
Windows Analysis Report
Server.exe

Overview

General Information

Sample name: Server.exe
Analysis ID: 1649453
MD5: b639b796e755ba9a04a6a5f2900fc084
SHA1: e1f8a378c4b2c46c873ae77453399b1e9dc01b14
SHA256: 6d498dd502299432d28c52c34726738dac6f0466e12caf4240e09231a00b0d01
Tags: exe, user-BastianHein

Detection

Njrat
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Njrat
.NET source code contains potential unpacker
Contains functionality to disable the Task Manager (.Net Source)
Contains functionality to spread to USB devices (.Net source)
Disables zone checking for all users
Drops PE files to the startup folder
Joe Sandbox ML detected suspicious sample
Modifies the windows firewall
Uses netsh to modify the Windows network and firewall settings
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Classification categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner (verdict scale: clean, suspicious, malicious)
  • System is w10x64
  • Server.exe (PID: 8740 cmdline: "C:\Users\user\Desktop\Server.exe" MD5: B639B796E755BA9A04A6A5F2900FC084)
    • netsh.exe (PID: 8816 cmdline: netsh firewall add allowedprogram "C:\Users\user\Desktop\Server.exe" "Server.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 8832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: NjRAT
Description: RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives." It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.
Attribution:
  • AQUATIC PANDA
  • Earth Lusca
  • Operation C-Major
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat
{
  "Campaign ID": "Runtim14531oker.exe",
  "Version": "0.7d",
  "Install Name": "18f92744a712890ce1a5852179df81aa",
  "Install Dir": "Adobe Update",
  "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
  "Network Seprator": "|'|'|"
}
Source | Rule | Description | Author | Strings
Server.exe | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
Server.exe | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
  • 0x115d2:$a1: get_Registry
  • 0x15a7b:$a2: SEE_MASK_NOZONECHECKS
  • 0x1571d:$a3: Download ERROR
  • 0x15ccd:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x13c5a:$a5: netsh firewall delete allowedprogram "
Server.exe | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0x15ccd:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x137e6:$s1: winmgmts:\\.\root\SecurityCenter2
  • 0x1573b:$s3: Executed As
  • 0x124f0:$s5: Stub.exe
  • 0x1571d:$s6: Download ERROR
  • 0x137a8:$s8: Select * From AntiVirusProduct
Server.exe | crimeware_njrat_strings | Detects njRAT based on some strings | Sekoia.io
  • 0x154bf:$: set cdaudio door closed
  • 0x15483:$: set cdaudio door open
  • 0x15ce3:$: ping 0
  • 0x13412:$: [endof]
  • 0x132cc:$: TiGeR-Firewall
  • 0x132fa:$: NetSnifferCs
  • 0x132b8:$: IPBlocker
  • 0x13314:$: Sandboxie Control
Server.exe | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x15a7b:$reg: SEE_MASK_NOZONECHECKS
  • 0x15701:$msg: Execute ERROR
  • 0x15755:$msg: Execute ERROR
  • 0x15ccd:$ping: cmd.exe /c ping 0 -n 2 & del
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\18f92744a712890ce1a5852179df81aaWindows Update.exe | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\18f92744a712890ce1a5852179df81aaWindows Update.exe | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
  • 0x115d2:$a1: get_Registry
  • 0x15a7b:$a2: SEE_MASK_NOZONECHECKS
  • 0x1571d:$a3: Download ERROR
  • 0x15ccd:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x13c5a:$a5: netsh firewall delete allowedprogram "
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\18f92744a712890ce1a5852179df81aaWindows Update.exe | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0x15ccd:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x137e6:$s1: winmgmts:\\.\root\SecurityCenter2
  • 0x1573b:$s3: Executed As
  • 0x124f0:$s5: Stub.exe
  • 0x1571d:$s6: Download ERROR
  • 0x137a8:$s8: Select * From AntiVirusProduct
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\18f92744a712890ce1a5852179df81aaWindows Update.exe | crimeware_njrat_strings | Detects njRAT based on some strings | Sekoia.io
  • 0x154bf:$: set cdaudio door closed
  • 0x15483:$: set cdaudio door open
  • 0x15ce3:$: ping 0
  • 0x13412:$: [endof]
  • 0x132cc:$: TiGeR-Firewall
  • 0x132fa:$: NetSnifferCs
  • 0x132b8:$: IPBlocker
  • 0x13314:$: Sandboxie Control
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\18f92744a712890ce1a5852179df81aaWindows Update.exe | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x15a7b:$reg: SEE_MASK_NOZONECHECKS
  • 0x15701:$msg: Execute ERROR
  • 0x15755:$msg: Execute ERROR
  • 0x15ccd:$ping: cmd.exe /c ping 0 -n 2 & del
Source | Rule | Description | Author | Strings
00000000.00000000.1289812590.0000000000F02000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
00000000.00000000.1289812590.0000000000F02000.00000002.00000001.01000000.00000003.sdmp | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
  • 0x113d2:$a1: get_Registry
  • 0x1587b:$a2: SEE_MASK_NOZONECHECKS
  • 0x1551d:$a3: Download ERROR
  • 0x15acd:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x13a5a:$a5: netsh firewall delete allowedprogram "
00000000.00000000.1289812590.0000000000F02000.00000002.00000001.01000000.00000003.sdmp | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x1587b:$reg: SEE_MASK_NOZONECHECKS
  • 0x15501:$msg: Execute ERROR
  • 0x15555:$msg: Execute ERROR
  • 0x15acd:$ping: cmd.exe /c ping 0 -n 2 & del
Process Memory Space: Server.exe PID: 8740 | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
Source | Rule | Description | Author | Strings
0.0.Server.exe.f00000.0.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
0.0.Server.exe.f00000.0.unpack | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
  • 0x115d2:$a1: get_Registry
  • 0x15a7b:$a2: SEE_MASK_NOZONECHECKS
  • 0x1571d:$a3: Download ERROR
  • 0x15ccd:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x13c5a:$a5: netsh firewall delete allowedprogram "
0.0.Server.exe.f00000.0.unpack | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0x15ccd:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x137e6:$s1: winmgmts:\\.\root\SecurityCenter2
  • 0x1573b:$s3: Executed As
  • 0x124f0:$s5: Stub.exe
  • 0x1571d:$s6: Download ERROR
  • 0x137a8:$s8: Select * From AntiVirusProduct
0.0.Server.exe.f00000.0.unpack | crimeware_njrat_strings | Detects njRAT based on some strings | Sekoia.io
  • 0x154bf:$: set cdaudio door closed
  • 0x15483:$: set cdaudio door open
  • 0x15ce3:$: ping 0
  • 0x13412:$: [endof]
  • 0x132cc:$: TiGeR-Firewall
  • 0x132fa:$: NetSnifferCs
  • 0x132b8:$: IPBlocker
  • 0x13314:$: Sandboxie Control
0.0.Server.exe.f00000.0.unpack | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x15a7b:$reg: SEE_MASK_NOZONECHECKS
  • 0x15701:$msg: Execute ERROR
  • 0x15755:$msg: Execute ERROR
  • 0x15ccd:$ping: cmd.exe /c ping 0 -n 2 & del

System Summary

Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\Server.exe, ProcessId: 8740, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\18f92744a712890ce1a5852179df81aaWindows Update.exe
No Suricata rule has matched

AV Detection

Source: Server.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\18f92744a712890ce1a5852179df81aaWindows Update.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: 0.0.Server.exe.f00000.0.unpack | Malware Configuration Extractor: Njrat {"Campaign ID": "Runtim14531oker.exe", "Version": "0.7d", "Install Name": "18f92744a712890ce1a5852179df81aa", "Install Dir": "Adobe Update", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Network Seprator": "|'|'|"}
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\18f92744a712890ce1a5852179df81aaWindows Update.exe | ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\18f92744a712890ce1a5852179df81aaWindows Update.exe | Virustotal: Detection: 71%
Source: Server.exe | Virustotal: Detection: 71%
Source: Server.exe | ReversingLabs: Detection: 86%
Source: Yara match | File source: Server.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Server.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1289812590.0000000000F02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Server.exe PID: 8740, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\18f92744a712890ce1a5852179df81aaWindows Update.exe, type: DROPPED
Source: Submitted Sample | Neural Call Log Analysis: 88.7%
Source: Server.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\Server.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: Server.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Spreading

Source: Server.exe, Usb1.cs | .Net Code: infect
Source: 18f92744a712890ce1a5852179df81aaWindows Update.exe.0.dr, Usb1.cs | .Net Code: infect
Source: Server.exe, 00000000.00000000.1289812590.0000000000F02000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: \autorun.inf
Source: Server.exe, 00000000.00000000.1289812590.0000000000F02000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: [autorun]
Source: Server.exe, 00000000.00000000.1289812590.0000000000F02000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: autorun.inf
Source: Server.exe | Binary or memory string: \autorun.inf
Source: Server.exe | Binary or memory string: [autorun]
Source: Server.exe | Binary or memory string: autorun.inf
Source: 18f92744a712890ce1a5852179df81aaWindows Update.exe.0.dr | Binary or memory string: \autorun.inf
Source: 18f92744a712890ce1a5852179df81aaWindows Update.exe.0.dr | Binary or memory string: [autorun]
Source: 18f92744a712890ce1a5852179df81aaWindows Update.exe.0.dr | Binary or memory string: autorun.inf
Source: C:\Users\user\Desktop\Server.exe | Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud

Source: Yara match | File source: Server.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Server.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1289812590.0000000000F02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Server.exe PID: 8740, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\18f92744a712890ce1a5852179df81aaWindows Update.exe, type: DROPPED

System Summary

Source: Server.exe, type: SAMPLE | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: Server.exe, type: SAMPLE | Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: Server.exe, type: SAMPLE | Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: Server.exe, type: SAMPLE | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: Server.exe, type: SAMPLE | Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.0.Server.exe.f00000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.0.Server.exe.f00000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.0.Server.exe.f00000.0.unpack, type: UNPACKEDPE | Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: 0.0.Server.exe.f00000.0.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.Server.exe.f00000.0.unpack, type: UNPACKEDPE | Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000000.00000000.1289812590.0000000000F02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000000.1289812590.0000000000F02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\18f92744a712890ce1a5852179df81aaWindows Update.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\18f92744a712890ce1a5852179df81aaWindows Update.exe, type: DROPPED | Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\18f92744a712890ce1a5852179df81aaWindows Update.exe, type: DROPPED | Matched rule: Detects njRAT based on some strings Author: Sekoia.io
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\18f92744a712890ce1a5852179df81aaWindows Update.exe, type: DROPPED | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\18f92744a712890ce1a5852179df81aaWindows Update.exe, type: DROPPED | Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\Desktop\Server.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\Server.exe | Code function: 0_2_014DBDB2 NtQuerySystemInformation
Source: C:\Users\user\Desktop\Server.exe | Code function: 0_2_014DBD81 NtQuerySystemInformation
Source: C:\Users\user\Desktop\Server.exe | Code function: 0_2_01C77347
Source: C:\Users\user\Desktop\Server.exe | Code function: 0_2_01C77780
Source: C:\Users\user\Desktop\Server.exe | Code function: 0_2_01C74298
Source: C:\Users\user\Desktop\Server.exe | Code function: 0_2_01C74269
Source: Server.exe, 00000000.00000002.3751449361.000000000157E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs Server.exe
Source: Server.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Server.exe, type: SAMPLE | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: Server.exe, type: SAMPLE | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Server.exe, type: SAMPLE | Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: Server.exe, type: SAMPLE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: Server.exe, type: SAMPLE | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.0.Server.exe.f00000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.0.Server.exe.f00000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.Server.exe.f00000.0.unpack, type: UNPACKEDPE | Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: 0.0.Server.exe.f00000.0.unpack, type: UNPACKEDPE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.0.Server.exe.f00000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000000.00000000.1289812590.0000000000F02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000000.1289812590.0000000000F02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\18f92744a712890ce1a5852179df81aaWindows Update.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\18f92744a712890ce1a5852179df81aaWindows Update.exe, type: DROPPED | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\18f92744a712890ce1a5852179df81aaWindows Update.exe, type: DROPPED | Matched rule: crimeware_njrat_strings author = Sekoia.io, description = Detects njRAT based on some strings, creation_date = 2022-08-22, classification = TLP:CLEAR, version = 1.0, id = 215807ae-fbcb-478d-8941-e0787b883669
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\18f92744a712890ce1a5852179df81aaWindows Update.exe, type: DROPPED | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\18f92744a712890ce1a5852179df81aaWindows Update.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: classification engine | Classification label: mal100.spre.phis.troj.adwa.evad.winEXE@4/4@0/0
Source: C:\Users\user\Desktop\Server.exe | Code function: 0_2_014DBC36 AdjustTokenPrivileges
Source: C:\Users\user\Desktop\Server.exe | Code function: 0_2_014DBBFF AdjustTokenPrivileges
Source: C:\Users\user\Desktop\Server.exe | File created: C:\Users\user\AppData\Roaming\app
Source: C:\Users\user\Desktop\Server.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\Server.exe | Mutant created: \Sessions\1\BaseNamedObjects\18f92744a712890ce1a5852179df81aa
Source: C:\Users\user\Desktop\Server.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8832:120:WilError_03
Source: C:\Users\user\Desktop\Server.exe | File created: C:\Users\user\AppData\Local\Temp\FransescoPast.txt
Source: Server.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Server.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\Server.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Server.exe | Virustotal: Detection: 71%
Source: Server.exe | ReversingLabs: Detection: 86%
Source: C:\Users\user\Desktop\Server.exe | File read: C:\Users\user\Desktop\Server.exe
Source: unknown | Process created: C:\Users\user\Desktop\Server.exe "C:\Users\user\Desktop\Server.exe"
Source: C:\Users\user\Desktop\Server.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\Server.exe" "Server.exe" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Server.exe | Sections loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, windows.storage.dll, wldp.dll, profapi.dll, uxtheme.dll, edputil.dll, shfolder.dll, ntmarta.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, mswsock.dll, dnsapi.dll, iphlpapi.dll, rasadhlp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Sections loaded: kernel.appcore.dll, ifmon.dll, iphlpapi.dll, mprapi.dll, rasmontr.dll, rasapi32.dll, fwpuclnt.dll, rasman.dll, mfc42u.dll, rasman.dll, authfwcfg.dll, fwpolicyiomgr.dll, firewallapi.dll, dnsapi.dll, fwbase.dll, dhcpcmonitor.dll, dot3cfg.dll, dot3api.dll, onex.dll, eappcfg.dll, ncrypt.dll, eappprxy.dll, ntasn1.dll, fwcfg.dll, hnetmon.dll, netshell.dll, nlaapi.dll, netsetupapi.dll, netiohlp.dll, dhcpcsvc.dll, winnsi.dll, nshhttp.dll, httpapi.dll, nshipsec.dll, userenv.dll, activeds.dll, polstore.dll, winipsec.dll, adsldpc.dll, nshwfp.dll, cabinet.dll, p2pnetsh.dll, p2p.dll, profapi.dll, cryptbase.dll, rpcnsh.dll, whhelper.dll, winhttp.dll, wlancfg.dll, cryptsp.dll, wlanapi.dll, wshelper.dll, wevtapi.dll, mswsock.dll, peerdistsh.dll, uxtheme.dll, wcmapi.dll, rmclient.dll, mobilenetworking.dll, slc.dll, sppc.dll, gpapi.dll, ktmw32.dll, mprmsg.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Users\user\Desktop\Server.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll (the CLR 2.0 resource library: the sample runs on the .NET Framework 2.0/3.5 runtime)
Source: Server.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (the CLI header; the file is a managed .NET image)
Source: C:\Users\user\Desktop\Server.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll (the VC8 C runtime used by the CLR 2.0)
Source: Server.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: Server.exe, Fransesco.cs .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: 18f92744a712890ce1a5852179df81aaWindows Update.exe.0.dr, Fransesco.cs .Net Code: Plugin System.Reflection.Assembly.Load(byte[]) (the dropped file carries the same Fransesco.cs code as the submitted sample)
Source: C:\Users\user\Desktop\Server.exe Code function: 0_2_014D2C58 pushad ; ret 0_2_014D2C5A
Source: C:\Users\user\Desktop\Server.exe Code function: 0_2_014D3024 push edx; ret 0_2_014D3032
Source: C:\Users\user\Desktop\Server.exe Code function: 0_2_014D269C push dword ptr [edx]; ret 0_2_014D26A6
Source: C:\Users\user\Desktop\Server.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\18f92744a712890ce1a5852179df81aaWindows Update.exe (dropped file)
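The Fransesco.cs finding records a call to System.Reflection.Assembly.Load(byte[]) from a member named Plugin: the binary can take a second-stage assembly as a byte array, for instance one received from its operator, and load it entirely in memory without writing a file. The script below is an added triage example, not code from the sample, from the dropped file or from the sandbox. It locates the CLI metadata root by its "BSJB" signature, walks the stream headers and checks the #Strings heap for the identifiers such a call needs. build_sample_metadata and the identifier lists it is fed are constructed test data. It is a heuristic: #Strings may share string suffixes and "Load" also names harmless methods, so a production check would resolve the TypeRef/MemberRef tables and their Blob signatures rather than splitting the heap.

```python
import struct

METADATA_SIGNATURE = b"BSJB"      # CLI metadata root magic (ECMA-335 II.24.2.1)
# Identifiers whose joint presence in #Strings points at in-memory assembly
# loading of the kind flagged for Fransesco.cs (System.Reflection.Assembly.Load).
REFLECTIVE_LOAD_NAMES = {"System.Reflection", "Assembly", "Load"}


def parse_metadata_streams(data: bytes) -> dict:
    """Find the CLI metadata root and return {stream name: raw bytes}
    for the streams it declares (#~, #Strings, #US, #GUID, #Blob)."""
    root = data.find(METADATA_SIGNATURE)
    if root < 0:
        raise ValueError("no CLI metadata root: not a managed (.NET) image")
    # Root layout: Signature(4) Major(2) Minor(2) Reserved(4) VersionLength(4)
    #              Version(VersionLength bytes, NUL padded) Flags(2) Streams(2)
    version_len = struct.unpack_from("<I", data, root + 12)[0]
    pos = root + 16 + version_len
    _flags, n_streams = struct.unpack_from("<HH", data, pos)
    pos += 4
    streams = {}
    for _ in range(n_streams):
        offset, size = struct.unpack_from("<II", data, pos)   # offset is relative to root
        pos += 8
        end = data.index(b"\x00", pos)
        name = data[pos:end].decode("ascii")
        pos = root + ((end + 1 - root + 3) & ~3)              # NUL-terminated, 4-byte padded
        streams[name] = data[root + offset: root + offset + size]
    return streams


def strings_heap_names(heap: bytes) -> set:
    """Split the #Strings heap into identifiers. Triage approximation only:
    the heap may suffix-share entries, which a table walk would resolve."""
    return {s.decode("utf-8", "replace") for s in heap.split(b"\x00") if s}


def reflective_load_indicators(data: bytes) -> dict:
    """Report which reflective-load identifiers the image names, plus the
    'Plugin' symbol the report shows beside the Assembly.Load call."""
    streams = parse_metadata_streams(data)
    names = strings_heap_names(streams.get("#Strings", b""))
    found = REFLECTIVE_LOAD_NAMES & names
    return {
        "streams": sorted(streams),
        "reflective_load_names": sorted(found),
        "all_present": found == REFLECTIVE_LOAD_NAMES,
        "plugin_symbol": "Plugin" in names,
    }


def build_sample_metadata(names) -> bytes:
    """Construct a minimal metadata root with a single #Strings stream.
    Synthetic test input for this example, not bytes from Server.exe."""
    heap = b"\x00" + b"\x00".join(n.encode("utf-8") for n in names) + b"\x00"
    version = b"v4.0.30319\x00\x00"            # 10 chars + NUL, padded to 12
    name_field = b"#Strings\x00\x00\x00\x00"   # 8 chars + NUL, padded to 12
    header_len = 16 + len(version) + 4 + 8 + len(name_field)
    root = (METADATA_SIGNATURE
            + struct.pack("<HHII", 1, 1, 0, len(version)) + version
            + struct.pack("<HH", 0, 1)                          # flags, one stream
            + struct.pack("<II", header_len, len(heap)) + name_field)
    assert len(root) == header_len
    return b"MZ" + b"\x00" * 62 + root + heap   # fake DOS stub keeps the root 4-aligned


if __name__ == "__main__":
    sample = build_sample_metadata(["<Module>", "Fransesco", "Plugin",
                                    "System.Reflection", "Assembly", "Load", "mscorlib"])
    print(reflective_load_indicators(sample))
```

On a real file, pass the whole image to reflective_load_indicators; the metadata root normally sits inside the .text section and the same parser yields the #US heap, which is where operator-supplied strings (hosts, ports, mutex names) of a .NET sample usually live.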

Boot Survival

Source: C:\Users\user\Desktop\Server.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\18f92744a712890ce1a5852179df81aaWindows Update.exe (dropped file; the per-user Startup folder, so the copy runs at every logon of this user)
Source: C:\Users\user\Desktop\Server.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\18f92744a712890ce1a5852179df81aaWindows Update.exe\:Zone.Identifier:$DATA (mark-of-the-web alternate data stream written on the dropped copy)
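Everything in the per-user Startup folder runs at that user's next logon, and the dropped copy also carries a Zone.Identifier stream. The following is an added example, not the sample's code and not part of the report: a Python check that lists the Startup folders, reads each file's Zone.Identifier alternate data stream where one exists, and flags executables dropped there directly (legitimate installers normally place .lnk shortcuts). Reading the stream needs NTFS, so the live collector only does anything on Windows; SAMPLE_ENTRIES, including the OneNote.lnk name, is constructed test input.

```python
import configparser
import os
from pathlib import Path

# Per-user and all-users Startup folders: anything placed here runs at logon.
STARTUP_DIRS = [
    Path(os.environ.get("APPDATA", "")) / "Microsoft/Windows/Start Menu/Programs/Startup",
    Path(os.environ.get("ProgramData", "")) / "Microsoft/Windows/Start Menu/Programs/StartUp",
]
# Files that execute directly; a bare PE or script here is worth a look.
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                       ".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1", ".hta"}

# Constructed test input (filename, raw Zone.Identifier text or None): the name the
# report shows for the dropped file, plus a hypothetical benign shortcut.
SAMPLE_ENTRIES = [
    ("18f92744a712890ce1a5852179df81aaWindows Update.exe", "[ZoneTransfer]\r\nZoneId=3\r\n"),
    ("OneNote.lnk", None),
]


def parse_zone_identifier(text):
    """Parse a Zone.Identifier stream (INI text with a [ZoneTransfer] section).
    Returns {"zone": int, "referrer": str|None, "host": str|None}, or None."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    if not cp.has_section("ZoneTransfer"):
        return None
    sec = cp["ZoneTransfer"]
    return {"zone": int(sec.get("ZoneId", "-1")),
            "referrer": sec.get("ReferrerUrl"),
            "host": sec.get("HostUrl")}


def triage_entry(name, zone_text):
    """Classify one Startup-folder file from its name and its Zone.Identifier text."""
    zone = parse_zone_identifier(zone_text) if zone_text else None
    findings = []
    if Path(name).suffix.lower() in EXECUTABLE_SUFFIXES:
        findings.append("executable placed directly in a Startup folder")
    if zone is not None and zone["zone"] >= 3:
        # ZoneId 3 = Internet, 4 = Restricted: the file (or its source) came from outside
        findings.append("carries mark-of-the-web (ZoneId=%d)" % zone["zone"])
    return {"name": name, "zone": zone, "findings": findings, "suspicious": bool(findings)}


def read_zone_identifier(path):
    """Windows/NTFS only: read the 'Zone.Identifier' alternate data stream, or None."""
    try:
        with open("%s:Zone.Identifier" % path, encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None


def scan_startup_folders(dirs=STARTUP_DIRS):
    """Live collection: triage every file in the Startup folders present on this host."""
    return [triage_entry(p.name, read_zone_identifier(p))
            for d in dirs if d.is_dir()
            for p in d.iterdir() if p.is_file()]


if __name__ == "__main__":
    for entry in scan_startup_folders() or [triage_entry(*e) for e in SAMPLE_ENTRIES]:
        print(entry)
```

The ReferrerUrl and HostUrl fields, when a browser wrote the stream, record where the original download came from and survive a plain file copy, which makes the stream on a dropped copy a useful pivot during incident response.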
Source: C:\Users\user\Desktop\Server.exe Process information set: NOOPENFILEERRORBOX (37 occurrences; SEM_NOOPENFILEERRORBOX suppresses the dialog Windows would otherwise show when a file, such as a DLL being loaded, cannot be found)
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Users\user\Desktop\Server.exe Memory allocated (memory reserve | memory write watch; entries marked † were also committed): 1560000, 36C0000, 16B0000 †, 65E0000, 75E0000 †, 7910000, 8910000 †, 8D60000, 9D60000, AD60000, BD60000 †, C1F0000
(The CLR garbage collector reserves its heap segments with MEM_WRITE_WATCH, so for a managed executable this allocation pattern is normal runtime behaviour and not, on its own, evidence of sandbox evasion.)
Source: C:\Users\user\Desktop\Server.exe Thread delayed: delay time: 922337203685477 (the largest relative timeout a signed 64-bit value can express, 2^63 - 1 hundred-nanosecond ticks, converted to milliseconds: an effectively unbounded sleep)
Source: C:\Users\user\Desktop\Server.exe Window / User API: threadDelayed 525
Source: C:\Users\user\Desktop\Server.exe Window / User API: threadDelayed 471
Source: C:\Users\user\Desktop\Server.exe Window / User API: threadDelayed 413
Source: C:\Users\user\Desktop\Server.exe Window / User API: foregroundWindowGot 577
Source: C:\Users\user\Desktop\Server.exe Window / User API: foregroundWindowGot 591
Source: C:\Users\user\Desktop\Server.exe TID: 8764 Thread sleep count: 55 > 30
Source: C:\Users\user\Desktop\Server.exe TID: 8888 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Server.exe TID: 8744 Thread sleep count: 169 > 30
Source: C:\Users\user\Desktop\Server.exe TID: 8744 Thread sleep time: -169000s >= -30000s
Source: C:\Users\user\Desktop\Server.exe TID: 8896 Thread sleep count: 525 > 30
Source: C:\Users\user\Desktop\Server.exe TID: 8896 Thread sleep time: -1050000s >= -30000s
Source: C:\Users\user\Desktop\Server.exe TID: 8908 Thread sleep count: 107 > 30
Source: C:\Users\user\Desktop\Server.exe TID: 8908 Thread sleep time: -53500s >= -30000s
Source: C:\Users\user\Desktop\Server.exe TID: 8896 Thread sleep count: 471 > 30
Source: C:\Users\user\Desktop\Server.exe TID: 8896 Thread sleep time: -942000s >= -30000s
Source: C:\Users\user\Desktop\Server.exe TID: 8744 Thread sleep count: 413 > 30
Source: C:\Users\user\Desktop\Server.exe TID: 8744 Thread sleep time: -413000s >= -30000s
Source: C:\Users\user\Desktop\Server.exe TID: 8908 Thread sleep count: 306 > 30
Source: C:\Users\user\Desktop\Server.exe TID: 8908 Thread sleep time: -153000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Server.exe Thread delayed: delay time: 922337203685477
Dividing each thread's summed sleep time by its call count gives a constant per-call interval (TID 8896: 2000, TID 8744: 1000, TID 8908: 500, in the report's units), so these three threads are polling loops rather than one long evasive sleep; the unbounded delay belongs to TID 8888 alone. The threadDelayed counts 525, 471 and 413 match the per-thread sleep counts of TID 8896 and TID 8744.
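The sleep findings read differently once the per-thread figures are combined: the unbounded delay (922337203685477, the 64-bit maximum expressed in milliseconds) sits on TID 8888 alone, while TIDs 8744, 8896 and 8908 sleep a fixed 1000, 2000 and 500 per call, which is what polling loops look like. The script below is an added example, not part of the report or of the sample: it parses lines in the report's own "TID: ... Thread sleep count/time" form, derives the per-call interval and separates loops from unbounded sleeps. SAMPLE_LINES is constructed from the findings shown here, and the 30000 threshold is the one the report prints.

```python
import re
from collections import defaultdict

# Largest relative timeout a signed 64-bit value expresses in 100 ns ticks,
# converted to milliseconds: (2**63 - 1) // 10_000 == 922337203685477,
# exactly the delay value the report shows for Server.exe.
MAX_TIMEOUT_MS = (2**63 - 1) // 10_000
EVASION_THRESHOLD_MS = 30_000          # the report's own ">= -30000" bound

SLEEP_RE = re.compile(
    r"TID:\s*(?P<tid>\d+)\s*Thread sleep "
    r"(?:count:\s*(?P<count>\d+)\s*>\s*\d+"
    r"|time:\s*-(?P<time>\d+)s\s*>=\s*-\d+s)"
)
DELAY_RE = re.compile(r"Thread delayed: delay time:\s*(?P<ms>\d+)")

# Constructed input: the sleep findings from this report, one per line.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\Server.exe Thread delayed: delay time: 922337203685477",
    r"Source: C:\Users\user\Desktop\Server.exe TID: 8764 Thread sleep count: 55 > 30",
    r"Source: C:\Users\user\Desktop\Server.exe TID: 8888 Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Users\user\Desktop\Server.exe TID: 8744 Thread sleep count: 169 > 30",
    r"Source: C:\Users\user\Desktop\Server.exe TID: 8744 Thread sleep time: -169000s >= -30000s",
    r"Source: C:\Users\user\Desktop\Server.exe TID: 8896 Thread sleep count: 525 > 30",
    r"Source: C:\Users\user\Desktop\Server.exe TID: 8896 Thread sleep time: -1050000s >= -30000s",
    r"Source: C:\Users\user\Desktop\Server.exe TID: 8908 Thread sleep count: 107 > 30",
    r"Source: C:\Users\user\Desktop\Server.exe TID: 8908 Thread sleep time: -53500s >= -30000s",
    r"Source: C:\Users\user\Desktop\Server.exe TID: 8896 Thread sleep count: 471 > 30",
    r"Source: C:\Users\user\Desktop\Server.exe TID: 8896 Thread sleep time: -942000s >= -30000s",
    r"Source: C:\Users\user\Desktop\Server.exe TID: 8744 Thread sleep count: 413 > 30",
    r"Source: C:\Users\user\Desktop\Server.exe TID: 8744 Thread sleep time: -413000s >= -30000s",
    r"Source: C:\Users\user\Desktop\Server.exe TID: 8908 Thread sleep count: 306 > 30",
    r"Source: C:\Users\user\Desktop\Server.exe TID: 8908 Thread sleep time: -153000s >= -30000s",
    r"Source: C:\Users\user\Desktop\Server.exe Thread delayed: delay time: 922337203685477",
]


def parse_sleep_lines(lines):
    """Sum 'Thread sleep count' and 'Thread sleep time' findings per TID."""
    per_tid = defaultdict(lambda: {"calls": 0, "total": 0})
    for line in lines:
        m = SLEEP_RE.search(line)
        if m is None:
            continue
        if m.group("count") is not None:
            per_tid[m.group("tid")]["calls"] += int(m.group("count"))
        else:
            per_tid[m.group("tid")]["total"] += int(m.group("time"))
    return dict(per_tid)


def summarise(lines):
    """Separate polling loops (constant interval per call) from unbounded sleeps."""
    stats = parse_sleep_lines(lines)
    report = {"intervals": {}, "unbounded_tids": [], "long_sleepers": [],
              "unbounded_delays": 0}
    for tid, s in stats.items():
        if s["total"] >= MAX_TIMEOUT_MS:
            report["unbounded_tids"].append(tid)
        elif s["calls"] and s["total"]:
            # exact here: each of these threads sleeps the same interval every call
            report["intervals"][tid] = s["total"] // s["calls"]
        if s["total"] >= EVASION_THRESHOLD_MS:
            report["long_sleepers"].append(tid)
    report["unbounded_delays"] = sum(
        1 for line in lines
        if (m := DELAY_RE.search(line)) and int(m.group("ms")) >= MAX_TIMEOUT_MS)
    return report


if __name__ == "__main__":
    print(summarise(SAMPLE_LINES))
```

A thread whose interval comes out constant and short is a worker loop (keystroke or foreground-window polling fits the 500 to 2000 figures seen here) and will not be defeated by sleep skipping; the single unbounded wait is the one a sandbox's time acceleration has to handle.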
Source: Server.exe, 00000000.00000002.3751449361.000000000162E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWeutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL"/>
Source: Server.exe, 00000000.00000002.3751449361.000000000162E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK
Source: netsh.exe, 00000001.00000003.1331588191.0000000000731000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll$
("Hyper-V RAW" is the display name of the Winsock Hyper-V socket provider that mswsock.dll registers in the Winsock catalog of any Windows 10 or later host; it appears in every process that initialises Winsock, so these strings are not by themselves evidence that the sample fingerprints the hypervisor.)
Source: C:\Users\user\Desktop\Server.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Server.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Server.exe Memory allocated: page read and write | page guard
Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmp Binary or memory strings: time-stamped foreground-window records of the form "yy/MM/dd | HH:mm:ss - <window title>" (the dates are 26 and 27 March 2025; every record names "Program Manager", the window title of the Windows desktop, Progman). The stamps run from 25/03/26 14:43:00 to 25/03/27 13:24:47. Entries marked * were also found in 00000000.00000002.3752141392.00000000036CE000.00000004.00000800.00020000.00000000.sdmp:
25/03/26 | 15:06:12, 25/03/26 | 20:32:38, 25/03/26 | 18:09:02, 25/03/27 | 13:13:11, 25/03/26 | 16:46:52, 25/03/27 | 04:37:36, 25/03/27 | 00:42:20, 25/03/27 | 10:41:31, 25/03/27 | 00:58:24, 25/03/26 | 14:44:48,
25/03/27 | 04:25:01, 25/03/27 | 13:10:14, 25/03/27 | 10:03:32, 25/03/27 | 10:32:44, 25/03/27 | 08:11:02, 25/03/26 | 16:37:36, 25/03/27 | 09:03:28 *, 25/03/27 | 03:51:00, 25/03/27 | 08:27:33 *, 25/03/27 | 13:24:47,
25/03/27 | 05:54:54, 25/03/26 | 16:50:17, 25/03/26 | 17:17:56, 25/03/26 | 19:39:27, 25/03/26 | 22:33:14, 25/03/27 | 11:43:45, 25/03/27 | 07:51:38, 25/03/27 | 09:21:33 *, 25/03/26 | 19:38:55, 25/03/26 | 14:44:19,
25/03/26 | 20:40:53, 25/03/26 | 16:45:24, 25/03/27 | 09:09:24 *, 25/03/27 | 08:11:31, 25/03/26 | 23:43:45, 25/03/27 | 09:05:55 *, 25/03/27 | 09:11:43 *, 25/03/27 | 03:00:16, 25/03/27 | 09:13:16 *, 25/03/27 | 06:45:01,
25/03/27 | 01:35:18, 25/03/26 | 14:43:47, 25/03/26 | 14:49:18, 25/03/26 | 17:11:40, 25/03/26 | 21:58:22, 25/03/27 | 07:50:35, 25/03/27 | 07:21:23, 25/03/27 | 04:29:17, 25/03/26 | 14:43:00, 25/03/26 | 19:38:59,
25/03/26 | 17:09:08, 25/03/26 | 17:40:25, 25/03/27 | 04:18:14, 25/03/27 | 03:51:49, 25/03/26 | 20:03:24, 25/03/27 | 12:19:17, 25/03/26 | 19:40:02, 25/03/26 | 23:01:01, 25/03/27 | 07:12:07, 25/03/27 | 05:56:27,
25/03/27 | 08:03:10, 25/03/26 | 19:50:08, 25/03/27 | 00:12:13, 25/03/27 | 10:05:03, 25/03/26 | 22:38:11, 25/03/27 | 05:16:24, 25/03/26 | 15:32:56, 25/03/27 | 09:20:03 *, 25/03/27 | 03:35:53, 25/03/26 | 21:36:19,
25/03/26 | 18:59:05, 25/03/26 | 23:30:13, 25/03/27 | 04:14:45, 25/03/27 | 01:11:55, 25/03/27 | 07:03:45, 25/03/27 | 02:11:07, 25/03/27 | 11:00:31, 25/03/26 | 20:15:43, 25/03/26 | 14:44:30, 25/03/27 | 00:42:38,
25/03/26 | 21:30:36, 25/03/27 | 06:25:40, 25/03/27 | 10:48:15, 25/03/26 | 14:44:01, 25/03/27 | 01:46:48, 25/03/26 | 21:36:44, 25/03/26 | 23:56:34, 25/03/26 | 14:43:02, 25/03/26 | 21:40:22, 25/03/27 | 10:07:46,
25/03/27 | 09:19:26 *, 25/03/27 | 06:56:23, 25/03/27 | 09:17:18 *, 25/03/27 | 01:54:26, 25/03/26 | 17:28:57, 25/03/26 | 21:13:51, 25/03/27 | 00:27:49, 25/03/27 | 09:02:40 *, 25/03/26 | 23:42:13, 25/03/27 | 00:04:25,
25/03/26 | 18:31:01, 25/03/26 | 16:35:34, 25/03/26 | 20:07:57, 25/03/27 | 04:55:28, 25/03/27 | 10:54:22
Source: Server.exe, 00000000.00000002.3753449179.000000000B0C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager\O"l
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 04:26:45 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 20:36:03 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 06:17:39 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 02:34:40 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 06:30:47 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 17:45:32 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 04:17:48 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 19:13:35 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 19:39:25 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 16:38:00 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 07:27:27 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 22:56:01 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 18:55:20 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 22:13:26 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmp, Server.exe, 00000000.00000002.3752141392.00000000036CE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 08:50:16 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 00:45:04 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 03:02:18 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 00:44:05 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 14:46:11 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 10:05:09 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 02:24:58 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 14:44:11 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 02:06:00 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 06:27:11 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 20:57:56 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 03:51:08 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 00:12:44 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 16:48:56 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 00:04:52 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 00:16:15 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 05:31:07 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 13:10:18 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 19:43:19 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 11:31:14 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 04:21:36 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 04:24:35 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 20:18:15 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 09:48:34 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 20:47:27 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 21:06:04 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 03:52:03 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 17:54:15 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 02:45:06 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 20:28:32 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmp, Server.exe, 00000000.00000002.3752141392.00000000036CE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 09:14:27 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 19:28:57 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 07:26:59 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 00:05:05 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 04:02:20 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 02:27:59 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 17:04:05 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 23:30:48 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 03:28:21 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 21:06:25 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 21:06:52 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 10:19:22 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 13:12:00 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 21:38:34 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 23:05:29 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 10:56:24 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 23:53:45 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 10:55:23 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 11:03:07 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 00:32:17 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 22:30:34 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 08:08:48 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 18:01:54 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 19:47:32 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 20:46:32 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 20:50:53 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 06:57:24 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmp, Server.exe, 00000000.00000002.3752141392.00000000036CE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 08:39:27 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 16:38:49 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 00:07:55 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 03:18:37 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 05:46:00 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 20:42:07 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 23:23:28 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 06:57:03 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 00:16:46 - Program Manager
            Source: Server.exe, 00000000.00000002.3752141392.00000000036CE000.00000004.00000800.00020000.00000000.sdmp, Server.exe, 00000000.00000002.3753449179.000000000B0C2000.00000004.00000800.00020000.00000000.sdmp, Server.exe, 00000000.00000002.3753449179.000000000AE27000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 17:43:34 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 02:00:21 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 22:09:34 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 06:46:37 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 11:13:44 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 02:03:07 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 19:39:44 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 12:44:13 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 01:21:26 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 03:59:02 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 21:54:43 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 01:33:02 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 21:25:28 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 22:37:26 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 17:13:17 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 01:04:25 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 03:22:25 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 21:36:30 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 15:24:33 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 07:22:45 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 10:35:18 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 03:21:36 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 21:44:32 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 19:39:50 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 11:44:23 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 04:28:57 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 19:09:53 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 04:41:49 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 09:58:38 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 20:42:59 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 12:54:38 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 01:20:17 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 05:36:08 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 06:37:46 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 11:19:03 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 02:58:11 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 15:35:28 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmp, Server.exe, 00000000.00000002.3752141392.00000000036CE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 08:18:27 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 20:15:28 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 21:55:39 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 20:53:13 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 23:11:13 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmp, Server.exe, 00000000.00000002.3752141392.00000000036CE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 08:28:26 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 20:41:50 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 03:12:59 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 01:34:30 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 10:13:09 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 21:30:51 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 02:40:17 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 21:39:02 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 15:35:34 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 00:28:36 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 05:20:18 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 03:52:15 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 17:33:48 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 05:39:34 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 19:49:09 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 20:09:36 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 20:32:07 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 05:29:48 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 20:27:24 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 05:48:18 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 03:50:24 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 13:12:47 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 20:50:28 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 21:05:24 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 04:42:11 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 10:43:33 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 19:51:46 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 23:24:55 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 05:41:09 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 09:48:03 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 00:05:30 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 04:11:28 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 21:46:46 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 05:31:43 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 22:24:13 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 01:12:59 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 21:38:04 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 14:45:40 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 07:49:28 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 20:30:59 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 14:46:04 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 01:35:34 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 02:56:51 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 20:15:25 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 23:02:11 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmp, Server.exe, 00000000.00000002.3752141392.00000000036CE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 08:38:09 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 12:01:01 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 12:45:37 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 11:34:09 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 15:46:46 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 07:26:09 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 21:43:19 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 17:17:08 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmp, Server.exe, 00000000.00000002.3752141392.00000000036CE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 08:23:20 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 19:10:30 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 03:48:38 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmp, Server.exe, 00000000.00000002.3752141392.00000000036CE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 08:49:36 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmp, Server.exe, 00000000.00000002.3752141392.00000000036CE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 08:47:25 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 11:58:28 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 17:17:47 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 20:03:34 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 15:47:13 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 19:09:09 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 18:11:31 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 03:32:33 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 16:57:01 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 20:50:18 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 13:09:38 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 13:18:08 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 22:20:25 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/26 | 15:35:30 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 09:51:21 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 02:02:20 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 00:54:09 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 05:56:16 - Program Manager
            Source: Server.exe, 00000000.00000002.3752220072.00000000046E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 25/03/27 | 05:57:31 - Program Manager
            Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Server.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
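The dated strings above are the per-window headers that njRAT's keylogger prepends to captured keystrokes: a timestamp and the title of the foreground window, here always "Program Manager", the title of the desktop's Progman window (its class name is the "ProgMan" string found in the same memory). Two details matter when reading them. Only the headers are present in these memory regions, so there is no keystroke content to recover from this run. And the timestamps run from 25/03/26 14:44:32 to 25/03/27 13:18:08, almost 23 hours, while the analysis lasted 6m 40s; the API Interceptor entry further down records 149533 modified Sleep calls, and a sandbox that skips sleeps advances the clock the malware reads, so the span reflects accelerated time rather than a day of victim activity. The parser below is an added example, not code from this report or from njRAT; it assumes the date field is YY/MM/DD (consistent with the analysis date), and it runs over a constructed list of strings copied from the report plus deliberate non-matches.

```python
import re
from datetime import datetime, timedelta

# One header per foreground-window change, in the shape the report's strings show:
#   YY/MM/DD | HH:MM:SS - <window title>
# Two-digit year and day/month order are assumed from the analysis date (2025-03-26).
HEADER_RE = re.compile(r"^(\d{2})/(\d{2})/(\d{2}) \| (\d{2}):(\d{2}):(\d{2}) - (.+?)\s*$")

# From the report: "Overall analysis duration: 0h 6m 40s"
ANALYSIS_DURATION = timedelta(minutes=6, seconds=40)


def parse_window_headers(strings):
    """Return (timestamp, window_title) pairs, oldest first, for every string that is a
    well-formed header; other strings and lookalikes with impossible dates are skipped."""
    entries = []
    for s in strings:
        m = HEADER_RE.match(s)
        if not m:
            continue
        yy, mo, dd, hh, mi, ss, title = m.groups()
        try:
            ts = datetime(2000 + int(yy), int(mo), int(dd), int(hh), int(mi), int(ss))
        except ValueError:  # e.g. month 13: matches the regex but cannot be a real header
            continue
        entries.append((ts, title))
    entries.sort(key=lambda e: e[0])
    return entries


def summarize(entries, analysis_duration):
    """Per-window counts plus the time span the log claims to cover. A span far longer
    than the sandbox run means the sample's clock ran ahead (skipped Sleep calls), not
    that it observed the victim for that long."""
    if not entries:
        return {"count": 0, "windows": {}, "span_seconds": 0, "clock_skewed": False}
    windows = {}
    for _, title in entries:
        windows[title] = windows.get(title, 0) + 1
    span = entries[-1][0] - entries[0][0]
    return {
        "count": len(entries),
        "windows": windows,
        "first": entries[0][0].isoformat(sep=" "),
        "last": entries[-1][0].isoformat(sep=" "),
        "span_seconds": int(span.total_seconds()),
        "clock_skewed": span > analysis_duration,
    }


# Constructed input: four of the strings listed in the report, mixed with strings that
# must not be mistaken for headers.
SAMPLE_STRINGS = [
    "25/03/27 | 05:27:53 - Program Manager",
    "25/03/26 | 14:44:32 - Program Manager",
    "25/03/27 | 13:18:08 - Program Manager",
    "25/03/26 | 23:02:05 - Program Manager",
    "ProgMan",
    "25/13/40 | 99:99:99 - looks like a header but is not one",
    "This program cannot be run in DOS mode",
]

if __name__ == "__main__":
    print(summarize(parse_window_headers(SAMPLE_STRINGS), ANALYSIS_DURATION))
```

Feed it the output of `strings` on a memory dump of the process and the `windows` map shows which applications had focus while the keylogger ran; on a real victim the titles, not the timestamps, are the useful part.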

            Lowering of HIPS / PFW / Operating System Security Settings

            Source: Server.exe, Fransesco.cs | .Net Code: INS
            Source: 18f92744a712890ce1a5852179df81aaWindows Update.exe.0.dr, Fransesco.cs | .Net Code: INS
            Source: C:\Users\user\Desktop\Server.exe | Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS
            Source: C:\Users\user\Desktop\Server.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\Server.exe" "Server.exe" ENABLE
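Both findings in this section are cheap to alert on: a netsh.exe child of a user-land process adding a firewall exception, and a new SEE_MASK_NOZONECHECKS value under an Environment key (HKCU\Environment covers that user's processes; the machine-wide equivalent is HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment). The legacy "netsh firewall" context is deprecated, but as the netsh output captured later in this report shows, Windows 10 still executes it, so a rule that only knows "netsh advfirewall" misses this sample. The following is an added example, not code from the report; it evaluates constructed process, registry and file events modelled on the findings (the registry data "1" is assumed, the report only records that the value was created) and also covers the advfirewall and firewall-off forms, which this sample did not use.

```python
import ntpath
import re

# Windows-style command-line splitter: a quoted path stays one token, quotes are dropped.
TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')


def split_cmdline(cmdline):
    return [t.replace('"', "") for t in TOKEN_RE.findall(cmdline)]


def _kv(tokens, key):
    """Value of the first key=value token whose key matches case-insensitively, else None."""
    return next((t[len(key):] for t in tokens if t.lower().startswith(key)), None)


def check_netsh(cmdline):
    toks = split_cmdline(cmdline)
    if not toks or ntpath.basename(toks[0]).lower() not in ("netsh", "netsh.exe"):
        return None
    low = [t.lower() for t in toks]
    # Legacy "netsh firewall" context (what this sample used): deprecated since Vista,
    # still executed on Windows 10, as the captured netsh output in this report shows.
    if low[1:4] == ["firewall", "add", "allowedprogram"] and len(toks) > 4:
        return ("firewall_exception_added", _kv(toks[4:5], "program=") or toks[4])
    if low[1:4] == ["firewall", "set", "opmode"] and any(t in ("disable", "mode=disable") for t in low[4:]):
        return ("firewall_disabled", None)
    # Modern "netsh advfirewall" forms (not seen in this report, included for coverage).
    if low[1:5] == ["advfirewall", "firewall", "add", "rule"] and (_kv(low, "action=") or "allow") == "allow":
        return ("firewall_exception_added", _kv(toks, "program="))
    if low[1:3] == ["advfirewall", "set"] and "state" in low and "off" in low:
        return ("firewall_disabled", None)
    return None


def check_registry(key, value_name):
    # SEE_MASK_NOZONECHECKS=1 in an Environment key makes ShellExecute skip the zone
    # (Mark-of-the-Web) check in every process that inherits that environment.
    if key.rstrip("\\").upper().endswith("\\ENVIRONMENT") and value_name.upper() == "SEE_MASK_NOZONECHECKS":
        scope = "all users" if key.upper().startswith("HKEY_LOCAL_MACHINE") else "current user"
        return ("zone_checks_disabled", scope)
    return None


def check_file(path):
    if "\\START MENU\\PROGRAMS\\STARTUP\\" in path.upper() and path.lower().endswith(
        (".exe", ".dll", ".scr", ".lnk", ".vbs", ".js", ".bat", ".cmd")
    ):
        return ("startup_folder_persistence", path)
    return None


def triage(events):
    findings = []
    for ev in events:
        if ev["type"] == "process":
            hit = check_netsh(ev["cmdline"])
        elif ev["type"] == "registry":
            hit = check_registry(ev["key"], ev["value"])
        elif ev["type"] == "file":
            hit = check_file(ev["path"])
        else:
            hit = None
        if hit:
            findings.append(hit)
    return findings


# Constructed events mirroring the report's findings (not real telemetry); the registry
# data "1" is an assumption, the report only says the value was created.
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": r'netsh firewall add allowedprogram "C:\Users\user\Desktop\Server.exe" "Server.exe" ENABLE'},
    {"type": "registry", "key": r"HKEY_CURRENT_USER\Environment", "value": "SEE_MASK_NOZONECHECKS", "data": "1"},
    {"type": "file", "path": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\18f92744a712890ce1a5852179df81aaWindows Update.exe"},
    {"type": "process", "cmdline": "netsh interface show interface"},  # benign
    {"type": "registry", "key": r"HKEY_CURRENT_USER\Environment", "value": "Path", "data": r"C:\Users\user\bin"},  # benign
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(*finding)
```

The parent process matters as much as the command line: netsh.exe spawned from a binary on the user's Desktop, as in the process tree here, is a stronger signal than the same command run by an installer or a scheduled task, so a production rule should carry the parent image alongside these checks.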

            Stealing of Sensitive Information

            Source: Yara match | File source: Server.exe, type: SAMPLE
            Source: Yara match | File source: 0.0.Server.exe.f00000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000000.1289812590.0000000000F02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: Server.exe PID: 8740, type: MEMORYSTR
            Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\18f92744a712890ce1a5852179df81aaWindows Update.exe, type: DROPPED

            Remote Access Functionality

            Source: Yara match | File source: Server.exe, type: SAMPLE
            Source: Yara match | File source: 0.0.Server.exe.f00000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000000.1289812590.0000000000F02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: Server.exe PID: 8740, type: MEMORYSTR
            Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\18f92744a712890ce1a5852179df81aaWindows Update.exe, type: DROPPED
            MITRE ATT&CK Matrix (one line per tactic; techniques the report marks as matched carry the number shown next to them in the original matrix in brackets, the remaining entries are the matrix's unmatched placeholder cells)

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
            Initial Access: Replication Through Removable Media [11]; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
            Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
            Persistence: Registry Run Keys / Startup Folder [12]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
            Privilege Escalation: Access Token Manipulation [1]; Process Injection [2]; Registry Run Keys / Startup Folder [12]; DLL Side-Loading [1]; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
            Defense Evasion: Masquerading [1]; Disable or Modify Tools [41]; Virtualization/Sandbox Evasion [31]; Access Token Manipulation [1]; Process Injection [2]; Obfuscated Files or Information [1]; Software Packing [1]; DLL Side-Loading [1]
            Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
            Discovery: Security Software Discovery [11]; Process Discovery [2]; Virtualization/Sandbox Evasion [31]; Application Window Discovery [1]; Peripheral Device Discovery [1]; System Information Discovery [12]; Remote System Discovery; System Owner/User Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
            Collection: Archive Collected Data [1]; Clipboard Data [1]; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
            Command and Control: Encrypted Channel [1]; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
            Behavior Graph

            Behavior Graph ID: 1649453 | Sample: Server.exe | Startdate: 26/03/2025 | Architecture: WINDOWS | Score: 100
            Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 8 other signatures
            Process tree (from the graph):
            • Server.exe (started; counters shown on the node: 1, 8)
              dropped: 18f92744a712890ce1...aWindows Update.exe, PE32
              dropped: 18f92744a712890ce1...exe:Zone.Identifier, ASCII
              signatures: Disables zone checking for all users; Drops PE files to the startup folder; Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall
              • netsh.exe (started by Server.exe; counter shown on the node: 2)
                • conhost.exe (started by netsh.exe)

            Source | Detection | Scanner | Label
            Server.exe | 71% | Virustotal |
            Server.exe | 86% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
            Server.exe | 100% | Avira | TR/Dropper.Gen
            SAMPLE | 100% | Joe Sandbox ML |
            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\18f92744a712890ce1a5852179df81aaWindows Update.exe | 100% | Avira | TR/Dropper.Gen
            C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\18f92744a712890ce1a5852179df81aaWindows Update.exe | 86% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
            C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\18f92744a712890ce1a5852179df81aaWindows Update.exe | 71% | Virustotal |
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches


            No contacted domains info
            No contacted IP infos
            Joe Sandbox version:42.0.0 Malachite
            Analysis ID:1649453
            Start date and time:2025-03-26 19:42:08 +01:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 6m 40s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of new started processes analysed:10
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:Server.exe
            Detection:MAL
            Classification:mal100.spre.phis.troj.adwa.evad.winEXE@4/4@0/0
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:
            • Successful, ratio: 98%
            • Number of executed functions: 92
            • Number of non-executed functions: 0
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Override analysis time to 240s for sample files taking high CPU consumption
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe
            • Excluded IPs from analysis (whitelisted): 23.9.183.29, 20.12.23.50, 20.96.153.111, 150.171.28.10, 23.44.203.188
            • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, g.bing.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, arc.msn.com, fe3cr.delivery.mp.microsoft.com
            • Not all processes were analyzed, report is missing behavior information
            • Report size getting too big, too many NtQueryValueKey calls found.
            Time | Type | Description
            14:43:39 | API Interceptor | 149533x Sleep call for process: Server.exe modified
            19:43:07 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\18f92744a712890ce1a5852179df81aaWindows Update.exe
            No context
            Process:C:\Users\user\Desktop\Server.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):95232
            Entropy (8bit):5.567043009046237
            Encrypted:false
            SSDEEP:1536:mU+8mGnrQr1EsOoYdsjEwzGi1dDmDFgS:mUvnrQr11r2i1doS
            MD5:B639B796E755BA9A04A6A5F2900FC084
            SHA1:E1F8A378C4B2C46C873AE77453399B1E9DC01B14
            SHA-256:6D498DD502299432D28C52C34726738DAC6F0466E12CAF4240E09231A00B0D01
            SHA-512:CC0E3C2FC6BBC0FC0C4B490D46090B7AB4BC3538784BCFBAD46D93B064A938C6D80EA20628EAE2AFCAE74410477AF7522AB7B00807A6DC991B372B8CDD99BE9F
            Malicious:true
            Yara Hits:
            • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\18f92744a712890ce1a5852179df81aaWindows Update.exe, Author: Joe Security
            • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\18f92744a712890ce1a5852179df81aaWindows Update.exe, Author: unknown
            • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\18f92744a712890ce1a5852179df81aaWindows Update.exe, Author: Florian Roth
            • Rule: crimeware_njrat_strings, Description: Detects njRAT based on some strings, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\18f92744a712890ce1a5852179df81aaWindows Update.exe, Author: Sekoia.io
            • Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\18f92744a712890ce1a5852179df81aaWindows Update.exe, Author: JPCERT/CC Incident Response Group
            • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\18f92744a712890ce1a5852179df81aaWindows Update.exe, Author: ditekSHen
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            • Antivirus: ReversingLabs, Detection: 86%
            • Antivirus: Virustotal, Detection: 71%, Browse
            Reputation:low
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.................p..........N.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...To... ...p.................. ..`.reloc...............r..............@..B........................................................0.......H......................................................................&.(......**..(......*.s.........s ........s!........s".........*.0...........~....o#....+..*.0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
            Process:C:\Users\user\Desktop\Server.exe
            File Type:ASCII text, with CRLF line terminators
            Category:modified
            Size (bytes):26
            Entropy (8bit):3.95006375643621
            Encrypted:false
            SSDEEP:3:ggPYV:rPYV
            MD5:187F488E27DB4AF347237FE461A079AD
            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
            Malicious:true
            Reputation:high, very likely benign file
            Preview:[ZoneTransfer]....ZoneId=0
            Process:C:\Users\user\Desktop\Server.exe
            File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
            Category:dropped
            Size (bytes):5
            Entropy (8bit):2.321928094887362
            Encrypted:false
            SSDEEP:3:g:g
            MD5:5014379CF5FA31DB8A73D68D6353A145
            SHA1:2A1A5138E8C9E7547CAAE1C9FB223AFBF714ED00
            SHA-256:538B830838CBF62E6CE267B48E2EB165030686E5B6317F0B1E9205A3E08C73B8
            SHA-512:5091A16EF7730449601A70B5EF5512A93C98C76BEB8CFEE1ADC9D39780C49B1D712E764720B04E44E18C7B08633C5D453793462C18DC6BEF14D82BF69892E18F
            Malicious:false
            Reputation:low
            Preview:.26
            Process:C:\Windows\SysWOW64\netsh.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):313
            Entropy (8bit):4.971939296804078
            Encrypted:false
            SSDEEP:6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
            MD5:689E2126A85BF55121488295EE068FA1
            SHA1:09BAAA253A49D80C18326DFBCA106551EBF22DD6
            SHA-256:D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
            SHA-512:C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
            Malicious:false
            Reputation:high, very likely benign file
            Preview:..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....
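Two of the four dropped artefacts are small enough to reconstruct from the size and preview columns: the 26-byte Zone.Identifier stream written beside the startup-folder copy, and a 5-byte file holding a UTF-8 BOM followed by the text "26". The Zone.Identifier content is the one that matters: ZoneId=0 is URLZONE_LOCAL_MACHINE, so the copy that runs at every logon carries no Mark-of-the-Web and none of the zone-based open-file warnings or SmartScreen checks apply to it, while the SEE_MASK_NOZONECHECKS environment value set earlier covers the same ground for anything the sample launches through ShellExecute. The script below is an added example, not code from the report: the four unprintable bytes in the Zone.Identifier preview are taken to be CR LF CR LF, the URLs in the contrasting browser-download stream are hypothetical, and its entropy function reproduces the report's "Entropy (8bit)" figures for both reconstructed blobs.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data):
    """Shannon entropy in bits per byte (0.0 to 8.0); what the report's 'Entropy (8bit)' column reports."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# URLZONE values as the Attachment Manager writes them into :Zone.Identifier
URLZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites", 3: "Internet", 4: "Restricted sites"}


def parse_zone_identifier(stream):
    """Parse the [ZoneTransfer] INI section of a Zone.Identifier alternate data stream.
    Returns None when the stream carries no usable ZoneId."""
    section, fields = None, {}
    for raw in stream.decode("utf-8", "replace").splitlines():
        line = raw.strip()
        if not line:
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1].lower()
        elif section == "zonetransfer" and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    if not fields.get("ZoneId", "").isdigit():
        return None
    zone = int(fields["ZoneId"])
    return {
        "zone_id": zone,
        "zone": URLZONES.get(zone, "unknown"),
        # SmartScreen, Office Protected View and the open-file warning act on zones 3 and 4 only,
        # so ZoneId=0 on a freshly dropped executable is the same as having no marker at all.
        "mark_of_the_web": zone >= 3,
        "referrer": fields.get("ReferrerUrl"),
        "host": fields.get("HostUrl"),
    }


def looks_like_pe(data):
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def triage_blob(data):
    """The per-file fields worth recording for a dropped artefact."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "entropy": round(shannon_entropy(data), 6),
        "is_pe": looks_like_pe(data),
        "utf8_bom": data[:3] == b"\xEF\xBB\xBF",
    }


# Constructed reproductions of two dropped artefacts, from the size and preview columns
# above (the four unprintable bytes in the preview are assumed to be CR LF CR LF):
ZONE_STREAM = b"[ZoneTransfer]\r\n\r\nZoneId=0"   # 26 bytes, written beside the startup-folder copy
BOM_FILE = b"\xEF\xBB\xBF26"                    # 5 bytes: UTF-8 BOM followed by "26"
# An ordinary browser-download marker for contrast (hypothetical URLs):
MOTW_STREAM = (b"[ZoneTransfer]\r\nZoneId=3\r\n"
               b"ReferrerUrl=https://example.invalid/\r\nHostUrl=https://example.invalid/Server.exe\r\n")

if __name__ == "__main__":
    for label, blob in (("Zone.Identifier", ZONE_STREAM), ("BOM file", BOM_FILE), ("download marker", MOTW_STREAM)):
        print(label, triage_blob(blob), parse_zone_identifier(blob))
```

On a live host the stream is read with `open(path + ":Zone.Identifier", "rb")`; a ZoneId of 0 on a file in a Startup folder that was created minutes earlier is itself worth an alert, since nothing legitimate writes that marker onto a brand-new file.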
            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Entropy (8bit):5.567043009046237
            TrID:
            • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
            • Win32 Executable (generic) a (10002005/4) 49.75%
            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
            • Windows Screen Saver (13104/52) 0.07%
            • Generic Win/DOS Executable (2004/3) 0.01%
            File name:Server.exe
            File size:95'232 bytes
            MD5:b639b796e755ba9a04a6a5f2900fc084
            SHA1:e1f8a378c4b2c46c873ae77453399b1e9dc01b14
            SHA256:6d498dd502299432d28c52c34726738dac6f0466e12caf4240e09231a00b0d01
            SHA512:cc0e3c2fc6bbc0fc0c4b490d46090b7ab4bc3538784bcfbad46d93b064a938c6d80ea20628eae2afcae74410477af7522ab7b00807a6dc991b372b8cdd99be9f
            SSDEEP:1536:mU+8mGnrQr1EsOoYdsjEwzGi1dDmDFgS:mUvnrQr11r2i1doS
            TLSH:6E93D84977E56524E0BF56F79471F2015F34B48B1602E39E48F219EA0A33AC44F89FEA
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.................p..........N.... ........@.. ....................................@................................
            Icon Hash:90cececece8e8eb0
            Entrypoint:0x418f4e
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Time Stamp:0x67E30BB4 [Tue Mar 25 20:01:56 2025 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
            Instruction
            jmp dword ptr [00402000h]
            add byte ptr [eax], al (repeated for the rest of the listing: the bytes after the jmp are zero padding, which the disassembler decodes as this instruction)
            Name                                  Virtual Address  Virtual Size  Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
            IMAGE_DIRECTORY_ENTRY_IMPORT          0x18efc          0x4f          .text
            IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
            IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
            IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
            IMAGE_DIRECTORY_ENTRY_BASERELOC       0x1a000          0xc           .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
            IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
            IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
            IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
            Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity    File Type  Entropy              Characteristics
            .text   0x2000           0x16f54       0x17000   e7ae314033e236a5c484db28d903d2fa  False     0.368705417798913  data       5.598732992436973    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .reloc  0x1a000          0xc           0x200     dddee5b48052d5dc59ff07bd5a224610  False     0.044921875        data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

            DLL          Import
            mscoree.dll  _CorExeMain


            Timestamp                            Source Port  Dest Port  Source IP     Dest IP
            Mar 26, 2025 19:43:44.116897106 CET  53           52868      162.159.36.2  192.168.2.5

            Target ID:0
            Start time:14:42:59
            Start date:26/03/2025
            Path:C:\Users\user\Desktop\Server.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\Server.exe"
            Imagebase:0xf00000
            File size:95'232 bytes
            MD5 hash:B639B796E755BA9A04A6A5F2900FC084
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000000.1289812590.0000000000F02000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000000.1289812590.0000000000F02000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
            • Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000000.1289812590.0000000000F02000.00000002.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group
            Reputation:low
            Has exited:false

            Target ID:1
            Start time:14:43:01
            Start date:26/03/2025
            Path:C:\Windows\SysWOW64\netsh.exe
            Wow64 process (32bit):true
            Commandline:netsh firewall add allowedprogram "C:\Users\user\Desktop\Server.exe" "Server.exe" ENABLE
            Imagebase:0x970000
            File size:82'432 bytes
            MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:2
            Start time:14:43:01
            Start date:26/03/2025
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7e2000000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Execution Graph

            Execution Coverage

            Dynamic/Packed Code Coverage

            Signature Coverage

            Execution Coverage:14.9%
            Dynamic/Decrypted Code Coverage:100%
            Signature Coverage:11.3%
            Total number of Nodes:115
            Total number of Limit Nodes:4

            Executed Functions

            Control-flow Graph

            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3751977000.0000000001C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 01C70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1c70000_Server.jbxd
            Similarity
            • API ID:
            • String ID: @$\O"l$2"l
            • API String ID: 0-4205763654
            • Opcode ID: 579949a5330409ed0dcbb6493d26ccffe652a3acb098dbd7c56511b14cd66643
            • Instruction ID: d759e34a2e09bc53a4bac5143eb1a615c2694d597f50dbd9fc31e36c099ebcbf
            • Opcode Fuzzy Hash: 579949a5330409ed0dcbb6493d26ccffe652a3acb098dbd7c56511b14cd66643
            • Instruction Fuzzy Hash: 43235874A01228CFDB25DF24D964BE9B7B2FB49308F0040EAD919A7791DB799E85CF40
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3751977000.0000000001C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 01C70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1c70000_Server.jbxd
            Similarity
            • API ID:
            • String ID: $\O"l$2"l
            • API String ID: 0-4099737112
            • Opcode ID: 3afb900ef3b6a516715216f34f9ef7e19138b3b756a4429d045c6482943f5edd
            • Instruction ID: 2c6ce1f372bd98b0e74c619e8473c508b51f0dee889ef5c2a95d6bf12519b382
            • Opcode Fuzzy Hash: 3afb900ef3b6a516715216f34f9ef7e19138b3b756a4429d045c6482943f5edd
            • Instruction Fuzzy Hash: B2135974A01228CFDB25DF25D964BE8BBB2FB49304F0040EAD919A7791DB799E85CF40
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3751977000.0000000001C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 01C70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1c70000_Server.jbxd
            Similarity
            • API ID:
            • String ID: 2"l$}Xfk^
            • API String ID: 0-1076500745
            • Opcode ID: 950fe6f9f6e2797607c87827c2c7e43a57e44e5060070cf08894631a55f76eb0
            • Instruction ID: e74a40e70dd7a9946625c948a727baad63aa8f7beca46d464f7f6becc3257cdd
            • Opcode Fuzzy Hash: 950fe6f9f6e2797607c87827c2c7e43a57e44e5060070cf08894631a55f76eb0
            • Instruction Fuzzy Hash: FC422332600321CBDB29CB3AD85827CB7A2BF813547154539D5529B2E1EFBDED41CB91
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3751977000.0000000001C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 01C70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1c70000_Server.jbxd
            Similarity
            • API ID:
            • String ID: L."l
            • API String ID: 0-568539168
            • Opcode ID: 7347ddeafd2df410f3f9a619961c5bf997d1c8de47525b3c41f1b8dcc3337b70
            • Instruction ID: 9c2653fec2090357e010b0aedc3ba9d0737023b70d49ae20c5f57c3f02d4f8f6
            • Opcode Fuzzy Hash: 7347ddeafd2df410f3f9a619961c5bf997d1c8de47525b3c41f1b8dcc3337b70
            • Instruction Fuzzy Hash: A6323131601322CBDB26DB36D49427DB6E2BF84254B15807AE455CB2D6EF7CDD82CB90
            APIs
            • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 014DBC7F
            Memory Dump Source
            • Source File: 00000000.00000002.3751200947.00000000014DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DA000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_14da000_Server.jbxd
            Similarity
            • API ID: AdjustPrivilegesToken
            • String ID:
            • API String ID: 2874748243-0
            • Opcode ID: b116f55026709b636514b146cee02bba5c094ee61d602847ed01d3ab64dd61d0
            • Instruction ID: ec397b649625f2ac0f6dc6d6bb873381705749cd80f45380a3a36535dbc5e291
            • Opcode Fuzzy Hash: b116f55026709b636514b146cee02bba5c094ee61d602847ed01d3ab64dd61d0
            • Instruction Fuzzy Hash: 5D21BF765097809FDB238F25DC54B52BFF4EF06310F0984DBE9858B263D6719808DB61
            APIs
            • NtQuerySystemInformation.NTDLL ref: 014DBDED
            Memory Dump Source
            • Source File: 00000000.00000002.3751200947.00000000014DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DA000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_14da000_Server.jbxd
            Similarity
            • API ID: InformationQuerySystem
            • String ID:
            • API String ID: 3562636166-0
            • Opcode ID: cd0725acd42f3f720c1968aa3b0886c5a07dc4f7d33002c2bd75d92654f2175c
            • Instruction ID: fbd0b59181d55f39794fb50d97b4c0f243ab71933452f73b1297b1cfd8856891
            • Opcode Fuzzy Hash: cd0725acd42f3f720c1968aa3b0886c5a07dc4f7d33002c2bd75d92654f2175c
            • Instruction Fuzzy Hash: A9118B764093C09FDB228F14DC45A92FFF4EF46324F0984DAE9848B263D275A91CDB62
            APIs
            • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 014DBC7F
            Memory Dump Source
            • Source File: 00000000.00000002.3751200947.00000000014DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DA000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_14da000_Server.jbxd
            Similarity
            • API ID: AdjustPrivilegesToken
            • String ID:
            • API String ID: 2874748243-0
            • Opcode ID: a07748b33391018db5e3f6706bcae657cfbb5af2b229934a82755f8922e85752
            • Instruction ID: 4b3d0e2cefe895509004b02ad039f893d3ad8780b5004c262fdc33c9d1534d13
            • Opcode Fuzzy Hash: a07748b33391018db5e3f6706bcae657cfbb5af2b229934a82755f8922e85752
            • Instruction Fuzzy Hash: 26119E765002409FEB21CF55D884B66FBE4FF05620F08C8AEED858B762D771E418DB61
            APIs
            • NtQuerySystemInformation.NTDLL ref: 014DBDED
            Memory Dump Source
            • Source File: 00000000.00000002.3751200947.00000000014DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DA000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_14da000_Server.jbxd
            Similarity
            • API ID: InformationQuerySystem
            • String ID:
            • API String ID: 3562636166-0
            • Opcode ID: d490c8f9e111f5819547851c75dd978d5e3404f282a29c070bb4abaff79475e6
            • Instruction ID: ed6893d33e4883fac850608acbe24434ef3aa06dd4a0c18ec28bd7406892d7e1
            • Opcode Fuzzy Hash: d490c8f9e111f5819547851c75dd978d5e3404f282a29c070bb4abaff79475e6
            • Instruction Fuzzy Hash: 54018B364002409FDB218F05DD85B66FBE0EF49224F08C49ADE894B762D375A429CF62

            Control-flow Graph

            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3751977000.0000000001C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 01C70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1c70000_Server.jbxd
            Similarity
            • API ID:
            • String ID: 2"l$2"l$5]fk^$E]fk^
            • API String ID: 0-2178416371
            • Opcode ID: 149b88a8f76bb2a91c7a0d0e6c770d2c167dcee0f3429cffff8a8925a15316c8
            • Instruction ID: 9c6510ce55cee86b4a3cd9a12425f5375aa28c1569990d7d3d38dbb156132d1b
            • Opcode Fuzzy Hash: 149b88a8f76bb2a91c7a0d0e6c770d2c167dcee0f3429cffff8a8925a15316c8
            • Instruction Fuzzy Hash: D731F2317043945FD7069B7598607BE7BA7ABC3208B0484AEE441CF792DF799C098791

            Control-flow Graph

            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3751977000.0000000001C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 01C70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1c70000_Server.jbxd
            Similarity
            • API ID:
            • String ID: 2"l$2"l$5]fk^$E]fk^
            • API String ID: 0-2178416371
            • Opcode ID: fe4db39be80a37b7c966e1a65c7f054af2e8ace64521095528515a049199a8ee
            • Instruction ID: c37d1c85b3f4267d7b911300f13c46415dee0581440d0776e145a7b4ec857c0f
            • Opcode Fuzzy Hash: fe4db39be80a37b7c966e1a65c7f054af2e8ace64521095528515a049199a8ee
            • Instruction Fuzzy Hash: D711A0317002944FD716EB79A4607FD67EBABD3208748446EE001CFB52DFB98C098B92

            Control-flow Graph

            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3751977000.0000000001C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 01C70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1c70000_Server.jbxd
            Similarity
            • API ID:
            • String ID: \O"l$2"l
            • API String ID: 0-954685956
            • Opcode ID: 1c9775e0f68db2a26e871d3c581de5de547c58e68fe2abcae730b157e019d125
            • Instruction ID: 3ea9c0d3effa1a5119ad4a0f35a321630dcf4c88c1ab74d491070094b6f3ab08
            • Opcode Fuzzy Hash: 1c9775e0f68db2a26e871d3c581de5de547c58e68fe2abcae730b157e019d125
            • Instruction Fuzzy Hash: 22322430A00258CFDB24DF74D854BEDBBB2EB49308F1041AAD509AB794EB799E85CF40

            Control-flow Graph

            APIs
            • getaddrinfo.WS2_32(?,00000E24), ref: 01731D1F
            Memory Dump Source
            • Source File: 00000000.00000002.3751709172.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1730000_Server.jbxd
            Similarity
            • API ID: getaddrinfo
            • String ID:
            • API String ID: 300660673-0
            • Opcode ID: b67e38abd7d6c8e6c1c0c006b3ef2c4980ec719d41c19f8284e7e178aaf91670
            • Instruction ID: a66803a7f6f6ce366017e783f8f31b14439c569d834542e64132c44df1a90d56
            • Opcode Fuzzy Hash: b67e38abd7d6c8e6c1c0c006b3ef2c4980ec719d41c19f8284e7e178aaf91670
            • Instruction Fuzzy Hash: 3331C3B2504380AFE722DB60DC44FA6FFA8EF06314F0444DAE9449B292D375A949CB71

            Control-flow Graph

            APIs
            • RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 01730E7E
            Memory Dump Source
            • Source File: 00000000.00000002.3751709172.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1730000_Server.jbxd
            Similarity
            • API ID: QueryValue
            • String ID:
            • API String ID: 3660427363-0
            • Opcode ID: aa700aad644fd0abdd433871bed3426c7aef0f82e651c997c8fb1d8cf7dc64c9
            • Instruction ID: c0b9c4014d291e859d0c85e1a08c7bc5c48be4c9d37adac09264c9f1575f86c2
            • Opcode Fuzzy Hash: aa700aad644fd0abdd433871bed3426c7aef0f82e651c997c8fb1d8cf7dc64c9
            • Instruction Fuzzy Hash: F0316D6510E3C06FD3138B258C65A61BFB4EF87610B0E45CBE8C49F6A3D6296919C7B2

            Control-flow Graph

            APIs
            • RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 014DB291
            Memory Dump Source
            • Source File: 00000000.00000002.3751200947.00000000014DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DA000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_14da000_Server.jbxd
            Similarity
            • API ID: Open
            • String ID:
            • API String ID: 71445658-0
            • Opcode ID: e761ab240f49061189beede00e9ab045f436693617ef574a995d84effa4ee8f2
            • Instruction ID: 372eccd25d0c6d98a9ebfdbb026db69385a8d45d19083f355a440e206c2adacc
            • Opcode Fuzzy Hash: e761ab240f49061189beede00e9ab045f436693617ef574a995d84effa4ee8f2
            • Instruction Fuzzy Hash: 623184725093846FD7228B65DC55FABBFB8EF06210F08849BE984DB663D364A40DC771

            Control-flow Graph

            APIs
            • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 014DAB25
            Memory Dump Source
            • Source File: 00000000.00000002.3751200947.00000000014DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DA000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_14da000_Server.jbxd
            Similarity
            • API ID: CreateFile
            • String ID:
            • API String ID: 823142352-0
            • Opcode ID: cb20efd358b526cbec0fbc9195497523322c96ef1dff2c9b13f44d0ad11ad505
            • Instruction ID: 6299c56cff2d63daadc20cf4d3b8b52fe7b3fc5fbd759da3a4f7f71f53ae7b34
            • Opcode Fuzzy Hash: cb20efd358b526cbec0fbc9195497523322c96ef1dff2c9b13f44d0ad11ad505
            • Instruction Fuzzy Hash: 6A316071505380AFE722CF65DC85F56BFF8EF05210F08889EE9858B662D375E809CB61

            Control-flow Graph

            APIs
            • RegQueryValueExW.KERNELBASE(?,00000E24,AC92A64E,00000000,00000000,00000000,00000000), ref: 014DB394
            Memory Dump Source
            • Source File: 00000000.00000002.3751200947.00000000014DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DA000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_14da000_Server.jbxd
            Similarity
            • API ID: QueryValue
            • String ID:
            • API String ID: 3660427363-0
            • Opcode ID: fc1f9f70a5106e6b9962ee55a38ec272469a53fcd627d7650d01198852475c6d
            • Instruction ID: 46d9ca030b659a9bee7db55689e1227a58da4724a196fee2e5a84978c18ee06b
            • Opcode Fuzzy Hash: fc1f9f70a5106e6b9962ee55a38ec272469a53fcd627d7650d01198852475c6d
            • Instruction Fuzzy Hash: 9131A1765053806FEB22CB65CC44F97BFE8EF06214F09849AE9858B263D664E54CCB61

            Control-flow Graph

            APIs
            • CreateMutexW.KERNELBASE(?,?), ref: 014DB0DD
            Memory Dump Source
            • Source File: 00000000.00000002.3751200947.00000000014DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DA000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_14da000_Server.jbxd
            Similarity
            • API ID: CreateMutex
            • String ID:
            • API String ID: 1964310414-0
            • Opcode ID: ea7134c3ddc550b54377d7f46707165485182a49f41aeeb16b271223610749ea
            • Instruction ID: efc4fa48c643a517e7eaf97a5096fc53a47429cf33f39dcd8f338d0230e74c4c
            • Instruction Fuzzy Hash: 103193B55093805FE712CB25DC55B96BFF8EF06210F09849BE984CB293D375E908CB62

            Control-flow Graph (basic blocks 17312d0-17313c3, call to ConvertStringSecurityDescriptorToSecurityDescriptorW; rendered graph not recoverable)
            APIs
            • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 01731367
            Memory Dump Source
            • Source File: 00000000.00000002.3751709172.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1730000_Server.jbxd
            Similarity
            • API ID: DescriptorSecurity$ConvertString
            • String ID:
            • API String ID: 3907675253-0
            • Opcode ID: 5c1c66bb69954541143132fbbc6a46e611e15c8166c395663f82192da902e6c8
            • Instruction ID: f86bbbae0158c98db8249f7c884d52511a1805607531f66a18fb88c265785ddc
            • Instruction Fuzzy Hash: BC317372504384AFE721CF65DC45FA7FFE8EF45610F0884AAE944DB652D364E809CB61

            Control-flow Graph (basic blocks 17319d4-1731ac2, call to GetProcessTimes; rendered graph not recoverable)
            APIs
            • GetProcessTimes.KERNELBASE(?,00000E24,AC92A64E,00000000,00000000,00000000,00000000), ref: 01731A71
            Memory Dump Source
            • Source File: 00000000.00000002.3751709172.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1730000_Server.jbxd
            Similarity
            • API ID: ProcessTimes
            • String ID:
            • API String ID: 1995159646-0
            • Opcode ID: 1b3875ba9912cbd7a351a7640b2c76f4c80c7becc08051a74bb436874a6c5a84
            • Instruction ID: f4eadf9e0441d5639d165b072496214c622c5c306bec78e46afdab1998c1f886
            • Instruction Fuzzy Hash: 682106725057806FD712CF50DC45B96BFB8EF46310F08849BE984CB193D324A909CB75

            Control-flow Graph (basic blocks 1731e2a-1731f0b, call to FormatMessageW; rendered graph not recoverable)
            APIs
            • FormatMessageW.KERNELBASE(?,00000E24,?,?), ref: 01731EDA
            Memory Dump Source
            • Source File: 00000000.00000002.3751709172.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1730000_Server.jbxd
            Similarity
            • API ID: FormatMessage
            • String ID:
            • API String ID: 1306739567-0
            • Opcode ID: 446facb16f242ba82349ee7d532ce55233a495e39ec0a8374719445db794af27
            • Instruction ID: e84ab98de13dd5a895cdd95a4939b15e818ced99f1a183f171fc881d446bbae0
            • Instruction Fuzzy Hash: BB318F7154D3C45FD3138B658C65B66BFB4EF87610F0A80DBD884CF2A3D6246919C7A2

            Control-flow Graph (basic blocks 14da6ce-14da7a2, call to OleGetClipboard; rendered graph not recoverable)
            APIs
            • OleGetClipboard.OLE32(?,00000E24,?,?), ref: 014DA77E
            Memory Dump Source
            • Source File: 00000000.00000002.3751200947.00000000014DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DA000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_14da000_Server.jbxd
            Similarity
            • API ID: Clipboard
            • String ID:
            • API String ID: 220874293-0
            • Opcode ID: ab389fe276b00c942dcbf0df013bbc3e3622c2bf6db4d487f9577c7d562f17e9
            • Instruction ID: 6e5fc7ddbb56c2913bb317f639305a18a17387ea58910ccb87c8d2c2d2b9117b
            • Instruction Fuzzy Hash: 2231717514D3C06FD3138B259C61B61BFB4EF87610F0A40DBD884CB6A3D2256819D772

            Control-flow Graph (basic blocks 1731c7a-1731d75, call to getaddrinfo; rendered graph not recoverable)
            APIs
            • getaddrinfo.WS2_32(?,00000E24), ref: 01731D1F
            Memory Dump Source
            • Source File: 00000000.00000002.3751709172.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1730000_Server.jbxd
            Similarity
            • API ID: getaddrinfo
            • String ID:
            • API String ID: 300660673-0
            • Opcode ID: 3326737bf503638de7e521075047aeaa08da45fce5268d97d820c415b8e5ae24
            • Instruction ID: fc0ce0c31184ebf219575a2ca744904e7fa091995f08145ef49e0ebc28d2758a
            • Instruction Fuzzy Hash: A821D371100200AEFB21DF60DC45FAAFBACEF44714F04885AFA499A681D775A54C8B75
            APIs
            • SendMessageTimeoutA.USER32(?,00000E24), ref: 014DB571
            Memory Dump Source
            • Source File: 00000000.00000002.3751200947.00000000014DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DA000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_14da000_Server.jbxd
            Similarity
            • API ID: MessageSendTimeout
            • String ID:
            • API String ID: 1599653421-0
            • Opcode ID: 5712f7802cf91ee18c7622cd2ff6dce9bc46c34b4dc30a6f5ad878e0e4f9ce1a
            • Instruction ID: 81d686ee03ca698ad3f50f03f2f570e042b4072cfd93115fe981c4c57aab3941
            • Instruction Fuzzy Hash: 7621F672104780AFEB228F51DC54FA7FFB8EF46310F08849AF9858B662D375A418CB65
            APIs
            • WriteFile.KERNELBASE(?,00000E24,AC92A64E,00000000,00000000,00000000,00000000), ref: 014DAF0D
            Memory Dump Source
            • Source File: 00000000.00000002.3751200947.00000000014DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DA000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_14da000_Server.jbxd
            Similarity
            • API ID: FileWrite
            • String ID:
            • API String ID: 3934441357-0
            • Opcode ID: aaf99aff9f6b7124881f933555c0dd3222d2f99511926fe40d9313e06ef578b7
            • Instruction ID: 942360c395a188486068d3109a0dcdad770f8f25c05b94921d6b67a90dd198ed
            • Instruction Fuzzy Hash: 6D2191B2409380AFDB22CB51DD44F96BFB8EF46314F0984DBE9849B1A3D274A50CCB65
            APIs
            • RegSetValueExW.KERNELBASE(?,00000E24,AC92A64E,00000000,00000000,00000000,00000000), ref: 014DB480
            Memory Dump Source
            • Source File: 00000000.00000002.3751200947.00000000014DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DA000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_14da000_Server.jbxd
            Similarity
            • API ID: Value
            • String ID:
            • API String ID: 3702945584-0
            • Opcode ID: b60235005febee717772c8d83ca07595e5a75ca7b72ea6c22c174122533dadad
            • Instruction ID: d4686bc2f0d99db973e66f4591d1d3dd61ec409a980e408326a62983f7e6b178
            • Instruction Fuzzy Hash: 5D21AE765047806FDB22CF15DC44FA7BFB8EF46220F08849AE9858B262D264E808CB75
            APIs
            • WSASocketW.WS2_32(?,?,?,?,?), ref: 01730F36
            Memory Dump Source
            • Source File: 00000000.00000002.3751709172.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1730000_Server.jbxd
            Similarity
            • API ID: Socket
            • String ID:
            • API String ID: 38366605-0
            • Opcode ID: 04adeb4b4417c95ec1cd8a32d1cc0c45672e049459a70af1164a73fc51b84a2b
            • Instruction ID: 8b62734308af53794fc1cbdbbfe7c18b5e1441791ae68371bc5a2aef97189d67
            • Instruction Fuzzy Hash: 84218D71509380AFE722CF55DC49F96FFF8EF45220F08889EE9858B652D375A408CB62
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3751709172.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1730000_Server.jbxd
            Similarity
            • API ID: FileView
            • String ID:
            • API String ID: 3314676101-0
            • Opcode ID: c73e7fbd8b7f2ef96355da2ab9b985b1555c17cf512d08cad359e251c5700bd2
            • Instruction ID: e85df837f353f5eca991ff9d218527817d6fe7cecbe8e35941720301fe2e9910
            • Instruction Fuzzy Hash: 7B21AD72505380AFE722CB55CC44F96FBF8EF49224F08849AE9858B292D365A508CB66
            APIs
            • K32EnumProcesses.KERNEL32(?,?,?,AC92A64E,00000000,?,?,?,?,?,?,?,?,6CB53C58), ref: 014DBF66
            Memory Dump Source
            • Source File: 00000000.00000002.3751200947.00000000014DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DA000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_14da000_Server.jbxd
            Similarity
            • API ID: EnumProcesses
            • String ID:
            • API String ID: 84517404-0
            • Opcode ID: 9a51a8149a5f9e5bc08b3cf747eec6f9c61b52af24db434ab09e7243a3187b0a
            • Instruction ID: d3ca77875d2f78ebed1e10962e229ec7d1713b07a3005bfc7d2d1c3b5ff60dbe
            • Instruction Fuzzy Hash: FA216D715093C09FDB138B65DC55A92BFB4EF47210F0E84DBD984CB1A3D2259918CB61
            APIs
            • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 014DAB25
            Memory Dump Source
            • Source File: 00000000.00000002.3751200947.00000000014DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DA000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_14da000_Server.jbxd
            Similarity
            • API ID: CreateFile
            • String ID:
            • API String ID: 823142352-0
            • Opcode ID: 9603e7fc71410ab18bfcc4529cd5dca28bd903ce5502667c0039ebba769c09ee
            • Instruction ID: 71608c39b35060abcbf68550c32d901522636c294cf0797a5016145acfda3f74
            • Instruction Fuzzy Hash: EC219271600240AFEB21CF65DC45F6AFBE8EF04314F18885AEA458B761D775E409CB75
            APIs
            • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 01731367
            Memory Dump Source
            • Source File: 00000000.00000002.3751709172.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1730000_Server.jbxd
            Similarity
            • API ID: DescriptorSecurity$ConvertString
            • String ID:
            • API String ID: 3907675253-0
            • Opcode ID: 97a4ca6284ff180fecb0e3656c47879b84cf6055aaef5470573e1d6fd74c5054
            • Instruction ID: 7c4d610ed74926bdd4ef122cef6354638df821ba51eef73b67ac21703f1b93c1
            • Instruction Fuzzy Hash: 1B21D472600244AFE721DF25DC45FABFBECEF44614F08846AE944DBA52D774E4088A71
            APIs
            • RegQueryValueExW.KERNELBASE(?,00000E24,AC92A64E,00000000,00000000,00000000,00000000), ref: 0173127C
            Memory Dump Source
            • Source File: 00000000.00000002.3751709172.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1730000_Server.jbxd
            Similarity
            • API ID: QueryValue
            • String ID:
            • API String ID: 3660427363-0
            • Opcode ID: f4b9f777cebdbf2b1053efcd368b2f0dd7943447ef71d61be1078e60f6ba34b2
            • Instruction ID: 57e02b355ada1a81958df505dc2bad750fd1f3805762225b10905cfd22ce9e82
            • Instruction Fuzzy Hash: 8F21A3B2508780AFE722CB55CC44F57FFF8AF45310F08849AE945DB292D364E808CB65
            APIs
            • RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 014DB291
            Memory Dump Source
            • Source File: 00000000.00000002.3751200947.00000000014DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DA000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_14da000_Server.jbxd
            Similarity
            • API ID: Open
            • String ID:
            • API String ID: 71445658-0
            • Opcode ID: f9893208331bf1efbc0a67c82cb03f4e9a2bb263fac2776b1071fc40f5e5c08c
            • Instruction ID: db95534b366f3fcdbc2b9314256299de89a08c408c2831f38bfdd8f314755b44
            • Instruction Fuzzy Hash: 2E21F376500204AEEB21CF55DC48FABFBECEF05314F08845AE9458B752D774E40C8AB6
            APIs
            • GetFileType.KERNELBASE(?,00000E24,AC92A64E,00000000,00000000,00000000,00000000), ref: 014DACBD
            Memory Dump Source
            • Source File: 00000000.00000002.3751200947.00000000014DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DA000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_14da000_Server.jbxd
            Similarity
            • API ID: FileType
            • String ID:
            • API String ID: 3081899298-0
            • Opcode ID: 6e2c670b90fbc6d2e9145e78da5c6b9e0e5eae5cb6ba7805d8f2d73982b15430
            • Instruction ID: 240d1d8e568804b25eaeee23e3e187c287505f14ff3ac9415380370f5f98e7b0
            • Instruction Fuzzy Hash: DD21D8B54093C06FE7128B11DC50BA6BFB8DF46724F0880D7E9848B293D264A90DD776
            APIs
            • GetProcessWorkingSetSize.KERNEL32(?,00000E24,AC92A64E,00000000,00000000,00000000,00000000), ref: 01732067
            Memory Dump Source
            • Source File: 00000000.00000002.3751709172.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1730000_Server.jbxd
            Similarity
            • API ID: ProcessSizeWorking
            • String ID:
            • API String ID: 3584180929-0
            • Opcode ID: e450052e65b07f07daff59937c1975e49c71bdc94dc78020b4c11107e3cca348
            • Instruction ID: 4389fb6c059b52ad53edf3c86bf938989b16f17061eca0920c61914ca3e22e02
            • Instruction Fuzzy Hash: 0821C2725043806FD722CB25DC45FABFFA8EF45220F0884AAE944CB252D374A808CB66
            APIs
            • SetProcessWorkingSetSize.KERNEL32(?,00000E24,AC92A64E,00000000,00000000,00000000,00000000), ref: 0173214B
            Memory Dump Source
            • Source File: 00000000.00000002.3751709172.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1730000_Server.jbxd
            Similarity
            • API ID: ProcessSizeWorking
            • String ID:
            • API String ID: 3584180929-0
            • Opcode ID: e450052e65b07f07daff59937c1975e49c71bdc94dc78020b4c11107e3cca348
            • Instruction ID: a3601fc25168c5d6e83980344b1dc265f1de707e747dbcda4cb0046b2795bf36
            • Instruction Fuzzy Hash: 6421D4765043806FD722CF15DC45FABFFA8EF45220F0884ABE944CB252D374A808CBA6
            APIs
            • CreateMutexW.KERNELBASE(?,?), ref: 014DB0DD
            Memory Dump Source
            • Source File: 00000000.00000002.3751200947.00000000014DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DA000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_14da000_Server.jbxd
            Similarity
            • API ID: CreateMutex
            • String ID:
            • API String ID: 1964310414-0
            • Opcode ID: 6812c340dcccb1d0cccd2c1c1e114d04864f0d13d54390c56f7d03ebeafe37f5
            • Instruction ID: a3bf825a6da0a22107ae8dcc0f322371415f24fa6dbab28d2297037db468ba5c
            • Instruction Fuzzy Hash: 3B21C2B16012409FEB21DF25DC45BAAFBE8EF05214F08846AE9458B751D774E408CB76
            APIs
            • GetExitCodeProcess.KERNELBASE(?,00000E24,AC92A64E,00000000,00000000,00000000,00000000), ref: 01731F88
            Memory Dump Source
            • Source File: 00000000.00000002.3751709172.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1730000_Server.jbxd
            Similarity
            • API ID: CodeExitProcess
            • String ID:
            • API String ID: 3861947596-0
            • Opcode ID: e177074418f52314c8e336999b8469320b56c132b9dc3868d6212e8748f53188
            • Instruction ID: ab085764bb19331e994985549ddf867bc3d943156b08c6c5b39352a63e2f1f60
            • Instruction Fuzzy Hash: B721C3725053846FE712CB55DC45FAAFFA8EF45320F0884AAE945CB292D364A908CB65
            APIs
            • SetErrorMode.KERNELBASE(?), ref: 014DAA44
            Memory Dump Source
            • Source File: 00000000.00000002.3751200947.00000000014DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DA000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_14da000_Server.jbxd
            Similarity
            • API ID: ErrorMode
            • String ID:
            • API String ID: 2340568224-0
            • Opcode ID: 55b5420da7707e8fe43005aeeb4ebea56d31412dd6efd5889d9e59e019be8792
            • Instruction ID: 68876bd751d0494d1926d7f7c648a32ab541c353608caf4306871c37161dbe38
            • Instruction Fuzzy Hash: 8A215C6540E7C09FD7138B259D60A52BFB4EF43620F0E81DBD8848F6A3C268580CCB72
            APIs
            • RegQueryValueExW.KERNELBASE(?,00000E24,AC92A64E,00000000,00000000,00000000,00000000), ref: 014DB394
            Memory Dump Source
            • Source File: 00000000.00000002.3751200947.00000000014DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DA000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_14da000_Server.jbxd
            Similarity
            • API ID: QueryValue
            • String ID:
            • API String ID: 3660427363-0
            • Opcode ID: 169a2c52bf136977e95f6c8f3a48846db77f1196e8a7772bb35d08a30327be4b
            • Instruction ID: f56f7c6fe57b2370e80dfe81bf3c46f90c7a9fca1606e3652f25cbbb9225e9d1
            • Instruction Fuzzy Hash: 39219D76600240AEEB21CF55CC44FA7BBE8EF05610F08845AED458B761DB70E808DAB1
            APIs
            • CopyFileW.KERNELBASE(?,?,?), ref: 014DB82A
            Memory Dump Source
            • Source File: 00000000.00000002.3751200947.00000000014DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DA000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_14da000_Server.jbxd
            Similarity
            • API ID: CopyFile
            • String ID:
            • API String ID: 1304948518-0
            • Opcode ID: 541d1dbf56b9e4df011687acddb5c05ad84e511977db8ebba29d01aafc9df760
            • Instruction ID: 729be70b64be38561d83036dcb51211e10949bc3b64a9bd496017feead15767a
            • Instruction Fuzzy Hash: 752181725053809FDB22CF29DC55B93BFE8EF46610F0884DAED85CB262D675E408CB61
            APIs
            • WSASocketW.WS2_32(?,?,?,?,?), ref: 01730F36
            Memory Dump Source
            • Source File: 00000000.00000002.3751709172.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1730000_Server.jbxd
            Similarity
            • API ID: Socket
            • String ID:
            • API String ID: 38366605-0
            • Opcode ID: cb9c4e484bfcd8c38696d130ba391a0754801542a196318dfec33f1b2bfa4667
            • Instruction ID: dee94fbc701bf5b9ad20defcb2f32c11a3412a5b401d8fb23d63455b9e634afa
            • Instruction Fuzzy Hash: 6D21A171500240AFEB21CF55DC45BAAFBE4EF48324F08889EF9858B652D375E418CB76
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3751709172.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1730000_Server.jbxd
            Similarity
            • API ID: FileView
            • String ID:
            • API String ID: 3314676101-0
            • Opcode ID: c3e2618a0ef5144185ec443b2210add70bf3f1d4b512f95967c47313395ece52
            • Instruction ID: f5484c262b801c8084cc84c86aae5e29409d0f0c203f76d2bc6bcbb463e6f69d
            • Instruction Fuzzy Hash: B721F372500240AFE721CF15CC45F9AFBE8EF48324F088499E9468B692D375E40CCB76
            APIs
            • SendMessageTimeoutA.USER32(?,00000E24), ref: 014DB571
            Memory Dump Source
            • Source File: 00000000.00000002.3751200947.00000000014DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DA000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_14da000_Server.jbxd
            Similarity
            • API ID: MessageSendTimeout
            • String ID:
            • API String ID: 1599653421-0
            • Opcode ID: c904bd833b8b5b9fd7d7577ca3344bf93fe3c8352be0132b1ae249cb77e768e7
            • Instruction ID: 56431411fb426bac1514f83cc6555cf9cb63da062f6a182e6489cafa7eb4b541
            • Instruction Fuzzy Hash: 7921E176500600AFEB31CF51DC41FAAFBE8EF04714F08885AEE459A6A1D375E418CBB5
            APIs
            • RegSetValueExW.KERNELBASE(?,00000E24,AC92A64E,00000000,00000000,00000000,00000000), ref: 014DB480
            Memory Dump Source
            • Source File: 00000000.00000002.3751200947.00000000014DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DA000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_14da000_Server.jbxd
            Similarity
            • API ID: Value
            • String ID:
            • API String ID: 3702945584-0
            • Opcode ID: 651a6d8acff959c2b8108e1300a3a464c7b4777cb5ac21ee6aa00f7de2c0d3c6
            • Instruction ID: 7ce3800143766135d177d1f3d250485fa88eb329636cedbc532e572f1c9d0fe7
            • Instruction Fuzzy Hash: C211D376600644AFEB21CF15DC41FA7FBECEF05614F08846AED458A762D774E408CAB5
            APIs
            • RegQueryValueExW.KERNELBASE(?,00000E24,AC92A64E,00000000,00000000,00000000,00000000), ref: 0173127C
            Memory Dump Source
            • Source File: 00000000.00000002.3751709172.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1730000_Server.jbxd
            Similarity
            • API ID: QueryValue
            • String ID:
            • API String ID: 3660427363-0
            • Opcode ID: 06cd8be0f8a9776688498a2e1ab54c13b2935d44b68fabbfd941e54ec6b77ca7
            • Instruction ID: 8e34001a2d2639fad1c311545492c5969a5213116f7d6e6bc9739bc56f537c5a
            • Instruction Fuzzy Hash: 7611B1B6604644AFE721CF15CC84FA7FBE8EF88720F08845AE945CB652D760E408CAB5
            APIs
            • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 014DBAFE
            Memory Dump Source
            • Source File: 00000000.00000002.3751200947.00000000014DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DA000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_14da000_Server.jbxd
            Similarity
            • API ID: LookupPrivilegeValue
            • String ID:
            • API String ID: 3899507212-0
            • Opcode ID: b68cac7fd11c6916286515e495951201aee110b84d6c621f824cfc6d6ee86432
            • Instruction ID: be40b6d80f5f0c7140facbe1fe39f613958e9f54c6c3f18244f0ff7e3447ebcf
            • Instruction Fuzzy Hash: 531151726043809FDB21CF19DC55B53BFE8EF46620F0884AAED85DB752D275E808CB61
            APIs
            • GetProcessTimes.KERNELBASE(?,00000E24,AC92A64E,00000000,00000000,00000000,00000000), ref: 01731A71
            Memory Dump Source
            • Source File: 00000000.00000002.3751709172.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1730000_Server.jbxd
            Similarity
            • API ID: ProcessTimes
            • String ID:
            • API String ID: 1995159646-0
            • Opcode ID: d161cf1a660c4a9daec4b554a2ffc1035719365bbbaf7b4e896f139b73e40e9a
            • Instruction ID: d694648510b5ded18a10c25557cf9f23c9c9333f3677e5188211afa9f1c4b276
            • Instruction Fuzzy Hash: D211E272600240AFEB21CF55DC45FAAFBE8EF44324F08C46AE9458B652D774E508CBB6
            APIs
            • GetProcessWorkingSetSize.KERNEL32(?,00000E24,AC92A64E,00000000,00000000,00000000,00000000), ref: 01732067
            Memory Dump Source
            • Source File: 00000000.00000002.3751709172.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1730000_Server.jbxd
            Similarity
            • API ID: ProcessSizeWorking
            • String ID:
            • API String ID: 3584180929-0
            • Opcode ID: 22c56e7378e0bc47a25c0b5bd84ed8e64ce9ed27f2c780736beb17f76584acb2
            • Instruction ID: 7666ab3467333a2ddb6a5e5a6f9db9a32ffba704bf1dbf72e9dcc9c4ec6cc5a4
            • Instruction Fuzzy Hash: DA11C4766002409FE721CF55DC45BAAF7E8EF44324F08846AED45CB652D774E40CCAB6
            APIs
            • SetProcessWorkingSetSize.KERNEL32(?,00000E24,AC92A64E,00000000,00000000,00000000,00000000), ref: 0173214B
            Memory Dump Source
            • Source File: 00000000.00000002.3751709172.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1730000_Server.jbxd
            Similarity
            • API ID: ProcessSizeWorking
            • String ID:
            • API String ID: 3584180929-0
            • Opcode ID: 22c56e7378e0bc47a25c0b5bd84ed8e64ce9ed27f2c780736beb17f76584acb2
            • Instruction ID: df349bcc4b682cd0752666c5728b45083db841ffc1e2f03f619e8a49f54bd786
            • Instruction Fuzzy Hash: 17110476500240AFE721CF14DD45BABFBE8EF44324F08846AEE05CB652D774A4088AB5
            APIs
            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014DA5DE
            Memory Dump Source
            • Source File: 00000000.00000002.3751200947.00000000014DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DA000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_14da000_Server.jbxd
            Similarity
            • API ID: DuplicateHandle
            • String ID:
            • API String ID: 3793708945-0
            • Opcode ID: 2b75059814da9331e09c240aeaf5a1e63b5841bd08249cf66897a92a4d0dacdb
            • Instruction ID: 4f98e3f9e56cc1e817dcfb57d9ca03155777848cd4b9658ea838932470c663f9
            • Instruction Fuzzy Hash: D6117272409380AFDB228F55DC44A62FFF4EF4A310F0888DAE9858B662D375A418DB61
            APIs
            • GetExitCodeProcess.KERNELBASE(?,00000E24,AC92A64E,00000000,00000000,00000000,00000000), ref: 01731F88
            Memory Dump Source
            • Source File: 00000000.00000002.3751709172.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1730000_Server.jbxd
            Similarity
            • API ID: CodeExitProcess
            • String ID:
            • API String ID: 3861947596-0
            APIs
            • WriteFile.KERNELBASE(?,00000E24,AC92A64E,00000000,00000000,00000000,00000000), ref: 014DAF0D
            Memory Dump Source
            • Source File: 00000000.00000002.3751200947.00000000014DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DA000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_14da000_Server.jbxd
            Similarity
            • API ID: FileWrite
            • String ID:
            • API String ID: 3934441357-0
            APIs
            • DeleteFileW.KERNELBASE(?), ref: 014DB8E4
            Memory Dump Source
            • Source File: 00000000.00000002.3751200947.00000000014DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DA000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_14da000_Server.jbxd
            Similarity
            • API ID: DeleteFile
            • String ID:
            • API String ID: 4033686569-0
            APIs
            • CopyFileW.KERNELBASE(?,?,?), ref: 014DB82A
            Memory Dump Source
            • Source File: 00000000.00000002.3751200947.00000000014DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DA000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_14da000_Server.jbxd
            Similarity
            • API ID: CopyFile
            • String ID:
            • API String ID: 1304948518-0
            APIs
            • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 014DBAFE
            Memory Dump Source
            • Source File: 00000000.00000002.3751200947.00000000014DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DA000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_14da000_Server.jbxd
            Similarity
            • API ID: LookupPrivilegeValue
            • String ID:
            • API String ID: 3899507212-0
            APIs
            • GetFileType.KERNELBASE(?,00000E24,AC92A64E,00000000,00000000,00000000,00000000), ref: 014DACBD
            Memory Dump Source
            • Source File: 00000000.00000002.3751200947.00000000014DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DA000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_14da000_Server.jbxd
            Similarity
            • API ID: FileType
            • String ID:
            • API String ID: 3081899298-0
            APIs
            • K32EnumProcesses.KERNEL32(?,?,?,AC92A64E,00000000,?,?,?,?,?,?,?,?,6CB53C58), ref: 014DBF66
            Memory Dump Source
            • Source File: 00000000.00000002.3751200947.00000000014DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DA000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_14da000_Server.jbxd
            Similarity
            • API ID: EnumProcesses
            • String ID:
            • API String ID: 84517404-0
            APIs
            • DeleteFileW.KERNELBASE(?), ref: 014DB8E4
            Memory Dump Source
            • Source File: 00000000.00000002.3751200947.00000000014DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DA000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_14da000_Server.jbxd
            Similarity
            • API ID: DeleteFile
            • String ID:
            • API String ID: 4033686569-0
            APIs
            • FormatMessageW.KERNELBASE(?,00000E24,?,?), ref: 01731EDA
            Memory Dump Source
            • Source File: 00000000.00000002.3751709172.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1730000_Server.jbxd
            Similarity
            • API ID: FormatMessage
            • String ID:
            • API String ID: 1306739567-0
            APIs
            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014DA5DE
            Memory Dump Source
            • Source File: 00000000.00000002.3751200947.00000000014DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DA000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_14da000_Server.jbxd
            Similarity
            • API ID: DuplicateHandle
            • String ID:
            • API String ID: 3793708945-0
            APIs
            • OleGetClipboard.OLE32(?,00000E24,?,?), ref: 014DA77E
            Memory Dump Source
            • Source File: 00000000.00000002.3751200947.00000000014DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DA000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_14da000_Server.jbxd
            Similarity
            • API ID: Clipboard
            • String ID:
            • API String ID: 220874293-0
            APIs
            • RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 01730E7E
            Memory Dump Source
            • Source File: 00000000.00000002.3751709172.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1730000_Server.jbxd
            Similarity
            • API ID: QueryValue
            • String ID:
            • API String ID: 3660427363-0
            APIs
            • SetErrorMode.KERNELBASE(?), ref: 014DAA44
            Memory Dump Source
            • Source File: 00000000.00000002.3751200947.00000000014DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DA000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_14da000_Server.jbxd
            Similarity
            • API ID: ErrorMode
            • String ID:
            • API String ID: 2340568224-0
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3751977000.0000000001C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 01C70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1c70000_Server.jbxd
            Similarity
            • API ID:
            • String ID: 2"l
            • API String ID: 0-4010171355
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3751977000.0000000001C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 01C70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1c70000_Server.jbxd
            Similarity
            • API ID:
            • String ID: 2"l
            • API String ID: 0-4010171355
            APIs
            • CloseHandle.KERNELBASE(?), ref: 014DABF0
            Memory Dump Source
            • Source File: 00000000.00000002.3751200947.00000000014DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DA000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_14da000_Server.jbxd
            Similarity
            • API ID: CloseHandle
            • String ID:
            • API String ID: 2962429428-0
            APIs
            • CloseHandle.KERNELBASE(?), ref: 014DBD38
            Memory Dump Source
            • Source File: 00000000.00000002.3751200947.00000000014DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DA000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_14da000_Server.jbxd
            Similarity
            • API ID: CloseHandle
            • String ID:
            • API String ID: 2962429428-0
            APIs
            • CloseHandle.KERNELBASE(?), ref: 014DA690
            Memory Dump Source
            • Source File: 00000000.00000002.3751200947.00000000014DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DA000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_14da000_Server.jbxd
            Similarity
            • API ID: CloseHandle
            • String ID:
            • API String ID: 2962429428-0
            APIs
            • CloseHandle.KERNELBASE(?), ref: 014DBD38
            Memory Dump Source
            • Source File: 00000000.00000002.3751200947.00000000014DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DA000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_14da000_Server.jbxd
            Similarity
            • API ID: CloseHandle
            • String ID:
            • API String ID: 2962429428-0
            APIs
            • CloseHandle.KERNELBASE(?), ref: 014DABF0
            Memory Dump Source
            • Source File: 00000000.00000002.3751200947.00000000014DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DA000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_14da000_Server.jbxd
            Similarity
            • API ID: CloseHandle
            • String ID:
            • API String ID: 2962429428-0
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3751417233.0000000001530000.00000040.00000020.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1530000_Server.jbxd
            Similarity
            • API ID:
            • String ID: j
            • API String ID: 0-2137352139
            APIs
            • CloseHandle.KERNELBASE(?), ref: 014DA690
            Memory Dump Source
            • Source File: 00000000.00000002.3751200947.00000000014DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DA000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_14da000_Server.jbxd
            Similarity
            • API ID: CloseHandle
            • String ID:
            • API String ID: 2962429428-0
            Memory Dump Source
            • Source File: 00000000.00000002.3751977000.0000000001C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 01C70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1c70000_Server.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f86a2771b9185f5ab300b35d952cbe8fe2eb197a86ac308e67e77b873257b0ff
            • Instruction ID: 2793cfb3f49248703ee44ea936c8b5c90263a452de123b2c885412cd86605e12
            • Opcode Fuzzy Hash: f86a2771b9185f5ab300b35d952cbe8fe2eb197a86ac308e67e77b873257b0ff
            • Instruction Fuzzy Hash: B6D0A930E0120CEF8700DFA8EC0089DB7F8EB05204B0000AAA80DC7320EE311E00DB91