • String ID:
                                    • API String ID: 1995159646-0
                                    • Opcode ID: d25231b5b147d2cb651b38e4f85f7394df86824bc493d8a87ac1958695756761
                                    • Instruction ID: 5d7f88a1c0e5d6ccb032973f9daeb1729f8b0d319f47f6bbec551aecbfef7dbf
                                    • Opcode Fuzzy Hash: d25231b5b147d2cb651b38e4f85f7394df86824bc493d8a87ac1958695756761
                                    • Instruction Fuzzy Hash: 2231C5B25097806FE7128F50DC45F66BFB8EF06324F0985DAE9848F193D264A909CB71
                                    APIs
                                    • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 052C0A77
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713847871.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_52c0000_Server1.jbxd
                                    Similarity
                                    • API ID: DescriptorSecurity$ConvertString
                                    • String ID:
                                    • API String ID: 3907675253-0
                                    • Opcode ID: ad305ff94acb5b50bb931193e9aa7f494cf506a73a36bfd57de4269584a4de52
                                    • Instruction ID: fd270d7a0e85ccd54b38ee73a418be92b41ef03f68ca3a441a69f7e17bb85fc7
                                    • Opcode Fuzzy Hash: ad305ff94acb5b50bb931193e9aa7f494cf506a73a36bfd57de4269584a4de52
                                    • Instruction Fuzzy Hash: 66318172509385AFE721CB64DC45F67BFA8EF05214F0984AAE944CB252D364A909CB61

                                    APIs
                                    • RegQueryValueExW.KERNELBASE(?,00000E24,5B627023,00000000,00000000,00000000,00000000), ref: 0118B444
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3709941862.000000000118A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_118a000_Server1.jbxd
                                    Similarity
                                    • API ID: QueryValue
                                    • String ID:
                                    • API String ID: 3660427363-0
                                    • Opcode ID: c57b4cbecd0a51774b6496a3989de683584a5e6387a5064489892dd25d1c1990
                                    • Instruction ID: 945426c4057f63ee58718f7bc073eff2f066310d6594793162df5f8a5a5d8bd4
                                    • Opcode Fuzzy Hash: c57b4cbecd0a51774b6496a3989de683584a5e6387a5064489892dd25d1c1990
                                    • Instruction Fuzzy Hash: E231B176509384AFE722CF25CC45F62BFB8EF06210F08849AE985CB193D364E949CB75

                                    APIs
                                    • CreateMutexW.KERNELBASE(?,?), ref: 0118B18D
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3709941862.000000000118A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_118a000_Server1.jbxd
                                    Similarity
                                    • API ID: CreateMutex
                                    • String ID:
                                    • API String ID: 1964310414-0
                                    • Opcode ID: aec5dad3fd4c17efda17b62fa8f517559d807e6368a0a4edefd1af76167d4d0e
                                    • Instruction ID: d69cd7e063c7b936e02ec9240e3217dfcccbedfd692918d655750d5ab98a2090
                                    • Opcode Fuzzy Hash: aec5dad3fd4c17efda17b62fa8f517559d807e6368a0a4edefd1af76167d4d0e
                                    • Instruction Fuzzy Hash: E631B5715093845FE711CB25DC45B56FFF8EF06210F08849AE984CF293D364E809CB65
                                    APIs
                                    • RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 052C2059
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713847871.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_52c0000_Server1.jbxd
                                    Similarity
                                    • API ID: Create
                                    • String ID:
                                    • API String ID: 2289755597-0
                                    • Opcode ID: 9f171e630052ab3aeeb4909492ac08549ca52d0a92f4166f4f86a34b35b527d0
                                    • Instruction ID: 47608fa01dfde4ace6ac32dfba6645b1e53c35d2786004f7a081dc491445831f
                                    • Opcode Fuzzy Hash: 9f171e630052ab3aeeb4909492ac08549ca52d0a92f4166f4f86a34b35b527d0
                                    • Instruction Fuzzy Hash: B8219E76504208AFEB21DB25CC40F67FBECEF18214F04896AEA8AC6252D770E408CA61
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713741754.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_5150000_Server1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: :@cl
                                    • API String ID: 0-3298582286
                                    • Opcode ID: be8dfe5401066b16afb75517f028067724b07f7321f1944b752ff9aaebf8c342
                                    • Instruction ID: 99986f3b8b8eae1f73269ac5634a7f0d761d475235a8143ae38b3f199a4a91b7
                                    • Opcode Fuzzy Hash: be8dfe5401066b16afb75517f028067724b07f7321f1944b752ff9aaebf8c342
                                    • Instruction Fuzzy Hash: CBD18131A0020DEFCB19EF75E4649AD77B2BF88358B51853AE81697768DF35AC02CB50
                                    APIs
                                    • OleGetClipboard.OLE32(?,00000E24,?,?), ref: 0118A77E
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3709941862.000000000118A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_118a000_Server1.jbxd
                                    Similarity
                                    • API ID: Clipboard
                                    • String ID:
                                    • API String ID: 220874293-0
                                    • Opcode ID: 2bb5dbb70e108571d0078a0828232fab6ed46b66ce8da362e1a203ed333bc2eb
                                    • Instruction ID: 49e561e1f15ffe253f34a0f8e36c05c217779339483ea2b9bfef15ad0c0f5bd8
                                    • Opcode Fuzzy Hash: 2bb5dbb70e108571d0078a0828232fab6ed46b66ce8da362e1a203ed333bc2eb
                                    • Instruction Fuzzy Hash: 0431717504D3C06FD3138B259C61B61BFB4EF47610F0A80DBD884CB5A3D2656919D7B2
                                    APIs
                                    • getaddrinfo.WS2_32(?,00000E24), ref: 052C12B3
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713847871.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_52c0000_Server1.jbxd
                                    Similarity
                                    • API ID: getaddrinfo
                                    • String ID:
                                    • API String ID: 300660673-0
                                    • Opcode ID: 357e07a892f54991e65b5b5ae8305008d52cfb1c1c566d96f42241b6289a75b3
                                    • Instruction ID: dfbcb194c5e450f392321ca1913caa8d7972a6b64694113bc3bc46088618bc69
                                    • Opcode Fuzzy Hash: 357e07a892f54991e65b5b5ae8305008d52cfb1c1c566d96f42241b6289a75b3
                                    • Instruction Fuzzy Hash: 6521D372544208AEF720DF10CC85FB6FBACEF04314F0489AAFA499A182D3B5A548CB71
                                    APIs
                                    • SendMessageTimeoutA.USER32(?,00000E24), ref: 0118B621
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3709941862.000000000118A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_118a000_Server1.jbxd
                                    Similarity
                                    • API ID: MessageSendTimeout
                                    • String ID:
                                    • API String ID: 1599653421-0
                                    • Opcode ID: b7b70cff22f3160ac707003a08b396059d566492a4edf384613a675f4e2448ce
                                    • Instruction ID: cf6dd71ab2e660f786d09b8b266cf17bce24779707dc1bc08946ee582437dc61
                                    • Opcode Fuzzy Hash: b7b70cff22f3160ac707003a08b396059d566492a4edf384613a675f4e2448ce
                                    • Instruction Fuzzy Hash: E921D672509384AFE7228F51DC45FA2FFB8EF46314F18849AFA844F162D375A409CB65
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713847871.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_52c0000_Server1.jbxd
                                    Similarity
                                    • API ID: select
                                    • String ID:
                                    • API String ID: 1274211008-0
                                    • Opcode ID: d4bc8607da3a0fcbca0da0a5257372861cdac6b79488b23c5beefe1d9907ff91
                                    • Instruction ID: 46ff7abdec1005a3ddad28117e58236f7057b5d90d6e2197a7fd7531c5d77d52
                                    • Opcode Fuzzy Hash: d4bc8607da3a0fcbca0da0a5257372861cdac6b79488b23c5beefe1d9907ff91
                                    • Instruction Fuzzy Hash: 132159755093809FDB22CF25DC44A62BFF8EF06210F0985DAE989CB163D265A909DB62
                                    APIs
                                    • GetExitCodeProcess.KERNELBASE(?,00000E24,5B627023,00000000,00000000,00000000,00000000), ref: 052C2690
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713847871.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_52c0000_Server1.jbxd
                                    Similarity
                                    • API ID: CodeExitProcess
                                    • String ID:
                                    • API String ID: 3861947596-0
                                    • Opcode ID: 45ab3251a0d19d2a722fdcb0deec8569208189a6223aa8773c2c30fe9881b5b1
                                    • Instruction ID: b0a7215dc14768e060fa7f0277609092e1c7edc7e6ea6350697f70fac660d800
                                    • Opcode Fuzzy Hash: 45ab3251a0d19d2a722fdcb0deec8569208189a6223aa8773c2c30fe9881b5b1
                                    • Instruction Fuzzy Hash: 6721A4765093846FE712CB15DC45FA6BFA8EF06224F1984EAE984CF193D264A908C771
                                    APIs
                                    • ReadFile.KERNELBASE(?,00000E24,5B627023,00000000,00000000,00000000,00000000), ref: 0118AFBD
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3709941862.000000000118A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_118a000_Server1.jbxd
                                    Similarity
                                    • API ID: FileRead
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713847871.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_52c0000_Server1.jbxd
                                    Similarity
                                    • API ID: FileView
                                    APIs
                                    • WSASocketW.WS2_32(?,?,?,?,?), ref: 052C067E
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713847871.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_52c0000_Server1.jbxd
                                    Similarity
                                    • API ID: Socket
                                    APIs
                                    • RegSetValueExW.KERNELBASE(?,00000E24,5B627023,00000000,00000000,00000000,00000000), ref: 0118B530
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3709941862.000000000118A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_118a000_Server1.jbxd
                                    Similarity
                                    • API ID: Value
                                    APIs
                                    • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 052C0A77
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713847871.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_52c0000_Server1.jbxd
                                    Similarity
                                    • API ID: DescriptorSecurity$ConvertString
                                    APIs
                                    • RegQueryValueExW.KERNELBASE(?,00000E24,5B627023,00000000,00000000,00000000,00000000), ref: 052C098C
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713847871.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_52c0000_Server1.jbxd
                                    Similarity
                                    • API ID: QueryValue
                                    APIs
                                    • GetLongPathNameW.KERNELBASE(?,?,?), ref: 0118AA4A
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3709941862.000000000118A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_118a000_Server1.jbxd
                                    Similarity
                                    • API ID: LongNamePath
                                    APIs
                                    • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0118ABD5
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3709941862.000000000118A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_118a000_Server1.jbxd
                                    Similarity
                                    • API ID: CreateFile
                                    APIs
                                    • RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0118B341
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3709941862.000000000118A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_118a000_Server1.jbxd
                                    Similarity
                                    • API ID: Open
                                    APIs
                                    • GetProcessWorkingSetSize.KERNEL32(?,00000E24,5B627023,00000000,00000000,00000000,00000000), ref: 052C276F
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713847871.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_52c0000_Server1.jbxd
                                    Similarity
                                    • API ID: ProcessSizeWorking
                                    APIs
                                    • SetProcessWorkingSetSize.KERNEL32(?,00000E24,5B627023,00000000,00000000,00000000,00000000), ref: 052C2853
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713847871.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_52c0000_Server1.jbxd
                                    Similarity
                                    • API ID: ProcessSizeWorking
                                    APIs
                                    • GetFileType.KERNELBASE(?,00000E24,5B627023,00000000,00000000,00000000,00000000), ref: 0118AD6D
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3709941862.000000000118A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_118a000_Server1.jbxd
                                    Similarity
                                    • API ID: FileType
                                    APIs
                                    • shutdown.WS2_32(?,00000E24,5B627023,00000000,00000000,00000000,00000000), ref: 052C0EB0
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713847871.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_52c0000_Server1.jbxd
                                    Similarity
                                    • API ID: shutdown
                                    APIs
                                    • CreateMutexW.KERNELBASE(?,?), ref: 0118B18D
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3709941862.000000000118A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_118a000_Server1.jbxd
                                    Similarity
                                    • API ID: CreateMutex
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3709941862.000000000118A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_118a000_Server1.jbxd
                                    Similarity
                                    • API ID: send
                                    APIs
                                    • ioctlsocket.WS2_32(?,00000E24,5B627023,00000000,00000000,00000000,00000000), ref: 052C21E7
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713847871.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_52c0000_Server1.jbxd
                                    Similarity
                                    • API ID: ioctlsocket
                                    APIs
                                    • RegQueryValueExW.KERNELBASE(?,00000E24,5B627023,00000000,00000000,00000000,00000000), ref: 0118B444
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3709941862.000000000118A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_118a000_Server1.jbxd
                                    Similarity
                                    • API ID: QueryValue
                                    APIs
                                    • WSASocketW.WS2_32(?,?,?,?,?), ref: 052C067E
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713847871.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_52c0000_Server1.jbxd
                                    Similarity
                                    • API ID: Socket
                                    APIs
                                    • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 052C143A
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713847871.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_52c0000_Server1.jbxd
                                    Similarity
                                    • API ID: Connect
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713847871.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_52c0000_Server1.jbxd
                                    Similarity
                                    • API ID: FileView
                                    APIs
                                    • LoadLibraryA.KERNELBASE(?,00000E24), ref: 052C1703
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713847871.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_52c0000_Server1.jbxd
                                    Similarity
                                    • API ID: LibraryLoad
                                    APIs
                                    • SendMessageTimeoutA.USER32(?,00000E24), ref: 0118B621
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3709941862.000000000118A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_118a000_Server1.jbxd
                                    Similarity
                                    • API ID: MessageSendTimeout
                                    APIs
                                    • RegQueryValueExW.KERNELBASE(?,00000E24,5B627023,00000000,00000000,00000000,00000000), ref: 052C098C
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713847871.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_52c0000_Server1.jbxd
                                    Similarity
                                    • API ID: QueryValue
                                    APIs
                                    • RegSetValueExW.KERNELBASE(?,00000E24,5B627023,00000000,00000000,00000000,00000000), ref: 0118B530
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3709941862.000000000118A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_118a000_Server1.jbxd
                                    Similarity
                                    • API ID: Value
                                    APIs
                                    • GetProcessTimes.KERNELBASE(?,00000E24,5B627023,00000000,00000000,00000000,00000000), ref: 052C1181
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713847871.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_52c0000_Server1.jbxd
                                    Similarity
                                    • API ID: ProcessTimes
                                    APIs
                                    • GetProcessWorkingSetSize.KERNEL32(?,00000E24,5B627023,00000000,00000000,00000000,00000000), ref: 052C276F
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713847871.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_52c0000_Server1.jbxd
                                    Similarity
                                    • API ID: ProcessSizeWorking
                                    APIs
                                    • SetProcessWorkingSetSize.KERNEL32(?,00000E24,5B627023,00000000,00000000,00000000,00000000), ref: 052C2853
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713847871.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_52c0000_Server1.jbxd
                                    Similarity
                                    • API ID: ProcessSizeWorking
                                    APIs
                                    • GetExitCodeProcess.KERNELBASE(?,00000E24,5B627023,00000000,00000000,00000000,00000000), ref: 052C2690
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713847871.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_52c0000_Server1.jbxd
                                    Similarity
                                    • API ID: CodeExitProcess
                                    • String ID:
                                    • API String ID: 3861947596-0
                                    APIs
                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0118A5DE
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3709941862.000000000118A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_118a000_Server1.jbxd
                                    Similarity
                                    • API ID: DuplicateHandle
                                    • String ID:
                                    • API String ID: 3793708945-0
                                    APIs
                                    • SetErrorMode.KERNELBASE(?), ref: 0118AAF4
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3709941862.000000000118A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_118a000_Server1.jbxd
                                    Similarity
                                    • API ID: ErrorMode
                                    • String ID:
                                    • API String ID: 2340568224-0
                                    APIs
                                    • ReadFile.KERNELBASE(?,00000E24,5B627023,00000000,00000000,00000000,00000000), ref: 0118AFBD
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3709941862.000000000118A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_118a000_Server1.jbxd
                                    Similarity
                                    • API ID: FileRead
                                    • String ID:
                                    • API String ID: 2738559852-0
                                    APIs
                                    • ioctlsocket.WS2_32(?,00000E24,5B627023,00000000,00000000,00000000,00000000), ref: 052C21E7
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713847871.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_52c0000_Server1.jbxd
                                    Similarity
                                    • API ID: ioctlsocket
                                    • String ID:
                                    • API String ID: 3577187118-0
                                    APIs
                                    • CoGetObjectContext.COMBASE(?,?), ref: 052C1637
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713847871.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_52c0000_Server1.jbxd
                                    Similarity
                                    • API ID: ContextObject
                                    • String ID:
                                    • API String ID: 3343934925-0
                                    APIs
                                    • shutdown.WS2_32(?,00000E24,5B627023,00000000,00000000,00000000,00000000), ref: 052C0EB0
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713847871.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_52c0000_Server1.jbxd
                                    Similarity
                                    • API ID: shutdown
                                    • String ID:
                                    • API String ID: 2510479042-0
                                    APIs
                                    • LoadLibraryA.KERNELBASE(?,00000E24), ref: 052C1703
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713847871.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_52c0000_Server1.jbxd
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713847871.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_52c0000_Server1.jbxd
                                    Similarity
                                    • API ID: select
                                    • String ID:
                                    • API String ID: 1274211008-0
                                    APIs
                                    • GetFileType.KERNELBASE(?,00000E24,5B627023,00000000,00000000,00000000,00000000), ref: 0118AD6D
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3709941862.000000000118A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_118a000_Server1.jbxd
                                    Similarity
                                    • API ID: FileType
                                    • String ID:
                                    • API String ID: 3081899298-0
                                    APIs
                                    • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 052C143A
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713847871.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_52c0000_Server1.jbxd
                                    Similarity
                                    • API ID: Connect
                                    • String ID:
                                    • API String ID: 3144859779-0
                                    APIs
                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0118A5DE
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3709941862.000000000118A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_118a000_Server1.jbxd
                                    Similarity
                                    • API ID: DuplicateHandle
                                    • String ID:
                                    • API String ID: 3793708945-0
                                    APIs
                                    • RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 052C05C6
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713847871.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_52c0000_Server1.jbxd
                                    Similarity
                                    • API ID: QueryValue
                                    • String ID:
                                    • API String ID: 3660427363-0
                                    APIs
                                    • OleGetClipboard.OLE32(?,00000E24,?,?), ref: 0118A77E
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3709941862.000000000118A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_118a000_Server1.jbxd
                                    Similarity
                                    • API ID: Clipboard
                                    • String ID:
                                    • API String ID: 220874293-0
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3709941862.000000000118A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_118a000_Server1.jbxd
                                    Similarity
                                    • API ID: send
                                    • String ID:
                                    • API String ID: 2809346765-0
                                    APIs
                                    • GetLongPathNameW.KERNELBASE(?,?,?), ref: 0118AA4A
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3709941862.000000000118A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_118a000_Server1.jbxd
                                    Similarity
                                    • API ID: LongNamePath
                                    • String ID:
                                    • API String ID: 82841172-0
                                    APIs
                                    • CoGetObjectContext.COMBASE(?,?), ref: 052C1637
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713847871.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_52c0000_Server1.jbxd
                                    Similarity
                                    • API ID: ContextObject
                                    • String ID:
                                    • API String ID: 3343934925-0
                                    APIs
                                    • SetErrorMode.KERNELBASE(?), ref: 0118AAF4
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3709941862.000000000118A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_118a000_Server1.jbxd
                                    Similarity
                                    • API ID: ErrorMode
                                    • String ID:
                                    • API String ID: 2340568224-0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713741754.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_5150000_Server1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: :@cl
                                    • API String ID: 0-3298582286
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713741754.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_5150000_Server1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: :@cl
                                    • API String ID: 0-3298582286
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713741754.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_5150000_Server1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: :@cl
                                    • API String ID: 0-3298582286
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713741754.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_5150000_Server1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: :@cl
                                    • API String ID: 0-3298582286
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713741754.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_5150000_Server1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: :@cl
                                    • API String ID: 0-3298582286
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713741754.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_5150000_Server1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: :@cl
                                    • API String ID: 0-3298582286
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713741754.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_5150000_Server1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: :@cl
                                    • API String ID: 0-3298582286
                                    APIs
                                    • CloseHandle.KERNELBASE(?), ref: 0118ACA0
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3709941862.000000000118A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_118a000_Server1.jbxd
                                    Similarity
                                    • API ID: CloseHandle
                                    • String ID:
                                    • API String ID: 2962429428-0
                                    APIs
                                    • CloseHandle.KERNELBASE(?), ref: 0118A690
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3709941862.000000000118A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_118a000_Server1.jbxd
                                    Similarity
                                    • API ID: CloseHandle
                                    • String ID:
                                    • API String ID: 2962429428-0
                                    APIs
                                    • CloseHandle.KERNELBASE(?), ref: 0118ACA0
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3709941862.000000000118A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_118a000_Server1.jbxd
                                    Similarity
                                    • API ID: CloseHandle
                                    • String ID:
                                    • API String ID: 2962429428-0
                                    APIs
                                    • CloseHandle.KERNELBASE(?), ref: 0118A690
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3709941862.000000000118A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118A000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_118a000_Server1.jbxd
                                    Similarity
                                    • API ID: CloseHandle
                                    • String ID:
                                    • API String ID: 2962429428-0
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ead4377eb64ef19d4979808de5f70cfb3bb3716c5671ea658a894a075ab37a18
                                    • Instruction ID: caaf3db457d51fa573fe3ffe628c06925318fbd7f2609151c175c89a47876d2b
                                    • Opcode Fuzzy Hash: ead4377eb64ef19d4979808de5f70cfb3bb3716c5671ea658a894a075ab37a18
                                    • Instruction Fuzzy Hash: 43E0C2706483CCDFCB069BF0D91549C3FB4CA0321071400FEC85597253DA391A1CC742
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3709920113.0000000001182000.00000040.00000800.00020000.00000000.sdmp, Offset: 01182000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_1182000_Server1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3c12d7678bc677d10bfc4a41be17345743eac46b955147fd08ba1cce9d33de60
                                    • Instruction ID: 66ba0346bb8872d6566aee1c210b51131eb482a17c3fb78bb1d672dae56cd89b
                                    • Opcode Fuzzy Hash: 3c12d7678bc677d10bfc4a41be17345743eac46b955147fd08ba1cce9d33de60
                                    • Instruction Fuzzy Hash: B2D05E79345A814FE31BAE1CC2A4B953BE4AB51714F5A84FAA8008B763C768D581DA10
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3709920113.0000000001182000.00000040.00000800.00020000.00000000.sdmp, Offset: 01182000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_1182000_Server1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ea781cbd51fb86f42b840b1dbf8c69f46d5b85f38fc9d0a74542cd9cbbb13af9
                                    • Instruction ID: 98df374650514ca5f016b8d254164424370c92c6cc4c92954c8a596d661bdc49
                                    • Opcode Fuzzy Hash: ea781cbd51fb86f42b840b1dbf8c69f46d5b85f38fc9d0a74542cd9cbbb13af9
                                    • Instruction Fuzzy Hash: E4D05E342442814BE71AEE0CC2E4F5937D4AB44B14F0684E8BC108B662C7B8D9C0CE00
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713741754.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_5150000_Server1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 9a8617a2d3af941b447cdb052db17a4e1eb0b302a50ffbb4b80fc97263efdd15
                                    • Instruction ID: dac317087aacee0da8184a854a2582bf544ffd73f18578c58eb736233a8fa3f8
                                    • Opcode Fuzzy Hash: 9a8617a2d3af941b447cdb052db17a4e1eb0b302a50ffbb4b80fc97263efdd15
                                    • Instruction Fuzzy Hash: 13D0C971A15208EF8754DFA8D9018DDBBF9EB45215B1541B9E80DD3650EE715E00DB81
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713741754.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_5150000_Server1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: $:@cl$:@cl$:@cl$:@cl$:@cl
                                    • API String ID: 0-3491856805
                                    • Opcode ID: 773b593aac9ec1aa79d7e979502438c8b13e0a32d2c885bb5125b9eaaafebe84
                                    • Instruction ID: d2cc8fd66c107c610a9cb3b3bf214a416ac89efe90a83b32860daa4a8383c358
                                    • Opcode Fuzzy Hash: 773b593aac9ec1aa79d7e979502438c8b13e0a32d2c885bb5125b9eaaafebe84
                                    • Instruction Fuzzy Hash: 41F23974A0122CCFDB25EF34D9A4BA9B7B2BB48308F4041EAD91967398DB715E85CF50
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713741754.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_5150000_Server1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: $:@cl$:@cl$:@cl$:@cl$:@cl
                                    • API String ID: 0-3491856805
                                    • Opcode ID: 7c7e32c0c8b0a42340f18d327fc9e552d10c6f8889c5ca52a3b710d635f92727
                                    • Instruction ID: 52519ca5b5a1546ffa9e08ba5b9718bf5a4ee3ff82e26e0d42c29262065ca49a
                                    • Opcode Fuzzy Hash: 7c7e32c0c8b0a42340f18d327fc9e552d10c6f8889c5ca52a3b710d635f92727
                                    • Instruction Fuzzy Hash: AAF22974A0122CCFDB25EF34D9A4BA9B7B2BB48308F4041EAD91967394DB715E85CF50
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713741754.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_5150000_Server1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: $:@cl$:@cl$:@cl$:@cl$:@cl
                                    • API String ID: 0-3491856805
                                    • Opcode ID: 9c3f3369f9416042debad6bb8ea8679f1c5ae8fb819b9d4a49dbaf805b815970
                                    • Instruction ID: 20aab6629eb51622bea30faceba1ea10b7d2e59f06880fa0a1c4f56b804072da
                                    • Opcode Fuzzy Hash: 9c3f3369f9416042debad6bb8ea8679f1c5ae8fb819b9d4a49dbaf805b815970
                                    • Instruction Fuzzy Hash: F4E23974A0122CCFDB25EF34D9A4BA9B7B2BB48308F4081EAD91967394DB355E85CF50
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713741754.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_5150000_Server1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: :@cl$:@cl$:@cl$:@cl$:@cl
                                    • API String ID: 0-407519521
                                    • Opcode ID: 364fb94b64b791ce79a7151ac0a6160c1b30fa472f881217a972bcf901dec83c
                                    • Instruction ID: 0f15d8b3389ae26e4f0377dcc4fc295514b94f1be2b014865713562cdfcefe5d
                                    • Opcode Fuzzy Hash: 364fb94b64b791ce79a7151ac0a6160c1b30fa472f881217a972bcf901dec83c
                                    • Instruction Fuzzy Hash: 3FE22974A0122CCFDB25EF34D9A4BA9B7B2BB48308F4081EAD91967394DB355E85CF50
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713741754.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_5150000_Server1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: :@cl$:@cl
                                    • API String ID: 0-1618611328
                                    • Opcode ID: d491f47b3419614b61317226af11b7a820b78555bf65b8c049ef267f8c3764f9
                                    • Instruction ID: edbdd45a66f181203b5d233969ecd33aa388313ac2bef3a7f87bdb06ec4ac63d
                                    • Opcode Fuzzy Hash: d491f47b3419614b61317226af11b7a820b78555bf65b8c049ef267f8c3764f9
                                    • Instruction Fuzzy Hash: 70D22974A0122CCFDB25EF34D9A4BA9BBB2BB48308F4041EAD91967394DB355E85CF50
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713741754.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_5150000_Server1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: :@cl$:@cl
                                    • API String ID: 0-1618611328
                                    • Opcode ID: cdb941f5994a0380830c236d0e1a4c7a94a4ac040a143b9cb0116978844087e3
                                    • Instruction ID: ae2cc679fb63780d8740c73ec9afcfe48acf2e1eda87d7b5d4d5f191d5682d1d
                                    • Opcode Fuzzy Hash: cdb941f5994a0380830c236d0e1a4c7a94a4ac040a143b9cb0116978844087e3
                                    • Instruction Fuzzy Hash: C4D21974A0122CCFDB25EF34D9A4BA9BBB2BB49308F4041EAD91967394DB315E85CF50
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713741754.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_5150000_Server1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: :@cl$:@cl
                                    • API String ID: 0-1618611328
                                    • Opcode ID: 78382e598d94fbbf706c8ff79349c11ae9376c0243c471f2a8ad6e518a244031
                                    • Instruction ID: d0ad5876326832ddd159ed8f537cde188b181c589eb1c181db83b0e87f1ba0f4
                                    • Opcode Fuzzy Hash: 78382e598d94fbbf706c8ff79349c11ae9376c0243c471f2a8ad6e518a244031
                                    • Instruction Fuzzy Hash: 42D21974A0122CCFDB25EF34D9A4BA9BBB2BB49308F4041EAD91967394DB315E85CF50
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713741754.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_5150000_Server1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: :@cl$:@cl
                                    • API String ID: 0-1618611328
                                    • Opcode ID: d98703a6af8a39e676f650554cbdfc879f2a3abbf60387fe40c3f4330dd1d383
                                    • Instruction ID: bfe698ec4075947f30db9182d053be52398e11f150d410d02f7c3523108e1f3b
                                    • Opcode Fuzzy Hash: d98703a6af8a39e676f650554cbdfc879f2a3abbf60387fe40c3f4330dd1d383
                                    • Instruction Fuzzy Hash: 6FD21974A0122CCFDB25EF34D9A4BA9BBB2BB49308F4041EAD91967394DB315E85CF50
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713741754.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_5150000_Server1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: :@cl$:@cl
                                    • API String ID: 0-1618611328
                                    • Opcode ID: 3e2c9177e959489de891b78570fcc1d9239c20f3b234031a16e0a66825569958
                                    • Instruction ID: 2223efa5a1d5e5c78bb089a81e8c3e28ea8801b8dce7fd6f21ef6adbe057c3d2
                                    • Opcode Fuzzy Hash: 3e2c9177e959489de891b78570fcc1d9239c20f3b234031a16e0a66825569958
                                    • Instruction Fuzzy Hash: 86D21974A0122CCFDB25EF34D9A4BA9B7B2BB49308F4081EAD91967394DB315E85CF50
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713741754.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_5150000_Server1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: :@cl$:@cl
                                    • API String ID: 0-1618611328
                                    • Opcode ID: 1d5744054854ebe8d4cb654e7219c97fba4724545955fbb5c368a243d5cac0c8
                                    • Instruction ID: 2344775d373a80ec6609cef37a877dcb6b328a8bb7832c015f5b94764bb87026
                                    • Opcode Fuzzy Hash: 1d5744054854ebe8d4cb654e7219c97fba4724545955fbb5c368a243d5cac0c8
                                    • Instruction Fuzzy Hash: B3C21974A0122CCFDB25EF24D968BA9B7B2FB48308F5081EAD91967394DB315E85CF50
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3713741754.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_5150000_Server1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: :@cl$:@cl
                                    • API String ID: 0-1618611328
                                    • Opcode ID: 9185fd5d80428fd62322fec3df3d17c5ebbb263e5bc5f1419b3a649365bc10d6
                                    • Instruction ID: 5853bb5de2039d0e4db71dfbb8b5a3ee3b584efdceaffe57fb2dcc660f13f0aa
                                    • Opcode Fuzzy Hash: 9185fd5d80428fd62322fec3df3d17c5ebbb263e5bc5f1419b3a649365bc10d6
                                    • Instruction Fuzzy Hash: 18C2097490122CCFDB25EF20D9A8BA9B7B2FB48308F5081EAD91967394DB715E85CF50
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3709920113.0000000001182000.00000040.00000800.00020000.00000000.sdmp, Offset: 01182000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_1182000_Server1.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: fl$fl
                                    • API String ID: 0-3913757221
                                    • Opcode ID: f8cad4c968f30b56dfc4f45826acaa4aaf70df32db4dc0c87c6a6d53661b73ca
                                    • Instruction ID: 0aa1d2b080edfdcafe3245035d92cbe814a7cf32e798287714fd0eb75fbc982f
                                    • Opcode Fuzzy Hash: f8cad4c968f30b56dfc4f45826acaa4aaf70df32db4dc0c87c6a6d53661b73ca
                                    • Instruction Fuzzy Hash: 3491226940F7C55FCB075B308C662967F719E03604B0E86DBC990CF5A3D22A6D0EE7A2