Edit tour

Windows Analysis Report
0438.pdf.exe

Overview

General Information

Sample name:	0438.pdf.exe renamed because original name is a hash value
Original sample name:	.pdf.exe
Analysis ID:	1543779
MD5:	2d11dba46735af1cb1c0a42e9564e20d
SHA1:	b2e17960c6d080f7aba7df87f57c08b4bc2e7051
SHA256:	e19477a56b247e6cc435fee367abcf6e0c3db21de91ae2514b4a6b1807233c53
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Sigma detected: Suspicious Double Extension File Execution

Connects to many ports of the same IP (likely port scanning)

Enables network access during safeboot for specific services

Enables remote desktop connection

Initial sample is a PE file and has a suspicious name

Uses an obfuscated file name to hide its real file extension (double extension)

Checks for available system drives (often done to infect USB drives)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates or modifies windows services

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

File is packed with WinRar

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Internet Provider seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

PE file contains strange resources

Queries disk information (often used to detect virtual machines)

Queries the installation date of Windows

Queries the product ID of Windows

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Stores files to the Windows start menu directory

Stores large binary data to the registry

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

0438.pdf.exe (PID: 6312 cmdline: "C:\Users\user\Desktop\0438.pdf.exe" MD5: 2D11DBA46735AF1CB1C0A42E9564E20D)

msiexec.exe (PID: 3524 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\pdf.msi" /qn MD5: E5DA170027542E25EDE42FC54C929077)

Acrobat.exe (PID: 2000 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\Doc.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

AcroCEF.exe (PID: 3852 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

AcroCEF.exe (PID: 7372 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2228 --field-trial-handle=1508,i,11782010648643187908,10597558926359828636,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

msiexec.exe (PID: 6240 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

ROMFUSClient.exe (PID: 8160 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /siex /silentinstall MD5: 63D0964168B927D00064AA684E79A300)

ROMServer.exe (PID: 7352 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /siex /silentinstall MD5: F3D74B072B9697CF64B0B8445FDC8128)

ROMFUSClient.exe (PID: 7544 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /firewall MD5: 63D0964168B927D00064AA684E79A300)

ROMServer.exe (PID: 7768 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /firewall MD5: F3D74B072B9697CF64B0B8445FDC8128)

ROMFUSClient.exe (PID: 2132 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /start MD5: 63D0964168B927D00064AA684E79A300)

ROMServer.exe (PID: 764 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /start MD5: F3D74B072B9697CF64B0B8445FDC8128)

svchost.exe (PID: 7200 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

ROMServer.exe (PID: 4488 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" MD5: F3D74B072B9697CF64B0B8445FDC8128)

ROMFUSClient.exe (PID: 7768 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" MD5: 63D0964168B927D00064AA684E79A300)

ROMFUSClient.exe (PID: 2144 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray MD5: 63D0964168B927D00064AA684E79A300)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000000.1814024336.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000009.00000000.1822596622.0000000000401000.00000020.00000001.01000000.0000000C.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
8.0.ROMFUSClient.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
9.0.ROMServer.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious Double Extension File Execution

Source: Process started

Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\0438.pdf.exe", CommandLine: "C:\Users\user\Desktop\0438.pdf.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\0438.pdf.exe, NewProcessName: C:\Users\user\Desktop\0438.pdf.exe, OriginalFileName: C:\Users\user\Desktop\0438.pdf.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Users\user\Desktop\0438.pdf.exe", ProcessId: 6312, ProcessName: 0438.pdf.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 111.90.140.76, DestinationIsIpv6: false, DestinationPort: 465, EventID: 3, Image: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe, Initiated: true, ProcessId: 4488, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 52493

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7200, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\LiteManager Pro - Server\EULA.rtf

Jump to behavior

Source: 0438.pdf.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: 0438.pdf.exe

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665FFB190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF665FFB190
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665FE40BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF665FE40BC
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF66600FCA0 FindFirstFileExA,	0_2_00007FF66600FCA0

Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	File opened: C:\Windows\SysWOW64\wininet.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	File opened: C:\Windows\SysWOW64\winspool.drv
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	File opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984\COMCTL32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	File opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	File opened: C:\Windows\SysWOW64\
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	File opened: C:\Windows\SysWOW64\winmm.dll

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 111.90.140.76 ports 5651,8080,1,465,5,6,80

Enables network access during safeboot for specific services

Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Registry value created: NULL Service

Source: global traffic	TCP traffic: 192.168.2.4:52490 -> 111.90.140.76:5651
Source: global traffic	TCP traffic: 192.168.2.4:52495 -> 65.21.245.7:5555

Source: Joe Sandbox View

ASN Name: SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY

Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.245.7
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.245.7
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.245.7
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.245.7
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.245.7
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.245.7
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.245.7
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.245.7
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.245.7
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.245.7
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.245.7
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.245.7
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.245.7
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.245.7
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.245.7
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.245.7
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76

Source: global traffic

DNS traffic detected: DNS query: x1.i.lencr.org

Source: 0438.pdf.exe, 00000000.00000003.1725051641.000001F1B27BE000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1725051641.000001F1B2780000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr, 5ded59.msi.3.dr, 5ded5c.msi.3.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: svchost.exe, 00000005.00000002.3418433466.00000265D3400000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000005.00000003.1761372145.00000265D3618000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: svchost.exe, 00000005.00000003.1761372145.00000265D3618000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000005.00000003.1761372145.00000265D3618000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000005.00000003.1761372145.00000265D3618000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000005.00000003.1761372145.00000265D364D000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.5.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: ROMFUSClient.exe, 00000008.00000000.1818737515.00000000008E4000.00000002.00000001.01000000.0000000B.sdmp, ROMServer.exe, 00000009.00000000.1825724042.00000000009FE000.00000002.00000001.01000000.0000000C.sdmp, ROMServer.exe, 0000000E.00000002.3584968888.000000000180C000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000011.00000002.3585086886.000000000296C000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000011.00000002.3585086886.000000000286C000.00000004.00001000.00020000.00000000.sdmp, English.lg.3.dr	String found in binary or memory: http://litemanager.com/
Source: ROMServer.exe, 0000000E.00000002.3584968888.0000000001813000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000011.00000002.3585086886.0000000002973000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://litemanager.com/03
Source: ROMServer.exe, 0000000E.00000002.3584968888.000000000180C000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000011.00000002.3585086886.000000000296C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://litemanager.com/1
Source: ROMFUSClient.exe, 00000008.00000000.1818737515.00000000008E4000.00000002.00000001.01000000.0000000B.sdmp, ROMServer.exe, 00000009.00000000.1825724042.00000000009FE000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://litemanager.ru/
Source: ROMServer.exe, 00000009.00000000.1822596622.0000000000401000.00000020.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://litemanager.ru/noip.txtU
Source: 0438.pdf.exe, 00000000.00000003.1725051641.000001F1B27BE000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1725051641.000001F1B2780000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr, 5ded59.msi.3.dr, 5ded5c.msi.3.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: 0438.pdf.exe, 00000000.00000003.1725051641.000001F1B27BE000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1725051641.000001F1B2780000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr, 5ded59.msi.3.dr, 5ded5c.msi.3.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: 0438.pdf.exe, 00000000.00000003.1725051641.000001F1B27BE000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1725051641.000001F1B2780000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr, 5ded59.msi.3.dr, 5ded5c.msi.3.dr	String found in binary or memory: http://s2.symcb.com0
Source: 0438.pdf.exe, 00000000.00000003.1725051641.000001F1B27BE000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1725051641.000001F1B2780000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr, 5ded59.msi.3.dr, 5ded5c.msi.3.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: 0438.pdf.exe, 00000000.00000003.1725051641.000001F1B27BE000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1725051641.000001F1B2780000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr, 5ded59.msi.3.dr, 5ded5c.msi.3.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: 0438.pdf.exe, 00000000.00000003.1725051641.000001F1B27BE000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1725051641.000001F1B2780000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr, 5ded59.msi.3.dr, 5ded5c.msi.3.dr	String found in binary or memory: http://sv.symcd.com0&
Source: 0438.pdf.exe, 00000000.00000003.1725051641.000001F1B27BE000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1725051641.000001F1B2780000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr, 5ded59.msi.3.dr, 5ded5c.msi.3.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: 0438.pdf.exe, 00000000.00000003.1725051641.000001F1B27BE000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1725051641.000001F1B2780000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr, 5ded59.msi.3.dr, 5ded5c.msi.3.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: 0438.pdf.exe, 00000000.00000003.1725051641.000001F1B27BE000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1725051641.000001F1B2780000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr, 5ded59.msi.3.dr, 5ded5c.msi.3.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: ROMFUSClient.exe, 00000008.00000003.1836347325.0000000002807000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000008.00000000.1814024336.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, ROMServer.exe, 00000009.00000000.1822596622.0000000000951000.00000020.00000001.01000000.0000000C.sdmp, ROMServer.exe, 00000009.00000003.1827354006.00000000011C7000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 0000000A.00000003.1849784435.0000000002837000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 0000000B.00000003.1847557448.0000000002A17000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 0000000C.00000003.1891012785.00000000028D7000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 0000000D.00000003.1886219496.0000000001157000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 0000000E.00000002.3584968888.0000000001777000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000010.00000002.3584341571.0000000002897000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000011.00000002.3585086886.00000000028D7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.indyproject.org/
Source: 0438.pdf.exe, 00000000.00000003.1725051641.000001F1B27BE000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1725051641.000001F1B2780000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr, 5ded59.msi.3.dr, 5ded5c.msi.3.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: 0438.pdf.exe, 00000000.00000003.1725051641.000001F1B27BE000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1725051641.000001F1B2780000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr, 5ded59.msi.3.dr, 5ded5c.msi.3.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: 0438.pdf.exe, 00000000.00000003.1725051641.000001F1B27BE000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1725051641.000001F1B2780000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr, 5ded59.msi.3.dr, 5ded5c.msi.3.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: 0438.pdf.exe, 00000000.00000003.1725051641.000001F1B27BE000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1725051641.000001F1B2780000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr, 5ded59.msi.3.dr, 5ded5c.msi.3.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: svchost.exe, 00000005.00000003.1761372145.00000265D36C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: svchost.exe, 00000005.00000003.1761372145.00000265D3656000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: svchost.exe, 00000005.00000003.1761372145.00000265D36C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: svchost.exe, 00000005.00000003.1761372145.00000265D36A3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1761372145.00000265D36E8000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1761372145.00000265D3707000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1761372145.00000265D36C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000005.00000003.1761372145.00000265D36C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: ROMFUSClient.exe, 00000008.00000000.1814024336.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, ROMServer.exe, 00000009.00000000.1822596622.0000000000401000.00000020.00000001.01000000.0000000C.sdmp	String found in binary or memory: https://litemanager.com/romversion.txt
Source: ROMFUSClient.exe, 00000008.00000000.1814024336.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, ROMServer.exe, 00000009.00000000.1822596622.0000000000401000.00000020.00000001.01000000.0000000C.sdmp	String found in binary or memory: https://litemanager.com/soft/pro/ROMServer.zip
Source: svchost.exe, 00000005.00000003.1761372145.00000265D36C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: svchost.exe, 00000005.00000003.1761372145.00000265D3656000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: 0438.pdf.exe

Source: C:\Users\user\Desktop\0438.pdf.exe

Code function: 0_2_00007FF665FDC2F0: CreateFileW,CloseHandle,wcscpy,wcscpy,wcscpy,wcscpy,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF665FDC2F0

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5ded59.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{71FFA475-24D5-44FB-A51F-39B699E3D82C}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF170.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ARPPRODUCTICON.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ROMServer.exe_9D09B2BC25A2414CBD848E2B75898676.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\UNINST_Uninstall_L_78AA5B6662514D94A847D6C603AF0895.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\stop_server_51B516B87C64408FA3C56354EA2277C2.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\config_server_B6BD2967C67B44649764F06ADFFD6458.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5ded5c.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5ded5c.msi	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\5ded5c.msi

Jump to behavior

Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF666000754	0_2_00007FF666000754
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665FDF930	0_2_00007FF665FDF930
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665FE4928	0_2_00007FF665FE4928
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665FF3484	0_2_00007FF665FF3484
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665FEA4AC	0_2_00007FF665FEA4AC
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665FFB190	0_2_00007FF665FFB190
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665FD5E24	0_2_00007FF665FD5E24
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665FFCE88	0_2_00007FF665FFCE88
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665FF1F20	0_2_00007FF665FF1F20
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665FD4840	0_2_00007FF665FD4840
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF66600C838	0_2_00007FF66600C838
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF666012550	0_2_00007FF666012550
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665FD76C0	0_2_00007FF665FD76C0
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665FF53F0	0_2_00007FF665FF53F0
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665FEB534	0_2_00007FF665FEB534
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665FEF180	0_2_00007FF665FEF180
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665FF21D0	0_2_00007FF665FF21D0
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665FE126C	0_2_00007FF665FE126C
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665FD7288	0_2_00007FF665FD7288
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665FDC2F0	0_2_00007FF665FDC2F0
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665FDA310	0_2_00007FF665FDA310
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF666012080	0_2_00007FF666012080
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665FF2D58	0_2_00007FF665FF2D58
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF666000754	0_2_00007FF666000754
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665FF8DF4	0_2_00007FF665FF8DF4
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665FEAF18	0_2_00007FF665FEAF18
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665FE5B60	0_2_00007FF665FE5B60
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665FEBB90	0_2_00007FF665FEBB90
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665FF4B98	0_2_00007FF665FF4B98
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF666008C1C	0_2_00007FF666008C1C
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665FF3964	0_2_00007FF665FF3964
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665FEC96C	0_2_00007FF665FEC96C
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF6660089A0	0_2_00007FF6660089A0
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665FE1A48	0_2_00007FF665FE1A48
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF66600FA94	0_2_00007FF66600FA94
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665FD1AA4	0_2_00007FF665FD1AA4
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665FF2AB0	0_2_00007FF665FF2AB0
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF666015AF8	0_2_00007FF666015AF8

Source: ROMViewer.exe.3.dr	Static PE information: Resource name: RT_VERSION type: Intel ia64 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: ROMServer.exe.3.dr	Static PE information: Resource name: RT_VERSION type: Intel ia64 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: ROMServer.exe0.3.dr	Static PE information: Resource name: RT_VERSION type: Intel ia64 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: ROMServer.exe0.3.dr	Static PE information: Number of sections : 11 > 10
Source: ROMServer.exe.3.dr	Static PE information: Number of sections : 11 > 10
Source: ROMViewer.exe.3.dr	Static PE information: Number of sections : 11 > 10
Source: ROMFUSClient.exe.3.dr	Static PE information: Number of sections : 11 > 10

Source: ROMViewer.exe.3.dr

Static PE information: Resource name: RT_RCDATA type: Delphi compiled form 'TfmEditBinaryValue'

Source: 0438.pdf.exe, 00000000.00000003.1740982799.000001F1AE8CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAcrobat.exe< vs 0438.pdf.exe
Source: 0438.pdf.exe, 00000000.00000003.1725051641.000001F1B2744000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_IsIcoRes.exe< vs 0438.pdf.exe
Source: 0438.pdf.exe, 00000000.00000003.1725051641.000001F1B2744000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSetAllUsers.dll< vs 0438.pdf.exe
Source: 0438.pdf.exe, 00000000.00000003.1725051641.000001F1B2780000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameISRegSvr.dll vs 0438.pdf.exe
Source: 0438.pdf.exe, 00000000.00000003.1725051641.000001F1B27E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_IsIcoRes.exe< vs 0438.pdf.exe
Source: 0438.pdf.exe, 00000000.00000003.1725051641.000001F1B27CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_IsIcoRes.exe< vs 0438.pdf.exe
Source: 0438.pdf.exe, 00000000.00000003.1725051641.000001F1B27D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_IsIcoRes.exe< vs 0438.pdf.exe

Source: classification engine

Classification label: mal68.troj.evad.winEXE@38/76@1/3

Source: C:\Users\user\Desktop\0438.pdf.exe

Code function: 0_2_00007FF665FDB6D8 GetLastError,FormatMessageW,LocalFree,

0_2_00007FF665FDB6D8

Source: C:\Users\user\Desktop\0438.pdf.exe

Code function: 0_2_00007FF665FF8624 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipAlloc,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_00007FF665FF8624

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\LiteManager Pro - Server

Jump to behavior

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.6672

Jump to behavior

Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\ROMFUSLocal
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\ROMFUSTray

Source: C:\Users\user\Desktop\0438.pdf.exe

File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_6153109

Jump to behavior

Source: Yara match	File source: 8.0.ROMFUSClient.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.ROMServer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000000.1814024336.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.1822596622.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe, type: DROPPED

Source: 0438.pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\user\Desktop\0438.pdf.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\0438.pdf.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\0438.pdf.exe

File read: C:\Users\user\Desktop\0438.pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\0438.pdf.exe "C:\Users\user\Desktop\0438.pdf.exe"
Source: C:\Users\user\Desktop\0438.pdf.exe	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\pdf.msi" /qn
Source: C:\Users\user\Desktop\0438.pdf.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\Doc.pdf"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2228 --field-trial-handle=1508,i,11782010648643187908,10597558926359828636,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /siex /silentinstall
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /siex /silentinstall
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /firewall
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /firewall
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /start
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /start
Source: unknown	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe"
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe"
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray
Source: C:\Users\user\Desktop\0438.pdf.exe	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\pdf.msi" /qn	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\Doc.pdf"	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /siex /silentinstall	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /firewall	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /start	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2228 --field-trial-handle=1508,i,11782010648643187908,10597558926359828636,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /siex /silentinstall
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /firewall
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /start
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe"
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray

Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: avicap32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: msacm32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: dsound.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: umpdc.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: security.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: idndl.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: edputil.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: appresolver.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: slc.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: sppc.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: pcacli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: mpr.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: sfc_os.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: avicap32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: avifil32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wsock32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: dsound.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msacm32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: umpdc.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: security.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: avicap32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: msacm32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: dsound.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: umpdc.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: security.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: idndl.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: edputil.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: appresolver.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: slc.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: sppc.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: pcacli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: mpr.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: sfc_os.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: avicap32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: avifil32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wsock32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: dsound.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msacm32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: umpdc.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: security.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: firewallapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: fwbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: sxs.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: avicap32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: msacm32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: dsound.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: umpdc.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: security.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: idndl.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: edputil.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: appresolver.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: slc.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: sppc.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: pcacli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: mpr.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: sfc_os.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: avicap32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: avifil32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wsock32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: dsound.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msacm32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: umpdc.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: security.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: avicap32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: avifil32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wsock32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: dsound.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msacm32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: umpdc.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: security.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: idndl.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msxml6.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iccvid.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msrle32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvidc32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: tsbyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iccvid.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msrle32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvidc32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: tsbyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iccvid.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msrle32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvidc32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: tsbyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iccvid.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msrle32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvidc32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: tsbyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iccvid.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msrle32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvidc32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: tsbyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iccvid.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msrle32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvidc32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: tsbyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iccvid.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msrle32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvidc32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: tsbyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: avicap32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: msacm32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: dsound.dll

Source: C:\Users\user\Desktop\0438.pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Start LM-Server.lnk.3.dr	LNK file: ..\..\..\..\..\..\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
Source: Uninstall LiteManager - Server.lnk.3.dr	LNK file: ..\..\..\..\..\..\Windows\SysWOW64\msiexec.exe
Source: Stop LM-Server.lnk.3.dr	LNK file: ..\..\..\..\..\..\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
Source: Settings for LM-Server.lnk.3.dr	LNK file: ..\..\..\..\..\..\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 0438.pdf.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: 0438.pdf.exe

Static file information: File size 11654747 > 1048576

Source: 0438.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 0438.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 0438.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 0438.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 0438.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 0438.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 0438.pdf.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: 0438.pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: 0438.pdf.exe

Source: 0438.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 0438.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 0438.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 0438.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 0438.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\0438.pdf.exe

File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_6153109

Jump to behavior

Source: 0438.pdf.exe	Static PE information: section name: .didat
Source: 0438.pdf.exe	Static PE information: section name: _RDATA
Source: ROMViewer.exe.3.dr	Static PE information: section name: .didata
Source: ROMFUSClient.exe.3.dr	Static PE information: section name: .didata
Source: ROMwln.dll.3.dr	Static PE information: section name: .didata
Source: ROMServer.exe.3.dr	Static PE information: section name: .didata
Source: HookDrv.dll.3.dr	Static PE information: section name: .didata
Source: ROMServer.exe0.3.dr	Static PE information: section name: .didata

Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF666015166 push rsi; retf		0_2_00007FF666015167
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF666015156 push rsi; retf		0_2_00007FF666015157

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\config_server_B6BD2967C67B44649764F06ADFFD6458.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\stop_server_51B516B87C64408FA3C56354EA2277C2.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\LiteManager Pro - Server\files\ROMServer.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ARPPRODUCTICON.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\LiteManager Pro - Server\HookDrv.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\UNINST_Uninstall_L_78AA5B6662514D94A847D6C603AF0895.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\LiteManager Pro - Server\ROMwln.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\LiteManager Pro - Server\AledensoftIpcServer.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ROMServer.exe_9D09B2BC25A2414CBD848E2B75898676.exe	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\config_server_B6BD2967C67B44649764F06ADFFD6458.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\stop_server_51B516B87C64408FA3C56354EA2277C2.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ARPPRODUCTICON.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\UNINST_Uninstall_L_78AA5B6662514D94A847D6C603AF0895.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ROMServer.exe_9D09B2BC25A2414CBD848E2B75898676.exe	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\LiteManager Pro - Server\EULA.rtf

Jump to behavior

Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\romserver.exe

Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\Start LM-Server.lnk	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\Uninstall LiteManager - Server.lnk	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\Stop LM-Server.lnk	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\Settings for LM-Server.lnk	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: pdf.exe

Static PE information: 0438.pdf.exe

Source: C:\Windows\System32\msiexec.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SYSTEM\LiteManager\v3.4\Server\Parameters NoIPSettings

Jump to behavior

Source: C:\Users\user\Desktop\0438.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Window / User API: threadDelayed 1822
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Window / User API: threadDelayed 8034

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\config_server_B6BD2967C67B44649764F06ADFFD6458.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\stop_server_51B516B87C64408FA3C56354EA2277C2.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LiteManager Pro - Server\files\ROMServer.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ARPPRODUCTICON.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LiteManager Pro - Server\HookDrv.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\UNINST_Uninstall_L_78AA5B6662514D94A847D6C603AF0895.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LiteManager Pro - Server\ROMwln.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LiteManager Pro - Server\AledensoftIpcServer.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ROMServer.exe_9D09B2BC25A2414CBD848E2B75898676.exe	Jump to dropped file

Source: C:\Windows\System32\svchost.exe TID: 7276	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7276	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe TID: 5432	Thread sleep count: 51 > 30
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe TID: 3624	Thread sleep time: -911000s >= -30000s
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe TID: 3624	Thread sleep time: -4017000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Last function: Thread delayed

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665FFB190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF665FFB190
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665FE40BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF665FE40BC
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF66600FCA0 FindFirstFileExA,	0_2_00007FF66600FCA0

Source: C:\Users\user\Desktop\0438.pdf.exe

Code function: 0_2_00007FF6660016A4 VirtualQuery,GetSystemInfo,

0_2_00007FF6660016A4

Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	File opened: C:\Windows\SysWOW64\wininet.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	File opened: C:\Windows\SysWOW64\winspool.drv
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	File opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984\COMCTL32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	File opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	File opened: C:\Windows\SysWOW64\
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	File opened: C:\Windows\SysWOW64\winmm.dll

Source: ROMFUSClient.exe, 0000000C.00000003.1892251046.0000000000C24000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\jv?
Source: svchost.exe, 00000005.00000002.3417826929.00000265CDE2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.3417800181.00000265CDE13000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.3418776273.00000265D345E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: ROMFUSClient.exe, 0000000C.00000003.1892251046.0000000000C24000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Iv
Source: ROMServer.exe, 0000000E.00000002.3583933926.0000000000E58000.00000004.00000020.00020000.00000000.sdmp, ROMFUSClient.exe, 00000010.00000002.3583592685.0000000000AE8000.00000004.00000020.00020000.00000000.sdmp, ROMFUSClient.exe, 00000011.00000002.3583742166.0000000000C58000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\0438.pdf.exe

Code function: 0_2_00007FF6660076D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF6660076D8

Source: C:\Users\user\Desktop\0438.pdf.exe

Code function: 0_2_00007FF666010D20 GetProcessHeap,

0_2_00007FF666010D20

Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process token adjusted: Debug

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /start

Jump to behavior

Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF6660076D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF6660076D8
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF666003354 SetUnhandledExceptionFilter,	0_2_00007FF666003354
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF666002510 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF666002510
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF666003170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF666003170

Source: C:\Users\user\Desktop\0438.pdf.exe

Code function: 0_2_00007FF665FFB190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF665FFB190

Source: C:\Users\user\Desktop\0438.pdf.exe	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\pdf.msi" /qn	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\Doc.pdf"	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /siex /silentinstall
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /firewall
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /start

Source: C:\Users\user\Desktop\0438.pdf.exe

Code function: 0_2_00007FF6660158E0 cpuid

0_2_00007FF6660158E0

Source: C:\Users\user\Desktop\0438.pdf.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_00007FF665FFA2CC

Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\0438.pdf.exe

Code function: 0_2_00007FF666000754 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,OleUninitialize,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF666000754

Source: C:\Users\user\Desktop\0438.pdf.exe

Code function: 0_2_00007FF665FE51A4 GetVersionExW,

0_2_00007FF665FE51A4

Remote Access Functionality

Enables remote desktop connection

Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server AllowRemoteRPC

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	1 Remote Desktop Protocol	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Windows Service	1 DLL Side-Loading	11 Obfuscated Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	1 Windows Service	1 Software Packing	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	11 Process Injection	1 DLL Side-Loading	NTDS	65 System Information Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Registry Run Keys / Startup Folder	1 File Deletion	LSA Secrets	31 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	122 Masquerading	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Modify Registry	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner
C:\Program Files (x86)\LiteManager Pro - Server\AledensoftIpcServer.dll	0%	ReversingLabs
C:\Program Files (x86)\LiteManager Pro - Server\HookDrv.dll	0%	ReversingLabs
C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	3%	ReversingLabs
C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	3%	ReversingLabs
C:\Program Files (x86)\LiteManager Pro - Server\ROMwln.dll	0%	ReversingLabs
C:\Program Files (x86)\LiteManager Pro - Server\files\ROMServer.exe	3%	ReversingLabs
C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe	3%	ReversingLabs
C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ARPPRODUCTICON.exe	0%	ReversingLabs
C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ROMServer.exe_9D09B2BC25A2414CBD848E2B75898676.exe	5%	ReversingLabs
C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\UNINST_Uninstall_L_78AA5B6662514D94A847D6C603AF0895.exe	0%	ReversingLabs
C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\config_server_B6BD2967C67B44649764F06ADFFD6458.exe	5%	ReversingLabs
C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\stop_server_51B516B87C64408FA3C56354EA2277C2.exe	5%	ReversingLabs

Source	Detection	Scanner	Label
https://g.live.com/odclientsettings/Prod.C:	0%	URL Reputation	safe
https://g.live.com/odclientsettings/ProdV2	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96	0%	URL Reputation	safe
http://www.symauth.com/rpa00	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
https://g.live.com/odclientsettings/ProdV2.C:	0%	URL Reputation	safe
http://www.indyproject.org/	0%	URL Reputation	safe
http://www.symauth.com/cps0(	0%	URL Reputation	safe
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
x1.i.lencr.org	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://litemanager.com/1	ROMServer.exe, 0000000E.00000002.3584968888.000000000180C000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000011.00000002.3585086886.000000000296C000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://litemanager.ru/	ROMFUSClient.exe, 00000008.00000000.1818737515.00000000008E4000.00000002.00000001.01000000.0000000B.sdmp, ROMServer.exe, 00000009.00000000.1825724042.00000000009FE000.00000002.00000001.01000000.0000000C.sdmp	false		unknown
https://g.live.com/odclientsettings/Prod.C:	svchost.exe, 00000005.00000003.1761372145.00000265D3656000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr	false	URL Reputation: safe	unknown
https://litemanager.com/soft/pro/ROMServer.zip	ROMFUSClient.exe, 00000008.00000000.1814024336.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, ROMServer.exe, 00000009.00000000.1822596622.0000000000401000.00000020.00000001.01000000.0000000C.sdmp	false		unknown
http://litemanager.com/03	ROMServer.exe, 0000000E.00000002.3584968888.0000000001813000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000011.00000002.3585086886.0000000002973000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://g.live.com/odclientsettings/ProdV2	svchost.exe, 00000005.00000003.1761372145.00000265D36C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr	false	URL Reputation: safe	unknown
https://litemanager.com/romversion.txt	ROMFUSClient.exe, 00000008.00000000.1814024336.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, ROMServer.exe, 00000009.00000000.1822596622.0000000000401000.00000020.00000001.01000000.0000000C.sdmp	false		unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	0438.pdf.exe, 00000000.00000003.1725051641.000001F1B27BE000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1725051641.000001F1B2780000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr, 5ded59.msi.3.dr, 5ded5c.msi.3.dr	false	URL Reputation: safe	unknown
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96	svchost.exe, 00000005.00000003.1761372145.00000265D36C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.symauth.com/rpa00	0438.pdf.exe, 00000000.00000003.1725051641.000001F1B27BE000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1725051641.000001F1B2780000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr, 5ded59.msi.3.dr, 5ded5c.msi.3.dr	false	URL Reputation: safe	unknown
http://ocsp.thawte.com0	0438.pdf.exe, 00000000.00000003.1725051641.000001F1B27BE000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1725051641.000001F1B2780000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr, 5ded59.msi.3.dr, 5ded5c.msi.3.dr	false	URL Reputation: safe	unknown
http://litemanager.ru/noip.txtU	ROMServer.exe, 00000009.00000000.1822596622.0000000000401000.00000020.00000001.01000000.0000000C.sdmp	false		unknown
http://crl.ver)	svchost.exe, 00000005.00000002.3418433466.00000265D3400000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://g.live.com/odclientsettings/ProdV2.C:	svchost.exe, 00000005.00000003.1761372145.00000265D36A3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1761372145.00000265D36E8000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1761372145.00000265D3707000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1761372145.00000265D36C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr	false	URL Reputation: safe	unknown
http://litemanager.com/	ROMFUSClient.exe, 00000008.00000000.1818737515.00000000008E4000.00000002.00000001.01000000.0000000B.sdmp, ROMServer.exe, 00000009.00000000.1825724042.00000000009FE000.00000002.00000001.01000000.0000000C.sdmp, ROMServer.exe, 0000000E.00000002.3584968888.000000000180C000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000011.00000002.3585086886.000000000296C000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000011.00000002.3585086886.000000000286C000.00000004.00001000.00020000.00000000.sdmp, English.lg.3.dr	false		unknown
http://www.indyproject.org/	ROMFUSClient.exe, 00000008.00000003.1836347325.0000000002807000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000008.00000000.1814024336.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, ROMServer.exe, 00000009.00000000.1822596622.0000000000951000.00000020.00000001.01000000.0000000C.sdmp, ROMServer.exe, 00000009.00000003.1827354006.00000000011C7000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 0000000A.00000003.1849784435.0000000002837000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 0000000B.00000003.1847557448.0000000002A17000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 0000000C.00000003.1891012785.00000000028D7000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 0000000D.00000003.1886219496.0000000001157000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 0000000E.00000002.3584968888.0000000001777000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000010.00000002.3584341571.0000000002897000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000011.00000002.3585086886.00000000028D7000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.symauth.com/cps0(	0438.pdf.exe, 00000000.00000003.1725051641.000001F1B27BE000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1725051641.000001F1B2780000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr, 5ded59.msi.3.dr, 5ded5c.msi.3.dr	false	URL Reputation: safe	unknown
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	svchost.exe, 00000005.00000003.1761372145.00000265D36C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
111.90.140.76	unknown	Malaysia		45839	SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY	true
65.21.245.7	unknown	United States		199592	CP-ASDE	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1543779
Start date and time:	2024-10-28 13:02:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	0438.pdf.exe renamed because original name is a hash value
Original Sample Name:	.pdf.exe
Detection:	MAL
Classification:	mal68.troj.evad.winEXE@38/76@1/3
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 69 Number of non-executed functions: 93
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 184.28.88.176, 2.19.126.149, 2.19.126.143, 34.193.227.236, 54.144.73.197, 18.207.85.246, 107.22.247.231, 172.64.41.3, 162.159.61.3, 184.28.90.27, 2.23.197.184, 93.184.221.240, 95.101.148.135, 95.101.54.240, 2.16.202.97, 95.101.54.242, 95.101.54.233, 2.16.202.67, 2.16.202.83, 95.101.54.243, 95.101.54.241, 2.16.202.66, 2.16.202.16, 2.16.164.11, 2.16.164.96, 2.16.164.64, 2.16.164.19, 2.16.164.59, 2.16.164.115, 2.16.164.75, 2.16.164.91, 2.16.202.107, 2.16.164.35, 2.16.164.50, 2.16.164.112, 95.101.54.219, 2.16.202.98, 2.16.164.114, 2.16.164.107, 2.22.242.11, 2.22.242.123
Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, e8652.dscx.akamaiedge.net, slscr.update.microsoft.com, e4578.dscb.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, acroipm2.adobe.com, wu.azureedge.net, d.8.0.a.e.e.f.b.0.0.0.0.0.0.0.0.5.0.0.0.0.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa, ocsp.digicert.com, ssl-delivery.adobe.com.edgekey.net, a122.dscd.akamai.net, e16604.g.akamaiedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net, fs.microsoft.com, otelrules.azureedge.net, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, ctldl.windowsupdate.com, p13n.adobe.io, fe3cr.delivery.mp.microsoft.com, ssl.adobe.com.edgekey.net, armmf.adobe.com, geo2.adobe.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 0438.pdf.exe

Simulations

Behavior and APIs

Time	Type	Description
08:03:50	API Interceptor	296356x Sleep call for process: ROMFUSClient.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
65.21.245.7	044f.pdf.scr	Get hash	malicious	RMSRemoteAdmin	Browse
	3e#U043c.scr	Get hash	malicious	RMSRemoteAdmin	Browse
	3e#U043c.scr	Get hash	malicious	RMSRemoteAdmin	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY	b.cmd	Get hash	malicious	Unknown	Browse	101.99.92.203
	rrwzOU7A9F.exe	Get hash	malicious	XWorm	Browse	101.99.92.203
	3xlcP3DFLm.exe	Get hash	malicious	XWorm	Browse	101.99.92.203
	JruZmEO5Dm.exe	Get hash	malicious	XWorm	Browse	101.99.92.203
	zVlbADkNqu.exe	Get hash	malicious	XWorm	Browse	101.99.92.203
	vqUuq8t2Uc.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	101.99.92.203
	pXJ9iQvcQa.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	101.99.92.203
	https://app.adjust.com/mr11ui?fallback=https://abcshopbd.com/#amVmZi5kaXhvbiRhdXN0YWx1c2EuY29t	Get hash	malicious	HTMLPhisher	Browse	111.90.141.53
	Transferencias6231.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	101.99.94.195
CP-ASDE	iQPxJrxxaj.exe	Get hash	malicious	PikaBot	Browse	65.20.66.218
	iQPxJrxxaj.exe	Get hash	malicious	PikaBot	Browse	65.20.66.218
	http://www.thegioimoicau.com/	Get hash	malicious	Unknown	Browse	65.21.45.74
	Bill Of Lading_MEDUVB935991.pdf.exe	Get hash	malicious	FormBook	Browse	65.21.196.90
	arm.elf	Get hash	malicious	Unknown	Browse	65.21.50.224
	P1 BOL.exe	Get hash	malicious	Unknown	Browse	65.21.196.90
	Doc 784-01965670.exe	Get hash	malicious	FormBook	Browse	65.21.196.90
	TT Swift copy1.exe	Get hash	malicious	FormBook	Browse	65.21.196.90
	BL.exe	Get hash	malicious	FormBook	Browse	65.21.196.90

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	25210
Entropy (8bit):	5.138821896481996
Encrypted:	false
SSDEEP:	384:xS75t8t+CqZ+oNbynfBytjj3IhdgdVOVv:xS1t8t+CqZ+oNbynfEtIh+jMv
MD5:	2B6769811297D38734C1FC542BB6A21C
SHA1:	DF9A153AC9D2CB14607588C4ABEBC998511A400F
SHA-256:	605453A43D08B46E5CB1F19767DAF7D57BE8745C0E84BD2C30B15531682F38EF
SHA-512:	398EACB0E6AE28D6B8A1F0FE474F510F36BBC683D211C8C04527F368F2EA82F79465ACC4E2000EE494ABEF82EF1D57BF862204FC143D243753B4125C46D7E506
Malicious:	false
Preview:	...@IXOS.@.....@c@\Y.@.....@.....@.....@.....@.....@......&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}..LiteManager Pro - Server..pdf.msi.@.....@.....@.....@......ARPPRODUCTICON.exe..&.{9EF586E9-112B-4AAE-B439-5B62B7A0B1DE}.....@.....@.....@.....@.......@.....@.....@.......@......LiteManager Pro - Server......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{3244CDE6-6414-4399-B0D5-424562747210}&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}.@......&.{4D4D18AA-F74D-4291-B5A9-93C3CC48B75F}&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}.@......&.{641F154A-FEEF-4FA7-B5BF-414DB1DB8390}&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}.@......&.{26EAB54E-4659-47E8-86F9-4CB74F7E03BE}&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}.@......&.{596F4636-5D51-49F5-B3B4-F3C366E9DC23}&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}.@......&.{596F4636-5D51-49F5-B3B4-F3C366E9DC23}&.{00000000-0000-0000-0000-000000000000}.@......&.{A3DC5A2F-2249-4674-B

C:\Program Files (x86)\LiteManager Pro - Server\AledensoftIpcServer.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	132032
Entropy (8bit):	6.10195829980833
Encrypted:	false
SSDEEP:	3072:sh/1J7RYdzZU4Z5tegH1q888888888888W888888888882zgP:sh/jIZPZ5tJ8888888888888W888888s
MD5:	C40455A478E0B76521130D9DAAAADC4B
SHA1:	42DE923D5E36A9F56B002DD66DB245BC44480089
SHA-256:	308085BC357BF3A3BEE0D662FCC01628E9EE2FFD478AE0F1E7140939AD99B892
SHA-512:	76ED6D763F603BCAA7FE186C0A7449E614DCDB18036F7587C6E5A11C3F3269E400E3D2062856CC280AC20C094617924783B6C360F25AF66767DCC53C2F3045C9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....xK............................p........ ..........................................................................\.......\...............................x#...................................................................................text...$........................... ..`.itext.............................. ..`.data...0.... ......................@....bss....xN...@...........................idata..\...........................@....edata..\............&..............@..@.reloc..x#.......$...(..............@..B.rsrc................L..............@..@....................................@..@........................................................................................................................................

C:\Program Files (x86)\LiteManager Pro - Server\EULA.rtf

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1251, default language ID 1049
Category:	dropped
Size (bytes):	58679
Entropy (8bit):	4.738446173390891
Encrypted:	false
SSDEEP:	768:bkJC7UF9eVWSlBY8Aq9CBGDtD8gX1ZDCZjewbAsCw1vPDQuJPQzusxxeCNHnPPsT:htwqueMZYU
MD5:	BAED4E7AF33F77350D454B69317EE63B
SHA1:	2B598774F0C73850A36117F29EA8DAC57BE1C138
SHA-256:	671D65183C39E53FC1759C45B105A0FBE2D3A216E4099B66D5FCF274EA625E07
SHA-512:	E740997BDECB8F907A000D01BF3E823898A1289D1DBFAE5BF342D4BCB6FF09D258317955F4FD858FF6B239E5BA08E49E90CDEC06E24DABDB18C1CF2D8943590C
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1251\uc1\deff0\stshfdbch0\stshfloch37\stshfhich37\stshfbi37\deflang1049\deflangfe1049{\fonttbl{\f0\froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman{\\falt Times New Roman};}..{\f1\fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}{\f2\fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}..{\f10\fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}{\f37\fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}{\f211\froman\fcharset0\fprq2 Times New Roman{\\falt Times New Roman};}..{\f209\froman\fcharset238\fprq2 Times New Roman CE{\\falt Times New Roman};}{\f212\froman\fcharset161\fprq2 Times New Roman Greek{\\falt Times New Roman};}{\f213\froman\fcharset162\fprq2 Times New Roman Tur{\\falt Times New Roman};}..{\f214\froman\fcharset177\fprq2 Times New Roman (Hebrew){\\falt Times New Roman};}{\f215\froman\fcharset178\fprq2 Time

C:\Program Files (x86)\LiteManager Pro - Server\English.lg

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	89220
Entropy (8bit):	3.469297258214741
Encrypted:	false
SSDEEP:	768:YvozCzKUNNfMnuQhgdXT0Z2BPshK+4aCWpQJ3OEInKDcbztlXnpQbbMv3PI:Yvoz4TXTI2pQCWOJvgXnpQbS3PI
MD5:	B1C96EF24061BF294CAC6C4C9CBF7757
SHA1:	5D1B1934091E257B5F1C69B13F5FC1E424348584
SHA-256:	20DB884523DA62C20F80B8A3BB71E11091B90A443B83C06D8FE2A1BBC00C1C33
SHA-512:	6E90562FD804F91DDADEF2310551063D34B859FF1CC6E58A41667E9CDA062DCA851C8455882EF47CF3E1A8EC21EBD9F0761F15E54174CC4A95427238CB39BA14
Malicious:	false
Preview:	..[._.s.y.s.t.e.m.].....l.a.n.g.u.a.g.e._.i.d.=.1.0.3.3.........[._.m.e.s.s.a.g.e.s.].....w.e.b._.s.i.t.e. .=. .h.t.t.p.:././.l.i.t.e.m.a.n.a.g.e.r...c.o.m./.....q.u.e.s.t.i.o.n. .=. .Q.u.e.s.t.i.o.n.....e.r.r.o.r. .=. .E.r.r.o.r.....i.n.f.o.r.m.a.t.i.o.n. .=. .I.n.f.o.r.m.a.t.i.o.n.....n.o.t.i.f.i.c.a.t.i.o.n. .=. .N.o.t.i.f.i.c.a.t.i.o.n.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.r.e.a.d._.c.o.n.f.i.g.u.r.a.t.i.o.n. .=. .C.a.n. .n.o.t. .r.e.a.d. .s.e.r.v.i.c.e. .c.o.n.f.i.g.u.r.a.t.i.o.n...\.n.;.R.e.i.n.s.t.a.l.l. .L.i.t.e.M.a.n.a.g.e.r. .s.e.r.v.i.c.e.?.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e. .=. .C.a.n. .n.o.t. .s.e.t. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r. .s.e.r.v.i.c.e. .s.t.a.r.t.u.p. .m.o.d.e.......f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e._.r.e.s.t.a.r.t. .=. .C.a.n. .n.o.t. .s.e.t. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r. .s.e.r.v.i.c.e. .s.t.a.r.t.u.p. .m.o.d.e...\.n.;.R.e.b.o.o.t. .s.y.s.t.e.m.,. .p.l.e.a.s.e.......

C:\Program Files (x86)\LiteManager Pro - Server\HookDrv.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	201728
Entropy (8bit):	6.3607488106285075
Encrypted:	false
SSDEEP:	3072:rmqdVRkbN1G3OKtVLqKc3IuQquARCASmShKJ:rmyTmNw3zqKcFLRs
MD5:	1D4F8CFC7BBF374CCC3AAE6045B2133D
SHA1:	802EDF0B0ED1D0305BCD6688EE3301366FEC1337
SHA-256:	C04885562F17BAEEFBCD2D4FC29F054EB8A66C44BD015750498C69A912D94C1F
SHA-512:	68643A30FEA87B2B61AF546F42BF32A25459152C1BCCE5A8A881714139CE828DFE4237874FF1E9CC3B78D6CDBEF7DD45C9F3459C3337D83693C704C274AFFF3E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...\|..[.................\...........v............@.................................................................. ...................@...................@...G..................................................$................................text....S.......T.................. ..`.itext..D....p.......X.............. ..`.data...<............`..............@....bss....<Y...............................idata...............z..............@....didata.............................@....edata....... ......................@..@.rdata..E....0......................@..@.reloc...G...@...H..................@..B.rsrc....@.......@..................@..@....................................@..@........................................................

C:\Program Files (x86)\LiteManager Pro - Server\Lang\Taiwan.lg

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	61034
Entropy (8bit):	4.429529654892776
Encrypted:	false
SSDEEP:	768:nebbtdP4XFsh6HWiIZTYp7JtMLG54ttg2kGPyWtvQTznCKDMlV2f:ne3KOhTTocL8HnMlV2f
MD5:	7303B5AE0B8911CEB238DC01419695BE
SHA1:	22B89BDB8FAEC62BA3E66639E38E6271B593944A
SHA-256:	88155FB3F0E198AA4A24F9CFECBB83C5A4E081C6EA362BC50294410CB2FB5C50
SHA-512:	8AE802616AF60BAF214E254F6A55D312DC46B6E3F8BEE5F50E30E372FF38103776278B5FB07A562C2149EEA58107CB427A03B1629F72044AB69D3507E5DFAB15
Malicious:	false
Preview:	[._.s.y.s.t.e.m.].....l.a.n.g.u.a.g.e._.i.d.=.1.0.2.8.........[._.m.e.s.s.a.g.e.s.].....w.e.b._.s.i.t.e. .=. .h.t.t.p.:././.l.i.t.e.m.a.n.a.g.e.r...c.o.m./.....q.u.e.s.t.i.o.n. .=. .OUL.....e.r.r.o.r. .=. ./.......i.n.f.o.r.m.a.t.i.o.n. .=. ........n.o.t.i.f.i.c.a.t.i.o.n. .=. ....w....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.r.e.a.d._.c.o.n.f.i.g.u.r.a.t.i.o.n. .=. .!q.l...S.g.RD}Ka.0\.n.;...e.[. .L.i.t.e.M.a.n.a.g.e.r. ..g.R?.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e. .=. .!q.l-..[ .L.i.t.e.M.a.n.a.g.e.r. .:O.ghV.g.R_U.R!j._.0....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e._.r.e.s.t.a.r.t. .=. .!q.l-..[ .L.i.t.e.M.a.n.a.g.e.r. .:O.ghV.g.R_U.R!j._.0\.n.;....e.._j.\|q}.0....f.m._.s.e.t.t.i.n.g.s._.r.e.s.t.a.r.t._.s.e.r.v.i.c.e._.t.o._.a.p.p.l.y. .=. ....e_U.R .L.M. .:O.ghV.a(u.z._.NWY(u...f.0....f.m._.s.e.c.u.r.i.t.y._.f.o.r.c.e._.g.u.e.s.t. .=. .7_6R.O.(Wdk.\|q}.N-..[.....asTW.@b.g.}..O(u.....S.g.O.X[.S.kP..0 .!q.l.O(u.07_

C:\Program Files (x86)\LiteManager Pro - Server\Lang\Turkish.lg

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	58794
Entropy (8bit):	3.642324420313977
Encrypted:	false
SSDEEP:	768:D+XPobz4qFlRiiXc0HwgHSSxnrKT7nke7GShFBy/x97fuTLY57aC7I/Fj:yPQMw1ZOT7kef1y/X7fuTq4j
MD5:	606DC375E898D7221CCB7CEB8F7C686B
SHA1:	26DCF93876C89283623B8150C1B79EDB24B6A7EC
SHA-256:	F442E440580EA35040E35BF1D85A118E7C182FDE0B9BA2A3C1816DEAB5F822BB
SHA-512:	9FBC42165B51A2020D2DA2FFE33287A4F3AA33639126813B290D329D47C4F4DA8F297A47AF3C1F63AF6F9E1BA47ACE840BC1660D603E17589E5DB6DDA0E1E5B1
Malicious:	false
Preview:	..[._.s.y.s.t.e.m.].....l.a.n.g.u.a.g.e._.i.d.=.1.0.5.5.........[._.m.e.s.s.a.g.e.s.].....w.e.b._.s.i.t.e. .=. .h.t.t.p.:././.l.i.t.e.m.a.n.a.g.e.r...c.o.m./.....q.u.e.s.t.i.o.n. .=. .S.o.r.u.....e.r.r.o.r. .=. .H.a.t.a.....i.n.f.o.r.m.a.t.i.o.n. .=. .B.i.l.g.i.....n.o.t.i.f.i.c.a.t.i.o.n. .=. .B.i.l.d.i.r.i.m.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.r.e.a.d._.c.o.n.f.i.g.u.r.a.t.i.o.n. .=. .H.i.z.m.e.t. .y.a.p.1.l.a.n.d.1.r.m.a.s.1. .o.k.u.n.a.m.1.y.o.r...\.n.;.L.i.t.e.M.a.n.a.g.e.r. .h.i.z.m.e.t.i.n.i. .y.e.n.i.d.e.n. .y...k.l.e.m.e.k. .m.i. .i.s.t.i.y.o.r.s.u.n.u.z.?.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e. .=. .L.i.t.e.M.a.n.a.g.e.r. .h.i.z.m.e.t. .b.a._.l.a.n.g.1... .m.o.d.u.n.u. .a.y.a.r.l.a.y.a.m.1.y.o.r.......f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e._.r.e.s.t.a.r.t. .=. .L.i.t.e.M.a.n.a.g.e.r. .h.i.z.m.e.t. .b.a._.l.a.n.g.1... .m.o.d.u.n.u. .a.y.a.r.l.a.y.a.m.1.y.o.r...\.n.;.S.i.s.t.e.m.i. .y.e.n.i.d.e.n. .b.a._.l.

C:\Program Files (x86)\LiteManager Pro - Server\Lang\Ukrainian.lg

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (305), with CRLF line terminators
Category:	dropped
Size (bytes):	87912
Entropy (8bit):	4.303374267443204
Encrypted:	false
SSDEEP:	768:VUlHxa/yEOYEJNHWjlUu1pZ26ER2nkUTbfk74Q:aNxWREb4lUu1P29R2JbfC4Q
MD5:	3FC082E8F516EAD9FC26AC01E737F9EF
SHA1:	3B67EBCE4400DDCF6B228E5668F3008561FB8F21
SHA-256:	3DC0CEAE11F445B57B17B7C35A90B5133E313CF6B61550AB418252C5B8089C99
SHA-512:	9A9D20AF2F8C27056F58AB5A9C687F5124CE5F6D563E396C9558331FB8BE48E88E148B1FDC548A5EBDEDB451E3D89F2F96856F3BBFD695691D5687599F376421
Malicious:	false
Preview:	..[._.s.y.s.t.e.m.].....l.a.n.g.u.a.g.e._.i.d. .=. .1.0.5.8.........[._.m.e.s.s.a.g.e.s.].....w.e.b._.s.i.t.e. .=. .h.t.t.p.:././.l.i.t.e.m.a.n.a.g.e.r...r.u./.....q.u.e.s.t.i.o.n. .=. ...8.B.0.=.=.O.....e.r.r.o.r. .=. ...>.<.8.;.:.0.....i.n.f.o.r.m.a.t.i.o.n. .=. ...=.D.>.@.<.0.F.V.O.....n.o.t.i.f.i.c.a.t.i.o.n. .=. ...>.2.V.4.>.<.;.5.=.=.O.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.r.e.a.d._.c.o.n.f.i.g.u.r.a.t.i.o.n. .=. ...5.<.>.6.;.8.2.>. .?.@.>.G.8.B.0.B.8. .:.>.=.D.V.3.C.@.0.F.V.N. .A.;.C.6.1.8...\.n.;...5.@.5.2.A.B.0.=.>.2.8.B.8. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r.?.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e. .=. ...5.<.>.6.;.8.2.>. .2.A.B.0.=.>.2.8.B.8. .@.5.6.8.<. .7.0.?.C.A.:.C. .A.;.C.6.1.8. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r.......f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e._.r.e.s.t.a.r.t. .=. ...5.<.>.6.;.8.2.>. .2.A.B.0.=.>.2.8.B.8. .@.5.6.8.<. .7.0.?.C.A.:.C. .A.;.C.6.1.8. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r.

C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6307408
Entropy (8bit):	6.5944937257467116
Encrypted:	false
SSDEEP:	98304:NwiA/GmKEt3LQ7V8z3uHWkd49GMdqOxaB:NOGmKEt31kd2dqwaB
MD5:	63D0964168B927D00064AA684E79A300
SHA1:	B4B9B0E3D92E8A3CBE0A95221B5512DED14EFB64
SHA-256:	33D1A34FEC88CE59BEB756F5A274FF451CAF171A755AAE12B047E678929E8023
SHA-512:	894D8A25E9DB3165E0DAAE521F36BBD6F9575D4F46A2597D13DEC8612705634EFEA636A3C4165BA1F7CA3CDC4DC7D4542D0EA9987DE10D2BC5A6ED9D6E05AECB
Malicious:	false
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......f..................C..F........C.......C...@.......................... i.......`..........@................... N.......M..A...@T...............`.P"...PN.<............................@N.......................M.......N......................text.....C.......C................. ..`.itext...0....C..2....C............. ..`.data... 3....C..4....C.............@....bss........0E..........................idata...A....M..B....E.............@....didata.......N......LE.............@....edata....... N......ZE.............@..@.tls....X....0N..........................rdata..]....@N......\E.............@..@.reloc..<....PN......^E.............@..B.rsrc........@T......DK.............@..@............. i.......`.............@..@................

C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	7753808
Entropy (8bit):	6.615075046955521
Encrypted:	false
SSDEEP:	98304:D4/WZQ7lc63BJGS1VFeIEll251o7+YcMBk2VVyN/RTfCAFIqOx9N:DXQ7SIEXeMBk2V4N/Nq2Iqw9N
MD5:	F3D74B072B9697CF64B0B8445FDC8128
SHA1:	8408DA5AF9F257D12A8B8C93914614E9E725F54C
SHA-256:	70186F0710D1402371CE2E6194B03D8A153443CEA5DDB9FC57E7433CCE96AE02
SHA-512:	004054EF8CDB9E2FEFC3B7783574BFF57D6D5BF9A4624AD88CB7ECCAE29D4DFD2240A0DC60A14480E6722657132082332A3EC3A7C49D37437644A31E59F551AF
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...w#.f.................ZU... ......qU.......U...@.......................... ........v..........@...................._......`_..K....g.. ............v.P"...._.4............................._..................... m_.\|....._......................text....&U......(U................. ..`.itext..$1...@U..2...,U............. ..`.data....@....U..B...^U.............@....bss....0.....V..........................idata...K...`_..L....V.............@....didata......._.......V.............@....edata........_.......V.............@..@.tls....`....._..........................rdata..]....._.......V.............@..@.reloc..4....._.......V.............@..B.rsrc.... ....g.. ....^.............@..@............. ........v.............@..@................

C:\Program Files (x86)\LiteManager Pro - Server\ROMwln.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	999944
Entropy (8bit):	6.626732213066839
Encrypted:	false
SSDEEP:	12288:SA9+TVJdg0YMgqAahyv0jKdTq4lrBhqSq/rt8VwGFrt:SRho0lgqA6yvnrBhq/rQDt
MD5:	ED32E23322D816C3FE2FC3D05972689E
SHA1:	5EEA702C9F2AC0A1AADAE25B09E7983DA8C82344
SHA-256:	7F33398B98E225F56CD287060BEFF6773ABB92404AFC21436B0A20124919FE05
SHA-512:	E505265DD9D88B3199EB0D4B7D8B81B2F4577FABD4271B3C286366F3C1A58479B4DC40CCB8F0045C7CD08FD8BF198029345EEF9D2D2407306B73E5957AD59EDF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...`.-\.................J...........X.......`....@.................................................................. ...................@...........0.......@.. O...................................................................................text...0?.......@.................. ..`.itext..8....P.......D.............. ..`.data....:...`...<...N..............@....bss.....]...............................idata..............................@....didata.............................@....edata....... ......................@..@.rdata..E....0......................@..@.reloc.. O...@...P..................@..B.rsrc....@.......@..................@..@.....................0..............@..@........................................................

C:\Program Files (x86)\LiteManager Pro - Server\Russian.lg

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	94772
Entropy (8bit):	4.284840986247552
Encrypted:	false
SSDEEP:	768:r1kyTyZFOTb6QeZGJXYbFAMrKARuZk7FRwZoFTa2n:rn+2iZGhYbK4KARpAoFTa2n
MD5:	0E204FABE68B4B65ED5E0834651FB732
SHA1:	B338A6E54AA18F3F8A573580520F16C74A51F3D2
SHA-256:	302373D81F0AE15589206420CB01A266804C9FD1C1FF0D6E09CE6BA3FEF92B64
SHA-512:	AAD76F6A76DC693D959389CE471BC585D0DA72737FED99F42F219FDC7C71617C00E8003A467092E12820A359D672C6FB80D99772F3F6433923B2ABB7EEA40F08
Malicious:	false
Preview:	..[._.s.y.s.t.e.m.].....l.a.n.g.u.a.g.e._.i.d.=.1.0.4.9.........[._.m.e.s.s.a.g.e.s.].....w.e.b._.s.i.t.e. .=. .h.t.t.p.:././.l.i.t.e.m.a.n.a.g.e.r...r.u./.....q.u.e.s.t.i.o.n. .=. ...>.?.@.>.A.....e.r.r.o.r. .=. ...H.8.1.:.0.....i.n.f.o.r.m.a.t.i.o.n. .=. ...=.D.>.@.<.0.F.8.O.....n.o.t.i.f.i.c.a.t.i.o.n. .=. ...?.>.2.5.I.5.=.8.5.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.r.e.a.d._.c.o.n.f.i.g.u.r.a.t.i.o.n. .=. ...5.2.>.7.<.>.6.=.>. .?.@.>.G.8.B.0.B.L. .:.>.=.D.8.3.C.@.0.F.8.N. .A.;.C.6.1.K...\.n.;...5.@.5.C.A.B.0.=.>.2.8.B.L. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r.?.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e. .=. ...5.2.>.7.<.>.6.=.>. .C.A.B.0.=.>.2.8.B.L. .@.5.6.8.<. .7.0.?.C.A.:.0. .A.;.C.6.1.K. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r.......f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e._.r.e.s.t.a.r.t. .=. ...5.2.>.7.<.>.6.=.>. .C.A.B.0.=.>.2.8.B.L. .@.5.6.8.<. .7.0.?.C.A.:.0. .A.;.C.6.1.K. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r...\.n.

C:\Program Files (x86)\LiteManager Pro - Server\files\ROMServer.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	7752272
Entropy (8bit):	6.615186281886958
Encrypted:	false
SSDEEP:	98304:y4/WZQ7lc63BJGS1VFeIEll251o7+YcMBk2VVyN/RTfCEFIqOxJn:yXQ7SIEXeMBk2V4N/NqiIqwJn
MD5:	84FB34E529BEDE393A3F604EAA8137B2
SHA1:	195EA03B7BD086454A13C0D8357E0A9E447D9EC9
SHA-256:	1E396C4066AC8F421A54893442A0D76C4F8D4146E63825D67DFC0DA782E73EE5
SHA-512:	A48A80D62E588667B4C891CDED279BABFFA5FB4FDF092F345212F81D29A9ACAA06E6DB27B49DC601909409A3C82AA9272BCDF90D0AE1738E83E80D9FCA4D93E6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......f.................ZU... ......qU.......U...@.......................... ........v..........@...................._......`_..K....g..............(v.P"...._.4............................._..................... m_.\|....._......................text....&U......(U................. ..`.itext..$1...@U..2...,U............. ..`.data....@....U..B...^U.............@....bss....0.....V..........................idata...K...`_..L....V.............@....didata......._.......V.............@....edata........_.......V.............@..@.tls....`....._..........................rdata..]....._.......V.............@..@.reloc..4....._.......V.............@..B.rsrc.........g.......^.............@..@............. .......(v.............@..@................

C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11361360
Entropy (8bit):	6.496049600782297
Encrypted:	false
SSDEEP:	98304:AshiRp5hPI7N9sSA5wbZXJOu/0uOXZYfmQYanSjS+cWuNOlQpgfYLyPsd+QgBBP5:Al5hPwgvyAjDjS+igfgym+bHJxmK
MD5:	B0E355EC3453C8FFAEE08CD4257E96F2
SHA1:	0FA023CA8F1C1ECDADDE3DD3BD551870C2D965E2
SHA-256:	60248BA026064B116E4F94020DABB74DF519F5B4C41379CA19A38D725692CA8E
SHA-512:	B6004F83FD78EED84BF21611EFA45F2FFADF3625E0A2FDCDAE531B4734A4B886EBFE5EBE990DA42302B7368282D83DFFEF19E71DA8EC4C155EE5C8619AD028DD
Malicious:	false
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......f..................v..67.......v...... v...@..........................0...................@...................p...........L...p....+..........:..P"...................................................................`.......................text.....u.......u................. ..`.itext...6....u..8....u............. ..`.data....R... v..T....v.............@....bss.........w..........................idata...L.......N...Xw.............@....didata......`........w.............@....edata.......p........w.............@..@.tls....`................................rdata..].............w.............@..@.reloc................w.............@..B.rsrc.....+..p....+.................@..@.............0.......:..............@..@................

C:\ProgramData\Microsoft\Network\Downloader\edb.chk

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.363788168458258
Encrypted:	false
SSDEEP:	6:6xPoaaD0JOCEfMuaaD0JOCEfMKQmDNOxPoaaD0JOCEfMuaaD0JOCEfMKQmDN:1aaD0JcaaD0JwQQbaaD0JcaaD0JwQQ
MD5:	0E72F896C84F1457C62C0E20338FAC0D
SHA1:	9C071CC3D15E5BD8BF603391AE447202BD9F8537
SHA-256:	686DC879EA8690C42D3D5D10D0148AE7110FA4D8DCCBF957FB8E41EE3D4A42B3
SHA-512:	AAA5BE088708DABC2EC9A7A6632BDF5700BE719D3F72B732BD2DFD1A3CFDD5C8884BFA4951DB0C499AF423EC30B14A49A30FBB831D1B0A880FE10053043A4251
Malicious:	false
Preview:	*.>...........&.....D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................................................&.............................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	1.3107788957216946
Encrypted:	false
SSDEEP:	3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrL:KooCEYhgYEL0In
MD5:	76665AE8E3C1947A1157EC9FBE6F4A05
SHA1:	32725365DE0ED7A71E6D838E23667EE52777725D
SHA-256:	DC0244072160408962E7D02AB9FDAEE16667626206A574DE513AFFF60E1DD431
SHA-512:	D1222904B868B347D01032742B874134F29023E7D77804AB6BE5E7360517741AFE7F77D7C3AECBB96888CA38A4F706C6AE9AFB20D6DFBB711FB7824219D8C521
Malicious:	false
Preview:	z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x13f83988, page size 16384, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.4221697002103083
Encrypted:	false
SSDEEP:	1536:XSB2ESB2SSjlK/uedMrSU0OrsJzvqYkr3g16f2UPkLk+ku4/Iw4KKazAkUk1k2DO:Xazag03A2UrzJDO
MD5:	46B8AD5D086BD58AFD2BC0A541B4B220
SHA1:	3F5887459120C58479BA43165F6E9EF02023140D
SHA-256:	24FB01F195907096AF43E1902A1B70A3084543C9FA11DBCB1756B34AC2AAE483
SHA-512:	8382E90F8CB80603F2D0B749F4CE540AC3ED9390C21FC22013FFB2D69802C18D739AB5320C9014785068E87F3AD26E0B60389BBEA507D73B6C4EF66AD514AEC8
Malicious:	false
Preview:	..9.... .......Y.......X\...;...{......................n.%..........\|.......\|..h.#..........\|..n.%.........D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ............................................................................................................................................................................................................2...{....................................Vt.....\|..................g.r......\|...........................#......n.%.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07871813946654403
Encrypted:	false
SSDEEP:	3:OEetYeX0gNCsnXO6ne6nPSnXBXWrnXAllOE/tlnl+/rTc:OdzX0PGXOMeMcXh+XApMP
MD5:	6231913E0B8D8C2347E37AD25A1DB025
SHA1:	2C9C1EA2A929C3561AE18D732767AFD8039042B5
SHA-256:	6260D33C243D895729B147B0B7E7A0BC87BB00F2C3F2E56568EA58E66EFEBF23
SHA-512:	D512764E3F45EA3184472065540D1714310D8C686408E010D6EEF760A4A09F95DA20C8BA1820D24916E5734A9958C64642134183C190EA39FDAC446355744C5B
Malicious:	false
Preview:	...:.....................................;...{.......\|.......\|...............\|.......\|.....F.....\|..................g.r......\|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\Settings for LM-Server.lnk

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Thu Aug 22 17:41:10 2024, mtime=Mon Oct 28 11:03:09 2024, atime=Thu Aug 22 17:41:10 2024, length=7753808, window=hide
Category:	dropped
Size (bytes):	2167
Entropy (8bit):	3.9006746833262875
Encrypted:	false
SSDEEP:	48:862U6mdO5G3BCZd5Y+d5YsP5qoZkmrSUp8JWqoZkmtw:86siL9O5qoZbcJWqoZbt
MD5:	F61CFB800A5298DEF576D9FD4D2EA860
SHA1:	CC0FFA56D6107B4BFE6F2E534CCA7536A79A6048
SHA-256:	12DC9CB1D4A62645C7FFC941EEE4AC3E5C1475EF807AA7A45A6EA689E3340C37
SHA-512:	986F481F66CE55CA0A8F9FB8E2578D0B4C47222C2886CB32CAE152071872336AFFDF9E3F5D7886100F9853849524E0597CEAA5820FCD56F4B7A74D6D81287C3E
Malicious:	false
Preview:	L..................F.@.. .....>......#.Z1)....>.....PPv..........................P.O. .:i.....+00.../C:\.....................1.....\Yc`..PROGRA~2.........O.I\Yc`....................V......,..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....z.1.....\Ye`..LITEMA~1..b......\Yc`\Ye`...........................C..L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.....h.2.PPv..Y%. .ROMSER~1.EXE..L.......Y%.\Ye`..............................R.O.M.S.e.r.v.e.r...e.x.e.......l...............-.......k.............'......C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe..L.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.\.R.O.M.S.e.r.v.e.r...e.x.e.0.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.\.../.c.o.n.f.i.g.n.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.7.1.F.F.A.4.7.5.-.2.4.D.5.-.4.4.F.B.-.A.5.1.F.-.3.9.B.6.9.9.E.3.D.8.2.C.}.\

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\Start LM-Server.lnk

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
Category:	dropped
Size (bytes):	1890
Entropy (8bit):	3.1573107695942624
Encrypted:	false
SSDEEP:	48:8ddOEPLqd5Y+d5YcCP5q2DT2S0Wq2DTKX7:85LJ9cM5qUoWqUE
MD5:	5FC67E19699B3F0B2AB7B4B89B0B3F1A
SHA1:	6F6380DF2EB8C5D30452A846864F001A8B0E473A
SHA-256:	45451F933B472FA53301D46B7C072AF67E51EC60172E6E9C01E0B308DF78A2F4
SHA-512:	81C7A9F5683DB54893BD26A6EC1BCBDB17983037668CD996E03934E7708331594195DBF2CCE9EB2B0C0567A9E8B24DD629D40866D49E55C9DF77A864D15744E5
Malicious:	false
Preview:	L..................F.@...........................................................P.O. .:i.....+00.../C:\...................z.1...........Program Files (x86).X............................................P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)..."...1...........LiteManager Pro - Server..b............................................L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r...(.h.2...........ROMServer.exe.L............................................R.O.M.S.e.r.v.e.r...e.x.e.......L.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.\.R.O.M.S.e.r.v.e.r...e.x.e.0.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.\.../.s.t.a.r.t.n.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.7.1.F.F.A.4.7.5.-.2.4.D.5.-.4.4.F.B.-.A.5.1.F.-.3.9.B.6.9.9.E.3.D.8.2.C.}.\.R.O.M.S.e.r.v.e.r...e.x.e._.9.D.0.9.B.2.B.C.2.5.A.2.4.1.4.C.B.D.8.4.8.E.2.B.7.5.8.9.8.6.7.6...e.x.e.........%SystemRoot%\In

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\Stop LM-Server.lnk

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Thu Aug 22 17:41:10 2024, mtime=Mon Oct 28 11:03:09 2024, atime=Thu Aug 22 17:41:10 2024, length=7753808, window=hide
Category:	dropped
Size (bytes):	2159
Entropy (8bit):	3.8960676812781156
Encrypted:	false
SSDEEP:	48:8b2U6mdOs9eCZd5Y+d5Ys5qcxFWT84SslWqcxFWT8cw:8b5969s5qcxYT8SWqcxYT8c
MD5:	C6AA7F2B0B30D410E402707AF4EB74E4
SHA1:	B08077F8A6EADA7DD64869AAD47B274C514FB3B9
SHA-256:	B20112773E8008253745811BB3F8DFCE4694B17B2035EC5B3EFE8170DE6EFEDD
SHA-512:	69E4707565A5F72704169CCD0E26160B110808058BA9D1792090831C634A957031385ED4725F8276E9764877564C061CBE04ACE440A28096BC20C4586B11207A
Malicious:	false
Preview:	L..................F.@.. .....>......j.Z1)....>.....PPv..........................P.O. .:i.....+00.../C:\.....................1.....\Yc`..PROGRA~2.........O.I\Yc`....................V......,..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....z.1.....\Yd`..LITEMA~1..b......\Yc`\Yd`..........................S4;.L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.....h.2.PPv..Y%. .ROMSER~1.EXE..L.......Y%.\Yd`..............................R.O.M.S.e.r.v.e.r...e.x.e.......l...............-.......k.............'......C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe..L.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.\.R.O.M.S.e.r.v.e.r...e.x.e.0.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.\.../.s.t.o.p.l.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.7.1.F.F.A.4.7.5.-.2.4.D.5.-.4.4.F.B.-.A.5.1.F.-.3.9.B.6.9.9.E.3.D.8.2.C.}.\.s.t

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\Uninstall LiteManager - Server.lnk

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Icon number=0, Archive, ctime=Sat Dec 7 08:10:02 2019, mtime=Wed Oct 4 09:56:56 2023, atime=Sat Dec 7 08:10:02 2019, length=59904, window=hide
Category:	dropped
Size (bytes):	1953
Entropy (8bit):	3.8809425986964357
Encrypted:	false
SSDEEP:	48:8Wn0l9MSMb0rHOn5qmjlt6ScWqmjltZV:8w0loZn5qmjlmWqmjl
MD5:	E8722C2D55899FC1CA3FDEFAE9928708
SHA1:	E13D8E04499974C5A3170E3A565DB9F2DEBAF631
SHA-256:	89E0D75CE01D42F50447CFCEE3171CE3F91CCC7C9627FC9F3BB745CD55AD7D80
SHA-512:	0D76520534FD7A929FAE0DB8947CB903DD9301D213EFC5C93085598F4D220D20F9F965C00F498C8F26286DA7A937AA700A4EE2318461A0B1B7B9189AF547F5E8
Malicious:	false
Preview:	L..................F.@.. ...25.....1>.~....25.............................A....P.O. .:i.....+00.../C:\...................V.1.....DWR`..Windows.@......OwH\Y]`....3.........................W.i.n.d.o.w.s.....Z.1.....\Y[`..SysWOW64..B......O.I\Y]`....Y.........................S.y.s.W.O.W.6.4.....b.2......OBI .msiexec.exe.H......OBIDW.V................\|.............m.s.i.e.x.e.c...e.x.e.......N...............-.......M.............'......C:\Windows\SysWOW64\msiexec.exe........\.....\.....\.....\.....\.....\.W.i.n.d.o.w.s.\.S.y.s.W.O.W.6.4.\.m.s.i.e.x.e.c...e.x.e.)./.x. .{.7.1.F.F.A.4.7.5.-.2.4.D.5.-.4.4.F.B.-.A.5.1.F.-.3.9.B.6.9.9.E.3.D.8.2.C.}.s.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.7.1.F.F.A.4.7.5.-.2.4.D.5.-.4.4.F.B.-.A.5.1.F.-.3.9.B.6.9.9.E.3.D.8.2.C.}.\.U.N.I.N.S.T._.U.n.i.n.s.t.a.l.l._.L._.7.8.A.A.5.B.6.6.6.2.5.1.4.D.9.4.A.8.4.7.D.6.C.6.0.3.A.F.0.8.9.5...e.x.e.........%SystemRoot%\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\UNINST_Uninstall_L_78AA5B6662514D94A847D6C6

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.145104270193998
Encrypted:	false
SSDEEP:	6:ydWJq2Pwkn2nKuAl9OmbnIFUt8hdWWrZmw+hdWWhkwOwkn2nKuAl9OmbjLJ:fvYfHAahFUt8br/+bh5JfHAaSJ
MD5:	553DF771E63955637137A2B825A8E429
SHA1:	25545F405609A33512B4AF882886476164EAA88A
SHA-256:	9E5BCBC261698E97FF5961D02A2DFED68A1980C9F2A0B83EF2DFDBAA724E3961
SHA-512:	D62ED68E14E426B69E2A1298F6B1D327B09B18756830DF88EC245B07E98B30B6FB030130BB9F4FE1932EFB4B3C1ADCD851389806779F77DE1DDA4887F78FF1E0
Malicious:	false
Preview:	2024/10/28-08:03:04.631 1c04 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/10/28-08:03:04.633 1c04 Recovering log #3.2024/10/28-08:03:04.633 1c04 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.145104270193998
Encrypted:	false
SSDEEP:	6:ydWJq2Pwkn2nKuAl9OmbnIFUt8hdWWrZmw+hdWWhkwOwkn2nKuAl9OmbjLJ:fvYfHAahFUt8br/+bh5JfHAaSJ
MD5:	553DF771E63955637137A2B825A8E429
SHA1:	25545F405609A33512B4AF882886476164EAA88A
SHA-256:	9E5BCBC261698E97FF5961D02A2DFED68A1980C9F2A0B83EF2DFDBAA724E3961
SHA-512:	D62ED68E14E426B69E2A1298F6B1D327B09B18756830DF88EC245B07E98B30B6FB030130BB9F4FE1932EFB4B3C1ADCD851389806779F77DE1DDA4887F78FF1E0
Malicious:	false
Preview:	2024/10/28-08:03:04.631 1c04 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/10/28-08:03:04.633 1c04 Recovering log #3.2024/10/28-08:03:04.633 1c04 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	336
Entropy (8bit):	5.145613633667834
Encrypted:	false
SSDEEP:	6:ydEzIq2Pwkn2nKuAl9Ombzo2jMGIFUt8hdEf0XZmw+hdWgPkwOwkn2nKuAl9OmbX:WvYfHAa8uFUt8//+75JfHAa8RJ
MD5:	4BC68D06D9633C97935EFFD9C3757CE9
SHA1:	FEC5D8E1974DC37A9A4BAF54D0822371D548B5CD
SHA-256:	581A1EF74A6C4D45CD98B02AF6FF6905B70B925B2FF206E6ED5FE57E09803428
SHA-512:	75DB983746037F23A26F3B4C399956579AAC7E6CC5B33DB9769E6E43C6CBCBCBFF6689207F5C759C84DC782A3D6B08645DC1AEDE36A6C587F42044F7FEFC7812
Malicious:	false
Preview:	2024/10/28-08:03:04.628 1ce4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/10/28-08:03:04.629 1ce4 Recovering log #3.2024/10/28-08:03:04.630 1ce4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	336
Entropy (8bit):	5.145613633667834
Encrypted:	false
SSDEEP:	6:ydEzIq2Pwkn2nKuAl9Ombzo2jMGIFUt8hdEf0XZmw+hdWgPkwOwkn2nKuAl9OmbX:WvYfHAa8uFUt8//+75JfHAa8RJ
MD5:	4BC68D06D9633C97935EFFD9C3757CE9
SHA1:	FEC5D8E1974DC37A9A4BAF54D0822371D548B5CD
SHA-256:	581A1EF74A6C4D45CD98B02AF6FF6905B70B925B2FF206E6ED5FE57E09803428
SHA-512:	75DB983746037F23A26F3B4C399956579AAC7E6CC5B33DB9769E6E43C6CBCBCBFF6689207F5C759C84DC782A3D6B08645DC1AEDE36A6C587F42044F7FEFC7812
Malicious:	false
Preview:	2024/10/28-08:03:04.628 1ce4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/10/28-08:03:04.629 1ce4 Recovering log #3.2024/10/28-08:03:04.630 1ce4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\3ade6756-136a-4bff-8585-0695ce0ff1be.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	modified
Size (bytes):	475
Entropy (8bit):	4.973413864143525
Encrypted:	false
SSDEEP:	12:YH/um3RA8sqsN7MhsBdOg2HtzZcaq3QYiubInP7E4T3y:Y2sRdsp7XdMH9g3QYhbG7nby
MD5:	4464D65AC3D17BF3D4CC20C2A36EAC3C
SHA1:	214C10128288C15079242CFCBC6086D14F8A73E9
SHA-256:	5A3D224D1734D4F23AE55ECCB3798328F5E4E0BA5226FCA2209E9D1A72EFBF4A
SHA-512:	89F06D1A4EE963A42E6E0284AC535A477DC65CD20FD1281196578AEA75041CE7E0D4B5C301E23F67096294A7FB0EA2366F3794F20D03D26CF948FDB312D2D1D0
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13374676991157174","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":279070},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.4","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	475
Entropy (8bit):	4.973413864143525
Encrypted:	false
SSDEEP:	12:YH/um3RA8sqsN7MhsBdOg2HtzZcaq3QYiubInP7E4T3y:Y2sRdsp7XdMH9g3QYhbG7nby
MD5:	4464D65AC3D17BF3D4CC20C2A36EAC3C
SHA1:	214C10128288C15079242CFCBC6086D14F8A73E9
SHA-256:	5A3D224D1734D4F23AE55ECCB3798328F5E4E0BA5226FCA2209E9D1A72EFBF4A
SHA-512:	89F06D1A4EE963A42E6E0284AC535A477DC65CD20FD1281196578AEA75041CE7E0D4B5C301E23F67096294A7FB0EA2366F3794F20D03D26CF948FDB312D2D1D0
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13374676991157174","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":279070},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.4","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	4320
Entropy (8bit):	5.250715179537171
Encrypted:	false
SSDEEP:	96:etJCV4FAsszrNamjTN/2rjYMta02fDtehgO7BtTgo78Zm8:etJCV4FiN/jTN/2r8Mta02fEhgO73goO
MD5:	53D271A53A7F5BAACB2D29662793EED1
SHA1:	7537F5E302CF0D70B3E573E639880566974738BF
SHA-256:	E7448C30CA6CE3948B13D278C8BE29CD9A3065F5168B128EEA522E0B1292D0C3
SHA-512:	37CE05C6017683851CDFDD6F388661D7969983E12FDAE143AE5217E9C053EE42477D93BE3A724D9531B6115B63B602CA220FE5258CD5938E9EDA2E26D442B26E
Malicious:	false
Preview:	*...#................version.1..namespace-['O.o................next-map-id.1.Pnamespace-158f4913_074a_4bdf_b463_eb784cc805b4-https://rna-resource.acrobat.com/.0>...r................next-map-id.2.Snamespace-fd2db5bd_ef7e_4124_bfa7_f036ce1d74e5-https://rna-v2-resource.acrobat.com/.1O..r................next-map-id.3.Snamespace-cd5be8d1_42d2_481d_ac0e_f904ae470bda-https://rna-v2-resource.acrobat.com/.2.\.o................next-map-id.4.Pnamespace-6070ce43_6a74_4d0a_9cb8_0db6c3126811-https://rna-resource.acrobat.com/.3....^...............Pnamespace-158f4913_074a_4bdf_b463_eb784cc805b4-https://rna-resource.acrobat.com/..\|.^...............Pnamespace-6070ce43_6a74_4d0a_9cb8_0db6c3126811-https://rna-resource.acrobat.com/n..Fa...............Snamespace-fd2db5bd_ef7e_4124_bfa7_f036ce1d74e5-https://rna-v2-resource.acrobat.com/DQ..a...............Snamespace-cd5be8d1_42d2_481d_ac0e_f904ae470bda-https://rna-v2-resource.acrobat.com/i.`do................next-map-id.5.Pnamespace-de635bf2_6773_4d83_ad16_

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.170253307539203
Encrypted:	false
SSDEEP:	6:y6xJ9q2Pwkn2nKuAl9OmbzNMxIFUt8h6xSuGQZmw+h6xSuGYkwOwkn2nKuAl9Omk:jxPvYfHAa8jFUt88xSu/+8xSC5JfHAab
MD5:	9FDC830DC5241312429B6C064771244C
SHA1:	5A40FC0C2829FDF8F705A6BB841F355E8B713950
SHA-256:	351358C8E96CAFB15C51C0E4BE3D5AEDD02B72A39F6BA5ABC12861E460967791
SHA-512:	D830DD1EBD1E25DFCCA708060E598E8A07CE0DEB28B7359A9CB8B6A94E4DE2AB9382355A444911ABE35524F4943809D01CCFD77CD104A315332188E1C1BF9D75
Malicious:	false
Preview:	2024/10/28-08:03:05.426 1ce4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/10/28-08:03:05.427 1ce4 Recovering log #3.2024/10/28-08:03:05.427 1ce4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.170253307539203
Encrypted:	false
SSDEEP:	6:y6xJ9q2Pwkn2nKuAl9OmbzNMxIFUt8h6xSuGQZmw+h6xSuGYkwOwkn2nKuAl9Omk:jxPvYfHAa8jFUt88xSu/+8xSC5JfHAab
MD5:	9FDC830DC5241312429B6C064771244C
SHA1:	5A40FC0C2829FDF8F705A6BB841F355E8B713950
SHA-256:	351358C8E96CAFB15C51C0E4BE3D5AEDD02B72A39F6BA5ABC12861E460967791
SHA-512:	D830DD1EBD1E25DFCCA708060E598E8A07CE0DEB28B7359A9CB8B6A94E4DE2AB9382355A444911ABE35524F4943809D01CCFD77CD104A315332188E1C1BF9D75
Malicious:	false
Preview:	2024/10/28-08:03:05.426 1ce4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/10/28-08:03:05.427 1ce4 Recovering log #3.2024/10/28-08:03:05.427 1ce4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3040000, file counter 15, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 15
Category:	dropped
Size (bytes):	86016
Entropy (8bit):	4.445096135519542
Encrypted:	false
SSDEEP:	384:yezci5tliBA7aDQPsknQ0UNCFOa14ocOUw6zyFzqFkdZ+EUTTcdUZ5yDQhJL:rOs3OazzU89UTTgUL
MD5:	8F2966626433267E3206A1F9F47228E0
SHA1:	003D691842C02F669DCA289B41336DD28F1F7DE7
SHA-256:	DE27F4580DF45B066D99C62201C07F482B9ACDDFF8700ABF2FAF7C1E38CF8A3C
SHA-512:	2775AC250BB672FF91B91FFC0C9F9050A4E6B027A897D6DA7A9C2F3B391A232CAB773C24DF8CD2E95B7357229B6D1A070BDF8459334C494BFB46163E06A6DD46
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................c.......1........T...U.1.D............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	3.777239878707144
Encrypted:	false
SSDEEP:	48:7M2p/E2ioyVj1ioy9oWoy1Cwoy1W+KOioy1noy1AYoy1Wioy1hioybioycPoy1nz:7ppjuj1FZGXKQP9Ub9IVXEBodRBkA
MD5:	C901C2C95CCE670D53B1373B6F676062
SHA1:	86AE169025BCB69B0287B12131D44338348CA96F
SHA-256:	3BF9D4CBB79A46F9EEEACA3468EF6A58DF9FAA2A5811D0AD60CB7A0F71101D61
SHA-512:	0F598CAB229103412CCEC9BABAC747280B685FDAFE0B86A04936AB9AD1422047513E3AB2C7D7E013065C75FCECC3805345374F94BD086FB09097B3C1C94949E6
Malicious:	false
Preview:	.... .c......@.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................T...[...b...r...t...}.....L..............................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	Certificate, Version=3
Category:	dropped
Size (bytes):	1391
Entropy (8bit):	7.705940075877404
Encrypted:	false
SSDEEP:	24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
MD5:	0CD2F9E0DA1773E9ED864DA5E370E74E
SHA1:	CABD2A79A1076A31F21D253635CB039D4329A5E8
SHA-256:	96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
SHA-512:	3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
Malicious:	false
Preview:	0..k0..S............@.YDc.c...0....H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0....H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.\|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I......A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.\|C.t..t.....0.[q6....00\H..;..}`...).........A.......\|.;F.H..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..\|o..;.....'...}~.."......

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	192
Entropy (8bit):	2.756901573172974
Encrypted:	false
SSDEEP:	3:kkFklxx069PtfllXlE/HT8kPJ/tNNX8RolJuRdxLlGB9lQRYwpDdt:kKV8eT8IJ7NMa8RdWBwRd
MD5:	AF32931264950EE2BFDC6191845B8C95
SHA1:	577CDACCD379456DECF3648F7B4360C4AB85196F
SHA-256:	CC586AE162D671869BAFA44B7C6C8647F5879049BC165055A5FF42FFFBB64A12
SHA-512:	CC6464EDD8414690DB7F0EE03D1FAFF2AE2BE7F30B954D23C15B4FC55F0E443F637EFA4982380915EB7A6AE635F71272F0B24D6F52C2346E7CE23912AE408151
Malicious:	false
Preview:	p...... ..........._1)..(....................................................... ..........W....................o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.1333860653411176
Encrypted:	false
SSDEEP:	6:kK7kL9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:DkiDnLNkPlE99SNxAhUe/3
MD5:	00F4A22B88A4BA799A71606AD9D98EDF
SHA1:	976A1BC0ADD75F859345E332A41F344E662EEA56
SHA-256:	5A7221F663A4DAAB7F27874F69B349495DEA08469D6B25A176C0446FA5F66F61
SHA-512:	BCE4C98072EF14AEFDA4AC7A9049D421BD6BC9FEBE065C5678AB2CE1883B609CE6EC7586CD3B9BA55CF815014CE776924A08A7740BF08893D7F3A57786F2B7CA
Malicious:	false
Preview:	p...... ........iB.`1)..(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.6672

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	185099
Entropy (8bit):	5.182478651346149
Encrypted:	false
SSDEEP:	1536:JsVoWFMWQNk1KUQII5J5lZRT95tFiQibVJDS+Stu/3IVQBrp3Mv9df0CXLhNHqTM:bViyFXE07ZmandGCyN2mM7IgOP0gC
MD5:	94185C5850C26B3C6FC24ABC385CDA58
SHA1:	42F042285037B0C35BC4226D387F88C770AB5CAA
SHA-256:	1D9979A98F7C4B3073BC03EE9D974CCE9FE265A1E2F8E9EE26A4A5528419E808
SHA-512:	652657C00DD6AED1A132E1DFD0B97B8DF233CDC257DA8F75AC9F2428F2F7715186EA8B3B24F8350D409CC3D49AFDD36E904B077E28B4AD3E4D08B4DBD5714344
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:AgencyFB-Reg.FamilyName:Agency FB.StyleName:Regular.MenuName:Agency FB.StyleBits:0.WeightClass:400.WidthClass:3.AngleClass:0.FullName:Agency FB.WritingScript:Roman.hasSVG:no.hasCOLR:no.VariableFontType:NonVariableFont.WinName:Agency FB.FileLength:58920.NameArray:0,Win,1,Agency FB.NameArray:0,Mac,4,Agency FB.NameArray:0,Win,1,Agency FB.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:AgencyFB-Bold.FamilyName:Agency FB.StyleName:Bold.MenuName:Agency FB.StyleBits:2.WeightClass:700.WidthClass:3.AngleClass:0.FullName:Agency FB Bold.WritingScript:Roman.hasSVG:no.hasCOLR:no.VariableFontType:NonVariableFont.WinName:Agency FB Bold.FileLength:60656.NameArray:0,Win,1,Agency FB.NameArray:0,Mac,4,Agency FB Bold.NameArray:0,Win,1,Agency FB.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:Algerian.FamilyName:Algerian.StyleName:Regular.MenuName:Algerian.StyleBits:0.We

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	185099
Entropy (8bit):	5.182478651346149
Encrypted:	false
SSDEEP:	1536:JsVoWFMWQNk1KUQII5J5lZRT95tFiQibVJDS+Stu/3IVQBrp3Mv9df0CXLhNHqTM:bViyFXE07ZmandGCyN2mM7IgOP0gC
MD5:	94185C5850C26B3C6FC24ABC385CDA58
SHA1:	42F042285037B0C35BC4226D387F88C770AB5CAA
SHA-256:	1D9979A98F7C4B3073BC03EE9D974CCE9FE265A1E2F8E9EE26A4A5528419E808
SHA-512:	652657C00DD6AED1A132E1DFD0B97B8DF233CDC257DA8F75AC9F2428F2F7715186EA8B3B24F8350D409CC3D49AFDD36E904B077E28B4AD3E4D08B4DBD5714344
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:AgencyFB-Reg.FamilyName:Agency FB.StyleName:Regular.MenuName:Agency FB.StyleBits:0.WeightClass:400.WidthClass:3.AngleClass:0.FullName:Agency FB.WritingScript:Roman.hasSVG:no.hasCOLR:no.VariableFontType:NonVariableFont.WinName:Agency FB.FileLength:58920.NameArray:0,Win,1,Agency FB.NameArray:0,Mac,4,Agency FB.NameArray:0,Win,1,Agency FB.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:AgencyFB-Bold.FamilyName:Agency FB.StyleName:Bold.MenuName:Agency FB.StyleBits:2.WeightClass:700.WidthClass:3.AngleClass:0.FullName:Agency FB Bold.WritingScript:Roman.hasSVG:no.hasCOLR:no.VariableFontType:NonVariableFont.WinName:Agency FB Bold.FileLength:60656.NameArray:0,Win,1,Agency FB.NameArray:0,Mac,4,Agency FB Bold.NameArray:0,Win,1,Agency FB.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:Algerian.FamilyName:Algerian.StyleName:Regular.MenuName:Algerian.StyleBits:0.We

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	4
Entropy (8bit):	0.8112781244591328
Encrypted:	false
SSDEEP:	3:e:e
MD5:	DC84B0D741E5BEAE8070013ADDCC8C28
SHA1:	802F4A6A20CBF157AAF6C4E07E4301578D5936A2
SHA-256:	81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
SHA-512:	65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
Malicious:	false
Preview:	....

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2145
Entropy (8bit):	5.066534504476633
Encrypted:	false
SSDEEP:	48:Yx2sL0/EY0bMSlMtCM5mMOpiMAW0MretMSMmkaMY:pv/SYtt55V6AWLre6JmkhY
MD5:	154C2E379462487395186278E48BC8F2
SHA1:	B21F57BD3E3E394758F1EB8540F9912DF92F79DF
SHA-256:	A07139AEA1CCFECAA8D4D9FF60D2E07375EF3C964CEC15F3E1C5CF79A9CA02CF
SHA-512:	6CE00A73982C814E2748BC2D976213040AA33D97B5BB52F97BF902A228C6AD489CC9732369892C452319EB42C4BFE808925DD3342797765A5AEA6004F355FABD
Malicious:	false
Preview:	{"all":[{"id":"TESTING","info":{"dg":"DG","sid":"TESTING"},"mimeType":"file","size":4,"ts":1730116987000},{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"23c88c8acf166d9fda5ae4d83df3db72","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":1250,"ts":1696420889000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"d5fa85f4cf271b5fa75367efd1b392fa","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1696420884000},{"id":"DC_FirstMile_Right_Sec_Surface","info":{"dg":"7c2ad79e375e3ea39f82a389e8a5841f","sid":"DC_FirstMile_Right_Sec_Surface"},"mimeType":"file","size":294,"ts":1696420882000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"c3af48ba3dee086edbbf20dff46c7ee0","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1255,"ts":1696333862000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"7101e009d8bf8920d0a3dd3f5dc75ebc","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1250,"ts":1696333862000},{"id":"DC_Reader_Edit_LHP_Banner"

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3040000, file counter 25, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 25
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	1.1873812018033258
Encrypted:	false
SSDEEP:	48:TGufl2GL7msEHUUUUUUUUuxuqSvR9H9vxFGiDIAEkGVvpixuM:lNVmswUUUUUUUUfq+FGSItfM
MD5:	83EA171C10E13F70C2BCB06E0E5E4CF4
SHA1:	0417DA3FC6A26F29A3CF9A550D514FAF79B86B0A
SHA-256:	7D9D9CC72885BBC79EB89549514E578A58F86C4C67F05B37E011E7FE33169B6B
SHA-512:	A0F9C658F0AAB956B14B9AD2CCB62FC06917FA5EA2B3002551E7DAC4D9E24FA810DE2EA99940448A4613997B8B3E3E26491F5939961513B324309814DDE1EEC9
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	1.6073608217166704
Encrypted:	false
SSDEEP:	48:7M+KUUUUUUUUUUuxuIvR9H9vxFGiDIAEkGVvWqFl2GL7msx:7yUUUUUUUUUUfgFGSItcKVmsx
MD5:	73D5AC5CABBDCC735A6D5F2E2B506A18
SHA1:	DCC8870F73FF4BE3CBB248C2C6BA249D887B1FFF
SHA-256:	A629B08CCE383B0AF17B04B6D55C245D095F6D5F2BB710F6F69BA060925D919E
SHA-512:	701AD9EC679BD664CAFCDA7B8C35636FB7CE9EF854A20BC365E8E2EEEE7FA1EDD438094F2FD93E859F119C2A59F3375479428669E8F82AF3D2810C2EC84B87F7
Malicious:	false
Preview:	.... .c.....$.!.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................f.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Doc.pdf

Download File

Process:	C:\Users\user\Desktop\0438.pdf.exe
File Type:	PDF document, version 1.7, 1 pages (zip deflate encoded)
Category:	dropped
Size (bytes):	125552
Entropy (8bit):	7.579988719622451
Encrypted:	false
SSDEEP:	1536:N0N5xSlECZcbZ42IlWpy67H/AvLpMpBXCF4KMvX6UkMZdEMLHMgifPdEoLIeLA+6:CNPSiJZ4xy8DlivXREMBOlEoMeLjCiQ
MD5:	7827620BA2CD12D54B41C006BA4D686C
SHA1:	F6B40CB23006AD0E1AFD4C08CA943A75258FAB34
SHA-256:	9DAA46F8D84B0E65E2D5FDF7FCD80FF6CA922278C32A2B5C9425C0C5EF7D2096
SHA-512:	9782FB4DBA6F62A589BF213AE5CCE3F66514319363F499B584DC854ACC1DCD94221102BDDAC982AA9DB36C5B7696BD1ABACF7C15771CDECC317B2F3421CCA321
Malicious:	false
Preview:	%PDF-1.7..%......1 0 obj..<</Type/Catalog/Pages 2 0 R/Lang(en) /StructTreeRoot 11 0 R/MarkInfo<</Marked true>>/Metadata 22 0 R/ViewerPreferences 23 0 R>>..endobj..2 0 obj..<</Type/Pages/Count 1/Kids[ 3 0 R] >>..endobj..3 0 obj..<</Type/Page/Parent 2 0 R/Resources<</Font<</F1 5 0 R>>/ExtGState<</GS7 7 0 R/GS8 8 0 R>>/XObject<</Image9 9 0 R>>/ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 612 792] /Contents 4 0 R/Group<</Type/Group/S/Transparency/CS/DeviceRGB>>/Tabs/S/StructParents 0>>..endobj..4 0 obj..<</Filter/FlateDecode/Length 188>>..stream..x.E.K..@.......R..!.4 .\|$FB.."ZH.+............x.h..!/."..f....X.Q.8M.D0aGK..+.J{x.....(.kJ.FBJ&\|.7J...H..f..%..Nory..M'...m9%g.......4.(AV&............2...H..B...Z..o.V#.c.....6k..endstream..endobj..5 0 obj..<</Type/Font/Subtype/TrueType/Name/F1/BaseFont/BCDEEE+Calibri/Encoding/WinAnsiEncoding/FontDescriptor 6 0 R/FirstChar 32/LastChar 32/Widths 20 0 R>>..endobj..6 0 obj..<</Type/FontDescriptor/FontName/BCDEEE+Calibri/Flags 3

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-10-28 08-03-06-625.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with very long lines (393)
Category:	dropped
Size (bytes):	16525
Entropy (8bit):	5.345946398610936
Encrypted:	false
SSDEEP:	384:zHIq8qrq0qoq/qUILImCIrImI9IWdFdDdoPtPTPtP7ygyAydy0yGV///X/J/VokV:nNW
MD5:	8947C10F5AB6CFFFAE64BCA79B5A0BE3
SHA1:	70F87EEB71BA1BE43D2ABAB7563F94C73AB5F778
SHA-256:	4F3449101521DA7DF6B58A2C856592E1359BA8BD1ACD0688ECF4292BA5388485
SHA-512:	B76DB9EF3AE758F00CAF0C1705105C875838C7801F7265B17396466EECDA4BCD915DA4611155C5F2AD1C82A800C1BEC855E52E2203421815F915B77AA7331CA0
Malicious:	false
Preview:	SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:088+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="SetConfig:

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with very long lines (393), with CRLF line terminators
Category:	dropped
Size (bytes):	15114
Entropy (8bit):	5.363442924398914
Encrypted:	false
SSDEEP:	384:pZNgKabIpfQq6F4ZNyYTPdbaK5SgxDzcYv7DZDPDnD5D0WLdSWtqwmzQomfmzKjG:rdu
MD5:	1BB862FC525CCE1E4377367E4990CE85
SHA1:	FE4BE9C408803FA2DDDD6F1C13214CFC4F45568F
SHA-256:	408F1A7E929738EE6EBAB86F4B132896F3675790CB1665349BAC326C48F7F5E3
SHA-512:	B23F31CFEF7D6DD53229C10EA20D0A286ED0B57EA9ACAF236168337FAFD48BDC73D4778120C41ED2EC48F4F4DC29B250B7BA55D59EEC880CBCCA599520B31A5C
Malicious:	false
Preview:	SessionID=a9f52ce0-0760-4b9d-823d-ffdccc1b49e2.1730116986655 Timestamp=2024-10-28T08:03:06:655-0400 ThreadID=7864 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=a9f52ce0-0760-4b9d-823d-ffdccc1b49e2.1730116986655 Timestamp=2024-10-28T08:03:06:671-0400 ThreadID=7864 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=a9f52ce0-0760-4b9d-823d-ffdccc1b49e2.1730116986655 Timestamp=2024-10-28T08:03:06:671-0400 ThreadID=7864 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=a9f52ce0-0760-4b9d-823d-ffdccc1b49e2.1730116986655 Timestamp=2024-10-28T08:03:06:671-0400 ThreadID=7864 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=a9f52ce0-0760-4b9d-823d-ffdccc1b49e2.1730116986655 Timestamp=2024-10-28T08:03:06:672-0400 ThreadID=7864 Component=ngl-lib_NglAppLib Description="SetConf

C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	29752
Entropy (8bit):	5.390804789614036
Encrypted:	false
SSDEEP:	768:anddBuBYZwcfCnwZCnR8Bu5hx18HoCnLlAY+iCBuzhLCnx1CnPrRRFS10l8gT2rt:x
MD5:	4D92A5DE128FFAE540B36DA5F371BA22
SHA1:	AEE72E8C42CEA59423AC9EBADE1B5EC326C4C989
SHA-256:	83F6FDB56605A703AEE2A8DE3904D939E860C2108F36465F2FEBED5B1E8828AC
SHA-512:	166793A06C19FB625A0B58E45E708758603447A0F37745EC856F0C7B01042470A6EC10102B2ADB9A46AC4DA2E6BEBC24A2E899A83B8BDC699D48EDA0E885F414
Malicious:	false
Preview:	03-10-2023 12:50:40:.---2---..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : *************************************..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : ***********************************..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : **** Starting new session ******..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : Starting NGL..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..03-10-2023 12:50:40:.Closing File..03-10-

C:\Users\user\AppData\Local\Temp\acrocef_low\056300dc-35a5-4a50-8486-d0822644552a.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
Category:	dropped
Size (bytes):	386528
Entropy (8bit):	7.9736851559892425
Encrypted:	false
SSDEEP:	6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
MD5:	5C48B0AD2FEF800949466AE872E1F1E2
SHA1:	337D617AE142815EDDACB48484628C1F16692A2F
SHA-256:	F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
SHA-512:	44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
Malicious:	false
Preview:	...........]s[G. Z...{....;...J$%K&..%.[..k...S....$,.`. )Z..m........a.......o..7.VfV...S..HY}Ba.<.NUVVV~W.].;qG4..b,N..#1.=1.#1..o.Fb.........IC.....Z...g_~.OO.l..g.uO...bY.,[..o.s.D<..W....w....?$4..+..%.[.?..h.w<.T.9.vM.!..h0......}..H..$[...lq,....>..K.)=..s.{.g.O...S9".....Q...#...+..)>=.....\|6......<4W.'.U.j$....+..=9...l.....S..<.\.k.'....{.1<.?..<..uk.v;.7n.!...g....."P..4.U........c.KC..w._G..u..g./.g....{'^.-\|..h#.g.\.PO.\|...]x..Kf4..s..............+.Y.....@.K....zI..X......6e?[..u.g"{..h.vKbM<.?i6{%.q)i...v..<P8P3.......CW.fwd...{:@h...;........5..@.C.j.....a.. U.5...].$.L..wW....z...v.......".M.?c.......o..}.a.9..A..%V..o.d....'..\|m.WC.....\|.....e.[W.p.8...rm....^..x'......5!...\|......z..#......X_..Gl..c..R..`...*.s-1f..]x......f...g...k........g....... ).3.B..{"4...!r....v+As...Zn.]K{.8[..M.r.Y..........+%...]...J}f]~}_..K....;.Z.[..V.&..g...>...{F..{I..@~.^.\|P..G.R>....U..../HY...(.z.<.~.9OW.Sxo.Y

C:\Users\user\AppData\Local\Temp\acrocef_low\385381fc-68b1-4a6f-92e2-0f5dcb19ad9c.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
Category:	dropped
Size (bytes):	758601
Entropy (8bit):	7.98639316555857
Encrypted:	false
SSDEEP:	12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
MD5:	3A49135134665364308390AC398006F1
SHA1:	28EF4CE5690BF8A9E048AF7D30688120DAC6F126
SHA-256:	D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
SHA-512:	BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
Malicious:	false
Preview:	...........kWT..0...W`.........b..@..nn........5.._..I.R3I..9g.x....s.\+.J......F...P......V]u......t....jK...C.fD..]..K....;......y._.U..}......S.........7...Q.............W.D..S.....y......%..=.....e..^.RG......L..].T.9.y.zqm.Q]..y..(......Q]..~~..}..q...@.T..xI.B.L.a.6...{..W..}.mK?u...5.#.{...n...........z....m^.6!.`.....u...eFa........N....o..hA-..s.N..B.q..{..z.{=..va4_`5Z........3.uG.n...+...t...z.M."2..x.-...DF..VtK.....o]b.Fp.>........c....,..t..an[............5.1.(}..q.q......K3.....[>..;e..f.Y.........mV.cL...]eF..7.e.<.._.o\.S..Z...`..}......>@......\|.......ox.........h.......o....-Yj=.s.g.Cc\.i..\..A.B>.X..8`...P......[..O...-.g...r..u\...k..7..#E....N}...8.....(..0....w....j.......>.L....H.....y.x3...[>..t......0..z.qw..]X..i8..w.b..?0.wp..XH.A.[.....S..g.g..I.A.15.0?._n.Q.]..r8.....l..18...(.].m...!\|G.1...... .3.`./....`~......G.............\|..pS.e.C....:o.u_..oi.:..\|....joi...eM.m.K...2%...Z..j...VUh..9.}.....

C:\Users\user\AppData\Local\Temp\acrocef_low\8ff991c0-145c-4088-84c0-e74ca71b14a0.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
Category:	dropped
Size (bytes):	1419751
Entropy (8bit):	7.976496077007677
Encrypted:	false
SSDEEP:	24576:/rwYIGNP4mOWL07oBGZ1dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:TwZG6bWLxBGZN3mlind9i4ufFXpAXkru
MD5:	95F182500FC92778102336D2D5AADCC8
SHA1:	BEC510B6B3D595833AF46B04C5843B95D2A0A6C9
SHA-256:	9F9C041D7EE1DA404E53022D475B9E6D5924A17C08D5FDEC58C0A1DCDCC4D4C9
SHA-512:	D7C022459486D124CC6CDACEAD8D46E16EDC472F4780A27C29D98B35AD01A9BA95F62155433264CC12C32BFF384C7ECAFCE0AC45853326CBC622AE65EE0D90BA
Malicious:	false
Preview:	...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E\|.P..$ni.{.....T.^~<m-..J....RQk....f.....q.......V.rC.M.b.DiL\.....wq....$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..DT...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.........R.....j.WD).M..9.Fw...W.-a..z.l\..u.^....L..^.`.T...l.^.B.DMc.d....i...o.\|M.uF\|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,.e....5...X.}6.P....y\.s\|..Si..BB..y...~.....D^g...7'T-.5.!K.$\...2.

C:\Users\user\AppData\Local\Temp\acrocef_low\de91ca0e-b050-441d-bd3b-fad6b26627fb.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081
Category:	dropped
Size (bytes):	1407294
Entropy (8bit):	7.97605879016224
Encrypted:	false
SSDEEP:	24576:/xA7o5dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07/WLaGZDwYIGNPJe:JVB3mlind9i4ufFXpAXkrfUs0jWLaGZo
MD5:	A0CFC77914D9BFBDD8BC1B1154A7B364
SHA1:	54962BFDF3797C95DC2A4C8B29E873743811AD30
SHA-256:	81E45F94FE27B1D7D61DBC0DAFC005A1816D238D594B443BF4F0EE3241FB9685
SHA-512:	74A8F6D96E004B8AFB4B635C0150355CEF5D7127972EA90683900B60560AA9C7F8DE780D1D5A4A944AF92B63C69F80DCDE09249AB99696932F1955F9EED443BE
Malicious:	false
Preview:	...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E\|.P..$ni.{.....T.^~<m-..J....RQk....f.....q.......V.rC.M.b.DiL\.....wq....$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..DT...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.........R.....j.WD).M..9.Fw...W.-a..z.l\..u.^....L..^.`.T...l.^.B.DMc.d....i...o.\|M.uF\|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,.e....5...X.}6.P....y\.s\|..Si..BB..y...~.....D^g...7'T-.5.!K.$\...2.

C:\Users\user\AppData\Local\Temp\pdf.msi

Download File

Process:	C:\Users\user\Desktop\0438.pdf.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: LiteManager - Server 5.0 installation package, Comments: This installer contains the logic and data to install LiteManager Pro - Server 5.0, Keywords: Installer,MSI,Database, Subject: LiteManager Pro - Server, Author: LiteManagerTeam, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2015 - Premier Edition with Virtualization Pack 22, Last Saved Time/Date: Thu Aug 22 15:43:08 2024, Create Time/Date: Thu Aug 22 15:43:08 2024, Last Printed: Thu Aug 22 15:43:08 2024, Revision Number: {9EF586E9-112B-4AAE-B439-5B62B7A0B1DE}, Code page: 0, Template: Intel;0,1033,1049
Category:	dropped
Size (bytes):	11554816
Entropy (8bit):	7.9382387394429115
Encrypted:	false
SSDEEP:	196608:9Jg0ovdgTGOk/J1yr/A9ODMlWyFISx8/191nYHiT88o8En03yEoH8WkJDFa:bAJoLA9OIlWy58/19J+iYNPEoHg0
MD5:	0C88F651EEA7EBD95DF08F6A492FCB38
SHA1:	93E622BB18056BB61DD11805D91AB1F9267CBD67
SHA-256:	A1FAAE4E2B695C7DF3846179192F4E67BD8DD05E7E5C6D0B4B72DB175F629076
SHA-512:	41F69CFCDA6EBB6DD6984D21B19E952BA25C78404B138FF25A8E16283D9080B5E2A85AF4973EC25A4F45F8D402163CCE96906F06F3FBA2068571F1F1ACBEA86C
Malicious:	false
Preview:	......................>...................................8........6..................}.................................................................................................................................................................................................................................................... ... ...!...!..."..."...#...#...$...$...%...%...&...&...'...'...(...(...)...).........+...+...,...,...-...-.........../.../...0...0...1...1...2...2...3...3...4...4...5...5...6..........<................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...@...M...:...;...=...........?...N...A...B...C...D...E...F...G...H...I...J...O...L...N...D.......P...Q...R...S...T...Z...V...W...X...Y....X..[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\5ded59.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: LiteManager - Server 5.0 installation package, Comments: This installer contains the logic and data to install LiteManager Pro - Server 5.0, Keywords: Installer,MSI,Database, Subject: LiteManager Pro - Server, Author: LiteManagerTeam, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2015 - Premier Edition with Virtualization Pack 22, Last Saved Time/Date: Thu Aug 22 15:43:08 2024, Create Time/Date: Thu Aug 22 15:43:08 2024, Last Printed: Thu Aug 22 15:43:08 2024, Revision Number: {9EF586E9-112B-4AAE-B439-5B62B7A0B1DE}, Code page: 0, Template: Intel;0,1033,1049
Category:	dropped
Size (bytes):	11554816
Entropy (8bit):	7.9382387394429115
Encrypted:	false
SSDEEP:	196608:9Jg0ovdgTGOk/J1yr/A9ODMlWyFISx8/191nYHiT88o8En03yEoH8WkJDFa:bAJoLA9OIlWy58/19J+iYNPEoHg0
MD5:	0C88F651EEA7EBD95DF08F6A492FCB38
SHA1:	93E622BB18056BB61DD11805D91AB1F9267CBD67
SHA-256:	A1FAAE4E2B695C7DF3846179192F4E67BD8DD05E7E5C6D0B4B72DB175F629076
SHA-512:	41F69CFCDA6EBB6DD6984D21B19E952BA25C78404B138FF25A8E16283D9080B5E2A85AF4973EC25A4F45F8D402163CCE96906F06F3FBA2068571F1F1ACBEA86C
Malicious:	false
Preview:	......................>...................................8........6..................}.................................................................................................................................................................................................................................................... ... ...!...!..."..."...#...#...$...$...%...%...&...&...'...'...(...(...)...).........+...+...,...,...-...-.........../.../...0...0...1...1...2...2...3...3...4...4...5...5...6..........<................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...@...M...:...;...=...........?...N...A...B...C...D...E...F...G...H...I...J...O...L...N...D.......P...Q...R...S...T...Z...V...W...X...Y....X..[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\5ded5c.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: LiteManager - Server 5.0 installation package, Comments: This installer contains the logic and data to install LiteManager Pro - Server 5.0, Keywords: Installer,MSI,Database, Subject: LiteManager Pro - Server, Author: LiteManagerTeam, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2015 - Premier Edition with Virtualization Pack 22, Last Saved Time/Date: Thu Aug 22 15:43:08 2024, Create Time/Date: Thu Aug 22 15:43:08 2024, Last Printed: Thu Aug 22 15:43:08 2024, Revision Number: {9EF586E9-112B-4AAE-B439-5B62B7A0B1DE}, Code page: 0, Template: Intel;0,1033,1049
Category:	dropped
Size (bytes):	11554816
Entropy (8bit):	7.9382387394429115
Encrypted:	false
SSDEEP:	196608:9Jg0ovdgTGOk/J1yr/A9ODMlWyFISx8/191nYHiT88o8En03yEoH8WkJDFa:bAJoLA9OIlWy58/19J+iYNPEoHg0
MD5:	0C88F651EEA7EBD95DF08F6A492FCB38
SHA1:	93E622BB18056BB61DD11805D91AB1F9267CBD67
SHA-256:	A1FAAE4E2B695C7DF3846179192F4E67BD8DD05E7E5C6D0B4B72DB175F629076
SHA-512:	41F69CFCDA6EBB6DD6984D21B19E952BA25C78404B138FF25A8E16283D9080B5E2A85AF4973EC25A4F45F8D402163CCE96906F06F3FBA2068571F1F1ACBEA86C
Malicious:	false
Preview:	......................>...................................8........6..................}.................................................................................................................................................................................................................................................... ... ...!...!..."..."...#...#...$...$...%...%...&...&...'...'...(...(...)...).........+...+...,...,...-...-.........../.../...0...0...1...1...2...2...3...3...4...4...5...5...6..........<................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...@...M...:...;...=...........?...N...A...B...C...D...E...F...G...H...I...J...O...L...N...D.......P...Q...R...S...T...Z...V...W...X...Y....X..[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\MSIF170.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	294216
Entropy (8bit):	4.850868787679576
Encrypted:	false
SSDEEP:	3072:Eooy2KjcC2jcmFDX/vjcJGUjcmFDX/rjcmFDX/dZ+oNbynfq:Eooy25DXmNDXLDXX+oNbynfq
MD5:	ECF827A6C56F530DF2AE358AA45B39BA
SHA1:	8799549BB3CDF84012C2663A69885F7832D6FC57
SHA-256:	7C42E6EC697CEDC45D843EBCA3A3B3B177442F9ACA392345EB699E8EB6C8657F
SHA-512:	6CAC285C16D9CD54FEBC2EA64CA99EEDF8FD3F94B301ADE57F74B5DC01AA981B1F7B60A80B71F800D52083E5F92991A6F6C3EA7C8240A1A1D29DC42F5ED6D8E0
Malicious:	false
Preview:	...@IXOS.@.....@c@\Y.@.....@.....@.....@.....@.....@......&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}..LiteManager Pro - Server..pdf.msi.@.....@.....@.....@......ARPPRODUCTICON.exe..&.{9EF586E9-112B-4AAE-B439-5B62B7A0B1DE}.....@.....@.....@.....@.......@.....@.....@.......@......LiteManager Pro - Server......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{3244CDE6-6414-4399-B0D5-424562747210}0.C:\Program Files (x86)\LiteManager Pro - Server\.@.......@.....@.....@......&.{4D4D18AA-F74D-4291-B5A9-93C3CC48B75F}5.C:\Program Files (x86)\LiteManager Pro - Server\Lang\.@.......@.....@.....@......&.{641F154A-FEEF-4FA7-B5BF-414DB1DB8390}C.C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe.@.......@.....@.....@......&.{26EAB54E-4659-47E8-86F9-4CB74F7E03BE}0.C:\Program Files (x86)\LiteManager Pro - Server\.@.......@.....@.....@......&.{596F4636-5D51-49

C:\Windows\Installer\SourceHash{71FFA475-24D5-44FB-A51F-39B699E3D82C}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.1623296500065194
Encrypted:	false
SSDEEP:	12:JSbX72FjHaAGiLIlHVRpqh/7777777777777777777777777vDHFGpZl0i8Q:JkQI56dF
MD5:	4C94D03FC8BEB4F1DD925B57C9CEAE42
SHA1:	B3FAA4DAAE5F39A5C0D3964BC892EE338719C2BC
SHA-256:	568F726B532CC68D639B2E5E82930546306FDFAB31F08D2AB7313B7794BD6F91
SHA-512:	47153142B64FF90033F6BB59DF9D945F2F5E87131BBF2A7786E3C7783DA64B4757F2A3E8F7CE2221830B450C5D1587A83B996017AC7BD3C215C4E820ACDED4D1
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.7853557379270208
Encrypted:	false
SSDEEP:	48:p8Ph+uRc06WXJMFT5Rd9gz9mSvOd5YpRXd5YNd5YGd5YMd5YP6Ad5Y4o9ISB29l2:kh+1vFTQsm0WlfPuWqC0WlfIF/
MD5:	8DA482A5572BF4E410771AAAD260B3B8
SHA1:	43AE61E0AE19355004D10BBDBB9004BD5A2F6E2F
SHA-256:	317B2017FF3E57E0F18B3ABE52D7F754E5F42156EB0EFD94454B979105806E18
SHA-512:	A6C9A609C52D8D850D4EC1C61017E35DBC597FB8AE05C0DCE33943456A34F25D8039728934CB2E63E75A0B456473B98F484CD8A12A6EFD50FD41F4BA168198A5
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ARPPRODUCTICON.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	53248
Entropy (8bit):	4.351781833522881
Encrypted:	false
SSDEEP:	384:AvFMAyDNOdTdFCxfrwntajXjDWLi9Y+C5vy/Q1nDcZUNeLNek+vDFNe+TNy:+MAyYdTmPJbgqcnDcCNy
MD5:	CA680899D9330BEB85E6351E6DC0D27B
SHA1:	41E89E582F58FB2A4ED06FA3BF796A1DAAC5CB6C
SHA-256:	EAB5DC45781E92CD5CF953016757B1E6F2ED7A0B5A97CC0945B19A8FBC1A85F2
SHA-512:	3817BD6EC345F96631E6CBF6C8DD384ACB17D912B1EC69D959F3AA15C05226D5FE3B5E9807D42D0E63589AABCEADFBE8BD5F293D8069DF689D12498E05842286
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............C...C...C...C...CD..C...C...C...C=..C...C...C...C...C...CRich...C........................PE..L...J&uU.................@...................P....@.........................................................................4T..(........0...........................................................................P...............................text....5.......@.................. ..`.rdata.......P.......P..............@..@.data....)...`...0...`..............@....rsrc....0.......@..................@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ROMServer.exe_9D09B2BC25A2414CBD848E2B75898676.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	57344
Entropy (8bit):	4.774504587732323
Encrypted:	false
SSDEEP:	768:SMAyYdTmPJbgqcnDcZTw0gpEeO4tZZz+0pQTk/N0:S1U81cmpjDX/N0
MD5:	5EBCB54B76FBE24FFF9D3BD74E274234
SHA1:	6CD72F044F36B7A3A79B7D77AAE59F274A66CE95
SHA-256:	504AEB909BBA186D4298AA97DCD6A09CCDD42217AF1F6210BC5EBD23B3DFCCBF
SHA-512:	5FF61D724B77B6EDC67D33B0F1EE1C3CB01F2A03251D0BE83FF10A80A99DBA08E3A0E0F985DEED6358E467B2E9B6A837E894513D1B5E68AF253C0BBDD68539D0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............C...C...C...C...CD..C...C...C...C=..C...C...C...C...C...CRich...C........................PE..L...J&uU.................@...................P....@.........................................................................4T..(.......xC...........................................................................P...............................text....5.......@.................. ..`.rdata.......P.......P..............@..@.data....)...`...0...`..............@....rsrc...xC.......P..................@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\UNINST_Uninstall_L_78AA5B6662514D94A847D6C603AF0895.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	4.31126714354722
Encrypted:	false
SSDEEP:	384:EvFMAyDNOdTdFCxfrwntajXjDWLi9Y+C5vy/Q1nDcZMwQE3vGYksuektm6yysZc8:SMAyYdTmPJbgqcnDcmwQE/RkHRRNS
MD5:	6A4AFFF2CD33613166B37A0DAB99BD41
SHA1:	FBC0F1696213B459D099A5809D79CFC01253880F
SHA-256:	53C1AE4962663E82D3AAC7C4A6CBE3D53E05D6948ADAE6391A2748396ACF98FE
SHA-512:	7B61D32E4AD38BC21E86559BFFA49A334CCB6184E595CB43F2D60A2A77C86B31D07B1A9D1F8FBE69E9AAD7E096952D765404BEBC494E73BD992642EB6B82E3A7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............C...C...C...C...CD..C...C...C...C=..C...C...C...C...C...CRich...C........................PE..L...J&uU.................@...p...............P....@.........................................................................4T..(........+...........................................................................P...............................text....5.......@.................. ..`.rdata.......P.......P..............@..@.data....)...`...0...`..............@....rsrc....+.......0..................@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\config_server_B6BD2967C67B44649764F06ADFFD6458.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	57344
Entropy (8bit):	4.774504587732323
Encrypted:	false
SSDEEP:	768:SMAyYdTmPJbgqcnDcZTw0gpEeO4tZZz+0pQTk/N0:S1U81cmpjDX/N0
MD5:	5EBCB54B76FBE24FFF9D3BD74E274234
SHA1:	6CD72F044F36B7A3A79B7D77AAE59F274A66CE95
SHA-256:	504AEB909BBA186D4298AA97DCD6A09CCDD42217AF1F6210BC5EBD23B3DFCCBF
SHA-512:	5FF61D724B77B6EDC67D33B0F1EE1C3CB01F2A03251D0BE83FF10A80A99DBA08E3A0E0F985DEED6358E467B2E9B6A837E894513D1B5E68AF253C0BBDD68539D0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............C...C...C...C...CD..C...C...C...C=..C...C...C...C...C...CRich...C........................PE..L...J&uU.................@...................P....@.........................................................................4T..(.......xC...........................................................................P...............................text....5.......@.................. ..`.rdata.......P.......P..............@..@.data....)...`...0...`..............@....rsrc...xC.......P..................@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\stop_server_51B516B87C64408FA3C56354EA2277C2.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	57344
Entropy (8bit):	4.774504587732323
Encrypted:	false
SSDEEP:	768:SMAyYdTmPJbgqcnDcZTw0gpEeO4tZZz+0pQTk/N0:S1U81cmpjDX/N0
MD5:	5EBCB54B76FBE24FFF9D3BD74E274234
SHA1:	6CD72F044F36B7A3A79B7D77AAE59F274A66CE95
SHA-256:	504AEB909BBA186D4298AA97DCD6A09CCDD42217AF1F6210BC5EBD23B3DFCCBF
SHA-512:	5FF61D724B77B6EDC67D33B0F1EE1C3CB01F2A03251D0BE83FF10A80A99DBA08E3A0E0F985DEED6358E467B2E9B6A837E894513D1B5E68AF253C0BBDD68539D0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............C...C...C...C...CD..C...C...C...C=..C...C...C...C...C...CRich...C........................PE..L...J&uU.................@...................P....@.........................................................................4T..(.......xC...........................................................................P...............................text....5.......@.................. ..`.rdata.......P.......P..............@..@.data....)...`...0...`..............@....rsrc...xC.......P..................@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	432221
Entropy (8bit):	5.375164509042872
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgaur:zTtbmkExhMJCIpErG
MD5:	4A7419C98A88F6E5126DDD1596FF695C
SHA1:	5823943875E105823B879C38BE933368F795D2A9
SHA-256:	34A91AB64FD8E07802FF8DD37FF7AE46EA94AE41E3A4F1BE7939DA203CF65E1B
SHA-512:	C304ED3E809F5017D264E8AFFE25D17BAB636D3C477D1F868D65D43904691B694AA4A79DD1C49BC2B4BA8AB6CD876AB165A47D4059F2BB712DA66791FD689F72
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\Temp\~DF42DE396B7EE83764.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF45AC3021BD27BEC3.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.414888628076449
Encrypted:	false
SSDEEP:	48:JlWuDO+CFXJBT55qid9gz9mSvOd5YpRXd5YNd5YGd5YMd5YP6Ad5Y4o9ISB29lOp:HWfZT3osm0WlfPuWqC0WlfIF/
MD5:	AFC19C2D1371EC50FDBA9785DD83D8E3
SHA1:	2C86D166FE40625D68DAA3BBE99BC5AD249C64B6
SHA-256:	A045AF27F07921AAAF31227EE26040E7B1576DB6F5CD5A59873B44FE0643BE2F
SHA-512:	475A0F9394380EBD149B2F2E26745E3DB0582E885D6C5B1F16629ABD2BEFCCE295285F36C462ED5F76B9F68949492AC3544DE17CD6096755F447C20FEE807735
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF4CCBE10C98230B6C.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF5C26B53625FAA733.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.414888628076449
Encrypted:	false
SSDEEP:	48:JlWuDO+CFXJBT55qid9gz9mSvOd5YpRXd5YNd5YGd5YMd5YP6Ad5Y4o9ISB29lOp:HWfZT3osm0WlfPuWqC0WlfIF/
MD5:	AFC19C2D1371EC50FDBA9785DD83D8E3
SHA1:	2C86D166FE40625D68DAA3BBE99BC5AD249C64B6
SHA-256:	A045AF27F07921AAAF31227EE26040E7B1576DB6F5CD5A59873B44FE0643BE2F
SHA-512:	475A0F9394380EBD149B2F2E26745E3DB0582E885D6C5B1F16629ABD2BEFCCE295285F36C462ED5F76B9F68949492AC3544DE17CD6096755F447C20FEE807735
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF5FE22D5405ED6D6C.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.22131176310390613
Encrypted:	false
SSDEEP:	48:PHwmFSB29lOd5YpRXd5YNd5YGd5YMd5Yu9mSvOd5YpRXd5YNd5YGd5YMd5YP6AdP:PH5FqC0WlfVm0WlfPux
MD5:	F7796F2E111E686E7E03660D47F3D38C
SHA1:	AEE8238B3F99C37B5A44E9A8689A51C07D41CC92
SHA-256:	E0CF915A8138BD494797C311C94BBE0F33428A483B6D79E36C0198487CF81F6C
SHA-512:	C384BCD42B39FCD53EF6A6EE5091AAF0C0D5043289B03DD9D17E351E39D038DA56DA84BA90A40BDDC1135C0D7A56367FB558DC180C308A17E4B95397000BF4B9
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF63E8EF42D32B613C.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.06823846717123914
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKOYYbmc6Vky6lZ:2F0i8n0itFzDHFTZ
MD5:	43121AF9C0468049B811D5DE9EE986C6
SHA1:	3D65F87A3C467D0DE2BF8F07A60621B947A9CE4C
SHA-256:	592C5B6D2ADD44B5EFCE1D5A353279925147188A1C15B56B1189E89FE97374E0
SHA-512:	0B09D5648F1374083996F24FF71AE87B22F152D907C91B84567CA27B985F05C447AF27527A3E760F44817300DB8680F73F5D86A36B9DC157AA3E6C5BB6BC6831
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF6549AADF6D5BA542.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF81E3241384E5378F.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF88E3172C15F4A6D8.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFAC43667DFBA84D08.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.7853557379270208
Encrypted:	false
SSDEEP:	48:p8Ph+uRc06WXJMFT5Rd9gz9mSvOd5YpRXd5YNd5YGd5YMd5YP6Ad5Y4o9ISB29l2:kh+1vFTQsm0WlfPuWqC0WlfIF/
MD5:	8DA482A5572BF4E410771AAAD260B3B8
SHA1:	43AE61E0AE19355004D10BBDBB9004BD5A2F6E2F
SHA-256:	317B2017FF3E57E0F18B3ABE52D7F754E5F42156EB0EFD94454B979105806E18
SHA-512:	A6C9A609C52D8D850D4EC1C61017E35DBC597FB8AE05C0DCE33943456A34F25D8039728934CB2E63E75A0B456473B98F484CD8A12A6EFD50FD41F4BA168198A5
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFC681714374F9FC20.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.414888628076449
Encrypted:	false
SSDEEP:	48:JlWuDO+CFXJBT55qid9gz9mSvOd5YpRXd5YNd5YGd5YMd5YP6Ad5Y4o9ISB29lOp:HWfZT3osm0WlfPuWqC0WlfIF/
MD5:	AFC19C2D1371EC50FDBA9785DD83D8E3
SHA1:	2C86D166FE40625D68DAA3BBE99BC5AD249C64B6
SHA-256:	A045AF27F07921AAAF31227EE26040E7B1576DB6F5CD5A59873B44FE0643BE2F
SHA-512:	475A0F9394380EBD149B2F2E26745E3DB0582E885D6C5B1F16629ABD2BEFCCE295285F36C462ED5F76B9F68949492AC3544DE17CD6096755F447C20FEE807735
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFDA8B0FE1B39C2BDE.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.7853557379270208
Encrypted:	false
SSDEEP:	48:p8Ph+uRc06WXJMFT5Rd9gz9mSvOd5YpRXd5YNd5YGd5YMd5YP6Ad5Y4o9ISB29l2:kh+1vFTQsm0WlfPuWqC0WlfIF/
MD5:	8DA482A5572BF4E410771AAAD260B3B8
SHA1:	43AE61E0AE19355004D10BBDBB9004BD5A2F6E2F
SHA-256:	317B2017FF3E57E0F18B3ABE52D7F754E5F42156EB0EFD94454B979105806E18
SHA-512:	A6C9A609C52D8D850D4EC1C61017E35DBC597FB8AE05C0DCE33943456A34F25D8039728934CB2E63E75A0B456473B98F484CD8A12A6EFD50FD41F4BA168198A5
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.9367051756500695
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	0438.pdf.exe
File size:	11'654'747 bytes
MD5:	2d11dba46735af1cb1c0a42e9564e20d
SHA1:	b2e17960c6d080f7aba7df87f57c08b4bc2e7051
SHA256:	e19477a56b247e6cc435fee367abcf6e0c3db21de91ae2514b4a6b1807233c53
SHA512:	f053c18333c256c87492e7e74832f2ba695c1633cc80d59e4d426eda82d27d7402a22803e439bb2453f4fa12f00697de355edd61c300b7624c66723d7e54dad0
SSDEEP:	196608:tqwvI8YbsGBCEfbi57P6mCRTMFCxZ9zzvHLbax3QS+hbEPjwDhZzczDlUxMUd:ZIRwGjfbi5DCRoOPzzvfaEAPgOHm5d
TLSH:	42C6331BFF5D04EAF1AF99F899415022D7B57CC51720868F23B43E4AED736A1AA35302
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$.2.`.\.`.\.`.\..y..h.\..y....\..y..m.\.....b.\...X.r.\..._.j.\...Y.Y.\.i...i.\.i...b.\.i...g.\.`.].C.\...Y.R.\...\.a.\.....a.\

File Icon


Icon Hash:	3570b080889388e1

Static PE Info

General

Entrypoint:	0x140032ee0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x66409723 [Sun May 12 10:17:07 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	b1c5b1beabd90d9fdabd1df0779ea832

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F4CFCF0F498h
dec eax
add esp, 28h
jmp 00007F4CFCF0EE2Fh
int3
int3
dec eax
mov eax, esp
dec eax
mov dword ptr [eax+08h], ebx
dec eax
mov dword ptr [eax+10h], ebp
dec eax
mov dword ptr [eax+18h], esi
dec eax
mov dword ptr [eax+20h], edi
inc ecx
push esi
dec eax
sub esp, 20h
dec ebp
mov edx, dword ptr [ecx+38h]
dec eax
mov esi, edx
dec ebp
mov esi, eax
dec eax
mov ebp, ecx
dec ecx
mov edx, ecx
dec eax
mov ecx, esi
dec ecx
mov edi, ecx
inc ecx
mov ebx, dword ptr [edx]
dec eax
shl ebx, 04h
dec ecx
add ebx, edx
dec esp
lea eax, dword ptr [ebx+04h]
call 00007F4CFCF0E2B3h
mov eax, dword ptr [ebp+04h]
and al, 66h
neg al
mov eax, 00000001h
sbb edx, edx
neg edx
add edx, eax
test dword ptr [ebx+04h], edx
je 00007F4CFCF0EFC3h
dec esp
mov ecx, edi
dec ebp
mov eax, esi
dec eax
mov edx, esi
dec eax
mov ecx, ebp
call 00007F4CFCF10FD7h
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov ebp, dword ptr [esp+38h]
dec eax
mov esi, dword ptr [esp+40h]
dec eax
mov edi, dword ptr [esp+48h]
dec eax
add esp, 20h
inc ecx
pop esi
ret
int3
int3
int3
dec eax
sub esp, 48h
dec eax
lea ecx, dword ptr [esp+20h]
call 00007F4CFCEFD843h
dec eax
lea edx, dword ptr [00025747h]
dec eax
lea ecx, dword ptr [esp+20h]
call 00007F4CFCF10092h
int3
jmp 00007F4CFCF16274h
int3
int3
int3
int3
int3
int3

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x597a0	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x597d4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x70000	0x5f334	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x6a000	0x306c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd0000	0x970	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x536c0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x53780	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x4b3f0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x48000	0x508	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x588bc	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4676e	0x46800	f06bb06e02377ae8b223122e53be35c2	False	0.5372340425531915	data	6.47079645411382	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x48000	0x128c4	0x12a00	2de06d4a6920a6911e64ff20000ea72f	False	0.4499003775167785	data	5.273999097784603	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x5b000	0xe75c	0x1a00	0dbdb901a7d477980097e42e511a94fb	False	0.28275240384615385	data	3.2571023907881185	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x6a000	0x306c	0x3200	b0ce0f057741ad2a4ef4717079fa34e9	False	0.483359375	data	5.501810413666288	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat	0x6e000	0x360	0x400	1fcc7b1d7a02443319f8fcc2be4ca936	False	0.2578125	data	3.0459938492946015	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
_RDATA	0x6f000	0x15c	0x200	3f331ec50f09ba861beaf955b33712d5	False	0.408203125	data	3.3356393424384843	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x70000	0x5f334	0x5f400	ac83509a9abddcfebcee4527be350f1a	False	0.06483503526902887	data	2.1781366278912278	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd0000	0x970	0xa00	77a9ddfc47a5650d6eebbcc823e39532	False	0.52421875	data	5.336289720085303	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x70644	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States	1.0027729636048528
PNG	0x7118c	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States	0.9363390441839495
RT_ICON	0x72738	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 262144, resolution 2835 x 2835 px/m			0.023615261709619195
RT_ICON	0xb4760	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m			0.3191489361702128
RT_ICON	0xb4bc8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m			0.11867219917012448
RT_ICON	0xb7170	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m			0.17284240150093808
RT_ICON	0xb8218	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m			0.04436294806577547
RT_ICON	0xc8a40	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m			0.08644307982994803
RT_DIALOG	0xccc68	0x286	data	English	United States	0.5092879256965944
RT_DIALOG	0xccef0	0x13a	data	English	United States	0.60828025477707
RT_DIALOG	0xcd02c	0xec	data	English	United States	0.6991525423728814
RT_DIALOG	0xcd118	0x12e	data	English	United States	0.5927152317880795
RT_DIALOG	0xcd248	0x338	data	English	United States	0.45145631067961167
RT_DIALOG	0xcd580	0x252	data	English	United States	0.5757575757575758
RT_STRING	0xcd7d4	0x1e2	data	English	United States	0.3900414937759336
RT_STRING	0xcd9b8	0x1cc	data	English	United States	0.4282608695652174
RT_STRING	0xcdb84	0x1b8	data	English	United States	0.45681818181818185
RT_STRING	0xcdd3c	0x146	data	English	United States	0.5153374233128835
RT_STRING	0xcde84	0x46c	data	English	United States	0.3454063604240283
RT_STRING	0xce2f0	0x166	data	English	United States	0.49162011173184356
RT_STRING	0xce458	0x152	data	English	United States	0.5059171597633136
RT_STRING	0xce5ac	0x10a	data	English	United States	0.49624060150375937
RT_STRING	0xce6b8	0xbc	data	English	United States	0.6329787234042553
RT_STRING	0xce774	0x1c0	data	English	United States	0.5178571428571429
RT_STRING	0xce934	0x250	data	English	United States	0.44256756756756754
RT_GROUP_ICON	0xceb84	0x5a	data			0.7555555555555555
RT_MANIFEST	0xcebe0	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.39786666666666665

Imports

DLL	Import
KERNEL32.dll	LocalFree, GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, GetCurrentProcessId, CreateDirectoryW, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetModuleFileNameW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExpandEnvironmentStringsW, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, GlobalMemoryStatusEx, LoadResource, SizeofResource, GetTimeFormatW, GetDateFormatW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindNextFileA, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, InitializeCriticalSectionAndSpinCount, WaitForSingleObjectEx, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlPcToFileHeader, RtlUnwindEx, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, GetStringTypeW, HeapReAlloc, LCMapStringW, FindFirstFileExA
OLEAUT32.dll	SysAllocString, SysFreeString, VariantClear
gdiplus.dll	GdipCloneImage, GdipFree, GdipDisposeImage, GdipCreateBitmapFromStream, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipAlloc

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 28, 2024 13:04:17.094243050 CET	52490	5651	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:17.099571943 CET	5651	52490	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:17.099783897 CET	52490	5651	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:17.121762991 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:17.126396894 CET	52492	80	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:17.127157927 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:17.127268076 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:17.132590055 CET	80	52492	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:17.132666111 CET	52492	80	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:17.141359091 CET	52493	465	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:17.146862984 CET	465	52493	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:17.147038937 CET	52493	465	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:17.156697035 CET	52494	80	192.168.2.4	65.21.245.7
Oct 28, 2024 13:04:17.162014008 CET	80	52494	65.21.245.7	192.168.2.4
Oct 28, 2024 13:04:17.162094116 CET	52494	80	192.168.2.4	65.21.245.7
Oct 28, 2024 13:04:17.173619986 CET	52495	5555	192.168.2.4	65.21.245.7
Oct 28, 2024 13:04:17.179038048 CET	5555	52495	65.21.245.7	192.168.2.4
Oct 28, 2024 13:04:17.179107904 CET	52495	5555	192.168.2.4	65.21.245.7
Oct 28, 2024 13:04:17.232009888 CET	52490	5651	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:17.232009888 CET	52490	5651	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:17.238190889 CET	5651	52490	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:17.238390923 CET	5651	52490	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:17.247670889 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:17.247781038 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:17.253376961 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:17.253447056 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:17.263282061 CET	52492	80	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:17.263315916 CET	52492	80	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:17.268676043 CET	80	52492	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:17.268774986 CET	80	52492	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:17.279118061 CET	52493	465	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:17.279213905 CET	52493	465	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:17.284622908 CET	465	52493	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:17.284642935 CET	465	52493	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:17.294516087 CET	52494	80	192.168.2.4	65.21.245.7
Oct 28, 2024 13:04:17.294543982 CET	52494	80	192.168.2.4	65.21.245.7
Oct 28, 2024 13:04:17.299983025 CET	80	52494	65.21.245.7	192.168.2.4
Oct 28, 2024 13:04:17.300216913 CET	80	52494	65.21.245.7	192.168.2.4
Oct 28, 2024 13:04:17.310162067 CET	52495	5555	192.168.2.4	65.21.245.7
Oct 28, 2024 13:04:17.310179949 CET	52495	5555	192.168.2.4	65.21.245.7
Oct 28, 2024 13:04:17.315587044 CET	5555	52495	65.21.245.7	192.168.2.4
Oct 28, 2024 13:04:17.315721989 CET	5555	52495	65.21.245.7	192.168.2.4
Oct 28, 2024 13:04:17.800757885 CET	5651	52490	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:17.800837040 CET	52490	5651	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:17.801829100 CET	52490	5651	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:17.807563066 CET	5651	52490	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:17.857990026 CET	80	52492	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:17.858130932 CET	52492	80	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:17.858131886 CET	52492	80	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:17.863895893 CET	80	52492	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:18.074270010 CET	80	52494	65.21.245.7	192.168.2.4
Oct 28, 2024 13:04:18.074690104 CET	52494	80	192.168.2.4	65.21.245.7
Oct 28, 2024 13:04:18.074771881 CET	52494	80	192.168.2.4	65.21.245.7
Oct 28, 2024 13:04:18.074771881 CET	52494	80	192.168.2.4	65.21.245.7
Oct 28, 2024 13:04:18.074771881 CET	52494	80	192.168.2.4	65.21.245.7
Oct 28, 2024 13:04:18.074771881 CET	52494	80	192.168.2.4	65.21.245.7
Oct 28, 2024 13:04:18.080353975 CET	80	52494	65.21.245.7	192.168.2.4
Oct 28, 2024 13:04:18.080374956 CET	80	52494	65.21.245.7	192.168.2.4
Oct 28, 2024 13:04:18.080483913 CET	80	52494	65.21.245.7	192.168.2.4
Oct 28, 2024 13:04:18.081166983 CET	80	52494	65.21.245.7	192.168.2.4
Oct 28, 2024 13:04:18.083861113 CET	80	52494	65.21.245.7	192.168.2.4
Oct 28, 2024 13:04:18.084253073 CET	52494	80	192.168.2.4	65.21.245.7
Oct 28, 2024 13:04:18.163978100 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:18.164288044 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:18.164335012 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:18.164335012 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:18.164567947 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:18.169907093 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:18.169918060 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:18.169926882 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:18.169935942 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:18.620912075 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:18.669434071 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:19.622366905 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:19.669378996 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:20.636821985 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:20.684994936 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:21.652997017 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:21.700647116 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:23.014738083 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:23.060051918 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:23.667984009 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:23.716243029 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:24.671868086 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:24.716259956 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:25.626379967 CET	465	52493	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:25.626445055 CET	52493	465	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:25.626617908 CET	52493	465	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:25.632119894 CET	465	52493	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:25.665520906 CET	5555	52495	65.21.245.7	192.168.2.4
Oct 28, 2024 13:04:25.665620089 CET	52495	5555	192.168.2.4	65.21.245.7
Oct 28, 2024 13:04:25.666460037 CET	52495	5555	192.168.2.4	65.21.245.7
Oct 28, 2024 13:04:25.671791077 CET	5555	52495	65.21.245.7	192.168.2.4
Oct 28, 2024 13:04:26.115490913 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:26.169379950 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:26.700434923 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:26.747513056 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:27.713608027 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:27.763132095 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:28.726632118 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:28.778750896 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:29.737915993 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:29.778762102 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:30.751249075 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:30.794401884 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:31.761497974 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:31.888204098 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:32.132455111 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:32.132498980 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:32.777002096 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:32.888200045 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:33.789060116 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:33.888144970 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:34.800589085 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:34.982599020 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:35.988493919 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:36.091259003 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:36.824269056 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:36.888144970 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:39.131823063 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:39.134901047 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:39.134999990 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:39.135536909 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:39.135600090 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:39.135818958 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:39.136039972 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:39.145056009 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:39.145243883 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:39.846585989 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:39.888170004 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:40.910686970 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:40.911442041 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:40.911499977 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:40.981904030 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:41.867408037 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:42.091747999 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:42.881026983 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:43.091294050 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:44.521070957 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:44.521738052 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:44.521811008 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:44.910048962 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:45.091279984 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:45.917553902 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:46.091342926 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:46.937484026 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:47.091360092 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:47.928744078 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:48.091306925 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:48.934154034 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:49.091290951 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:49.948904037 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:50.091289997 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:50.964219093 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:51.091304064 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:51.965250015 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:52.091355085 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:52.964787006 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:53.091291904 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:53.981590986 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:54.028798103 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:54.996093988 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:55.044446945 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:56.007777929 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:56.060065985 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:57.007819891 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:57.060065985 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:58.008553982 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:58.060082912 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:04:59.018881083 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:04:59.060096025 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:00.028269053 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:00.075741053 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:01.043256044 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:01.091336966 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:02.047158957 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:02.091332912 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:03.068152905 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:03.122570992 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:04.078856945 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:04.122589111 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:05.075536966 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:05.122560024 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:06.089363098 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:06.138370037 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:08.112263918 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:08.117508888 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:08.117567062 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:08.118221045 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:08.118263960 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:08.122847080 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:08.122908115 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:09.119069099 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:09.169467926 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:10.126230001 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:10.175537109 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:11.136408091 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:11.187357903 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:12.137862921 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:12.185094118 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:13.153532028 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:13.200738907 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:14.167984009 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:14.216341972 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:15.182928085 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:15.231964111 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:16.194802046 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:16.249376059 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:17.094410896 CET	52645	5651	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:17.099863052 CET	5651	52645	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:17.099945068 CET	52645	5651	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:17.110012054 CET	52646	80	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:17.115428925 CET	80	52646	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:17.115503073 CET	52646	80	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:17.125236988 CET	52647	465	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:17.130662918 CET	465	52647	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:17.130728006 CET	52647	465	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:17.140645981 CET	52648	80	192.168.2.4	65.21.245.7
Oct 28, 2024 13:05:17.146112919 CET	80	52648	65.21.245.7	192.168.2.4
Oct 28, 2024 13:05:17.146190882 CET	52648	80	192.168.2.4	65.21.245.7
Oct 28, 2024 13:05:17.156493902 CET	52649	5555	192.168.2.4	65.21.245.7
Oct 28, 2024 13:05:17.161851883 CET	5555	52649	65.21.245.7	192.168.2.4
Oct 28, 2024 13:05:17.161953926 CET	52649	5555	192.168.2.4	65.21.245.7
Oct 28, 2024 13:05:17.209681034 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:17.232247114 CET	52645	5651	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:17.232314110 CET	52645	5651	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:17.237662077 CET	5651	52645	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:17.237694025 CET	5651	52645	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:17.247739077 CET	52646	80	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:17.247773886 CET	52646	80	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:17.253102064 CET	80	52646	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:17.253113985 CET	80	52646	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:17.263207912 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:17.263371944 CET	52647	465	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:17.263401985 CET	52647	465	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:17.268642902 CET	465	52647	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:17.268657923 CET	465	52647	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:17.279067039 CET	52648	80	192.168.2.4	65.21.245.7
Oct 28, 2024 13:05:17.279067039 CET	52648	80	192.168.2.4	65.21.245.7
Oct 28, 2024 13:05:17.284459114 CET	80	52648	65.21.245.7	192.168.2.4
Oct 28, 2024 13:05:17.284470081 CET	80	52648	65.21.245.7	192.168.2.4
Oct 28, 2024 13:05:17.294627905 CET	52649	5555	192.168.2.4	65.21.245.7
Oct 28, 2024 13:05:17.294627905 CET	52649	5555	192.168.2.4	65.21.245.7
Oct 28, 2024 13:05:17.299997091 CET	5555	52649	65.21.245.7	192.168.2.4
Oct 28, 2024 13:05:17.300015926 CET	5555	52649	65.21.245.7	192.168.2.4
Oct 28, 2024 13:05:17.792422056 CET	5651	52645	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:17.792567968 CET	52645	5651	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:17.792650938 CET	52645	5651	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:17.797919989 CET	5651	52645	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:17.801698923 CET	80	52646	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:17.801775932 CET	52646	80	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:17.801878929 CET	52646	80	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:17.807305098 CET	80	52646	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:18.026871920 CET	80	52648	65.21.245.7	192.168.2.4
Oct 28, 2024 13:05:18.027048111 CET	52648	80	192.168.2.4	65.21.245.7
Oct 28, 2024 13:05:18.027048111 CET	52648	80	192.168.2.4	65.21.245.7
Oct 28, 2024 13:05:18.027092934 CET	52648	80	192.168.2.4	65.21.245.7
Oct 28, 2024 13:05:18.027092934 CET	52648	80	192.168.2.4	65.21.245.7
Oct 28, 2024 13:05:18.027208090 CET	52648	80	192.168.2.4	65.21.245.7
Oct 28, 2024 13:05:18.034317970 CET	80	52648	65.21.245.7	192.168.2.4
Oct 28, 2024 13:05:18.034329891 CET	80	52648	65.21.245.7	192.168.2.4
Oct 28, 2024 13:05:18.034338951 CET	80	52648	65.21.245.7	192.168.2.4
Oct 28, 2024 13:05:18.035114050 CET	80	52648	65.21.245.7	192.168.2.4
Oct 28, 2024 13:05:18.035124063 CET	80	52648	65.21.245.7	192.168.2.4
Oct 28, 2024 13:05:18.035238028 CET	52648	80	192.168.2.4	65.21.245.7
Oct 28, 2024 13:05:18.219513893 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:18.263242006 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:19.230125904 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:19.278841972 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:20.236087084 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:20.278871059 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:21.245778084 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:21.294477940 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:22.258245945 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:22.310151100 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:23.267693043 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:23.310281038 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:24.278536081 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:24.327219009 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:25.288850069 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:25.341475964 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:25.611968040 CET	465	52647	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:25.612023115 CET	52647	465	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:25.612093925 CET	52647	465	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:25.617965937 CET	465	52647	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:25.669095039 CET	5555	52649	65.21.245.7	192.168.2.4
Oct 28, 2024 13:05:25.669315100 CET	52649	5555	192.168.2.4	65.21.245.7
Oct 28, 2024 13:05:25.669315100 CET	52649	5555	192.168.2.4	65.21.245.7
Oct 28, 2024 13:05:25.674700975 CET	5555	52649	65.21.245.7	192.168.2.4
Oct 28, 2024 13:05:26.292628050 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:26.341353893 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:27.300339937 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:27.341368914 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:28.300540924 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:28.341371059 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:29.316926956 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:29.356988907 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:30.629554987 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:30.685121059 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:31.339144945 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:31.388252974 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:32.350308895 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:32.403881073 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:33.349472046 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:33.403882027 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:34.350080013 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:34.403909922 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:35.351964951 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:35.403884888 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:36.362292051 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:36.404299021 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:37.431360006 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:37.431405067 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:37.431411982 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:37.431437016 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:37.433137894 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:37.482006073 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:38.377535105 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:38.419509888 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:39.389265060 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:39.435158968 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:40.401874065 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:40.450759888 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:41.417315960 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:41.466382027 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:42.421360016 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:42.466403961 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:43.545223951 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:43.591397047 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:44.436609983 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:44.482068062 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:45.449007034 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:45.497656107 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:46.463957071 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:46.513309002 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:47.483206034 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:47.528914928 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:48.486948013 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:48.528911114 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:49.498542070 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:49.544531107 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:50.511214972 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:50.560138941 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:51.524977922 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:51.575908899 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:52.587162018 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:52.638287067 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:53.855253935 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:53.903915882 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:54.556355953 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:54.607037067 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:55.567001104 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:55.607028961 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:56.581702948 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:56.622675896 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:57.595287085 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:57.638308048 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:58.596250057 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:58.638326883 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:05:59.608089924 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:05:59.653985977 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:06:00.922553062 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:06:00.966684103 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:06:01.621368885 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:06:01.669590950 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:06:02.621046066 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:06:02.669768095 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:06:03.625032902 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:06:03.669548988 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:06:04.637660027 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:06:04.700795889 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:06:05.653567076 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:06:05.700809002 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:06:06.667471886 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:06:06.716419935 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:06:07.682764053 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:06:07.732042074 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:06:08.685148001 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:06:08.732054949 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:06:09.701498985 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:06:09.747694969 CET	52491	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:06:10.714524984 CET	8080	52491	111.90.140.76	192.168.2.4
Oct 28, 2024 13:06:10.763434887 CET	52491	8080	192.168.2.4	111.90.140.76

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 28, 2024 13:03:17.380655050 CET	63843	53	192.168.2.4	1.1.1.1
Oct 28, 2024 13:03:46.461036921 CET	53	61300	162.159.36.2	192.168.2.4
Oct 28, 2024 13:03:47.108872890 CET	53	56796	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 28, 2024 13:03:17.380655050 CET	192.168.2.4	1.1.1.1	0x1c85	Standard query (0)	x1.i.lencr.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 28, 2024 13:03:17.388823032 CET	1.1.1.1	192.168.2.4	0x1c85	No error (0)	x1.i.lencr.org	crl.root-x1.letsencrypt.org.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	52492	111.90.140.76	80	4488	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 13:04:17.263282061 CET	6	OUT	Data Raw: 00 00 00 01 Data Ascii:
Oct 28, 2024 13:04:17.263315916 CET	6	OUT	Data Raw: 00 00 00 03 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	52494	65.21.245.7	80	4488	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 13:04:17.294516087 CET	6	OUT	Data Raw: 00 00 00 01 Data Ascii:
Oct 28, 2024 13:04:17.294543982 CET	6	OUT	Data Raw: 00 00 00 03 Data Ascii:
Oct 28, 2024 13:04:18.074270010 CET	505	IN	HTTP/1.1 400 Bad Request Content-Type: text/html; charset=us-ascii Server: Microsoft-HTTPAPI/2.0 Date: Mon, 28 Oct 2024 12:04:17 GMT Connection: close Content-Length: 326 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 42 61 64 20 52 65 71 75 65 73 74 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 42 61 64 20 52 65 71 75 65 73 74 20 2d 20 49 6e 76 61 6c 69 64 20 56 65 72 62 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 30 2e 20 54 68 65 20 72 65 71 75 65 73 74 20 76 65 72 62 20 69 73 20 69 6e 76 61 6c 69 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Bad Request</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Bad Request - Invalid Verb</h2><hr><p>HTTP Error 400. The request verb is invalid.</p></BODY></HTML>
Oct 28, 2024 13:04:18.074690104 CET	6	OUT	Data Raw: 00 00 10 18 Data Ascii:
Oct 28, 2024 13:04:18.074771881 CET	6	OUT	Data Raw: 00 00 00 01 Data Ascii:
Oct 28, 2024 13:04:18.074771881 CET	6	OUT	Data Raw: 2d 2d 0d 0a Data Ascii: --
Oct 28, 2024 13:04:18.074771881 CET	6	OUT	Data Raw: 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	52646	111.90.140.76	80	4488	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 13:05:17.247739077 CET	6	OUT	Data Raw: 00 00 00 01 Data Ascii:
Oct 28, 2024 13:05:17.247773886 CET	6	OUT	Data Raw: 00 00 00 03 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	52648	65.21.245.7	80	4488	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 13:05:17.279067039 CET	6	OUT	Data Raw: 00 00 00 01 Data Ascii:
Oct 28, 2024 13:05:17.279067039 CET	6	OUT	Data Raw: 00 00 00 03 Data Ascii:
Oct 28, 2024 13:05:18.026871920 CET	505	IN	HTTP/1.1 400 Bad Request Content-Type: text/html; charset=us-ascii Server: Microsoft-HTTPAPI/2.0 Date: Mon, 28 Oct 2024 12:05:17 GMT Connection: close Content-Length: 326 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 42 61 64 20 52 65 71 75 65 73 74 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 42 61 64 20 52 65 71 75 65 73 74 20 2d 20 49 6e 76 61 6c 69 64 20 56 65 72 62 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 30 2e 20 54 68 65 20 72 65 71 75 65 73 74 20 76 65 72 62 20 69 73 20 69 6e 76 61 6c 69 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Bad Request</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Bad Request - Invalid Verb</h2><hr><p>HTTP Error 400. The request verb is invalid.</p></BODY></HTML>
Oct 28, 2024 13:05:18.027048111 CET	6	OUT	Data Raw: 00 00 10 18 Data Ascii:
Oct 28, 2024 13:05:18.027048111 CET	6	OUT	Data Raw: 00 00 00 01 Data Ascii:
Oct 28, 2024 13:05:18.027092934 CET	6	OUT	Data Raw: 2d 2d 0d 0a Data Ascii: --
Oct 28, 2024 13:05:18.027092934 CET	6	OUT	Data Raw: 00 00 00 00 Data Ascii:

Target ID:	0
Start time:	08:03:00
Start date:	28/10/2024
Path:	C:\Users\user\Desktop\0438.pdf.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\0438.pdf.exe"
Imagebase:	0x7ff665fd0000
File size:	11'654'747 bytes
MD5 hash:	2D11DBA46735AF1CB1C0A42E9564E20D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	08:03:01
Start date:	28/10/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\pdf.msi" /qn
Imagebase:	0x7ff7583f0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:03:02
Start date:	28/10/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\Doc.pdf"
Imagebase:	0x7ff6bc1b0000
File size:	5'641'176 bytes
MD5 hash:	24EAD1C46A47022347DC0F05F6EFBB8C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	08:03:02
Start date:	28/10/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff7583f0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	08:03:03
Start date:	28/10/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Imagebase:	0x7ff74bb60000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	08:03:04
Start date:	28/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	08:03:04
Start date:	28/10/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2228 --field-trial-handle=1508,i,11782010648643187908,10597558926359828636,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Imagebase:	0x7ff74bb60000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	08:03:10
Start date:	28/10/2024
Path:	C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /siex /silentinstall
Imagebase:	0x800000
File size:	6'307'408 bytes
MD5 hash:	63D0964168B927D00064AA684E79A300
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000008.00000000.1814024336.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe, Author: Joe Security
Antivirus matches:	Detection: 3%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	08:03:10
Start date:	28/10/2024
Path:	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /siex /silentinstall
Imagebase:	0x400000
File size:	7'753'808 bytes
MD5 hash:	F3D74B072B9697CF64B0B8445FDC8128
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000009.00000000.1822596622.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe, Author: Joe Security
Antivirus matches:	Detection: 3%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	08:03:12
Start date:	28/10/2024
Path:	C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /firewall
Imagebase:	0x400000
File size:	6'307'408 bytes
MD5 hash:	63D0964168B927D00064AA684E79A300
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	08:03:12
Start date:	28/10/2024
Path:	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /firewall
Imagebase:	0x400000
File size:	7'753'808 bytes
MD5 hash:	F3D74B072B9697CF64B0B8445FDC8128
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	08:03:13
Start date:	28/10/2024
Path:	C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /start
Imagebase:	0x400000
File size:	6'307'408 bytes
MD5 hash:	63D0964168B927D00064AA684E79A300
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	08:03:14
Start date:	28/10/2024
Path:	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /start
Imagebase:	0x400000
File size:	7'753'808 bytes
MD5 hash:	F3D74B072B9697CF64B0B8445FDC8128
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	08:03:14
Start date:	28/10/2024
Path:	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe"
Imagebase:	0x400000
File size:	7'753'808 bytes
MD5 hash:	F3D74B072B9697CF64B0B8445FDC8128
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	08:03:17
Start date:	28/10/2024
Path:	C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe"
Imagebase:	0x400000
File size:	6'307'408 bytes
MD5 hash:	63D0964168B927D00064AA684E79A300
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	08:03:17
Start date:	28/10/2024
Path:	C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray
Imagebase:	0x400000
File size:	6'307'408 bytes
MD5 hash:	63D0964168B927D00064AA684E79A300
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	11.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	27.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	26

Executed Functions

Function 00007FF665FFB190 Relevance: 123.9, APIs: 60, Strings: 10, Instructions: 1421windowfilesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF665FD255C: GetDlgItem.USER32 ref: 00007FF665FD25AC
Part of subcall function 00007FF665FD255C: SetWindowTextW.USER32 ref: 00007FF665FD25C8

EndDialog.USER32 ref: 00007FF665FFB2D0
SetDlgItemTextW.USER32 ref: 00007FF665FFB320
GetMessageW.USER32 ref: 00007FF665FFB350
IsDialogMessageW.USER32 ref: 00007FF665FFB369
TranslateMessage.USER32 ref: 00007FF665FFB37B
DispatchMessageW.USER32 ref: 00007FF665FFB389
EndDialog.USER32 ref: 00007FF665FFB3D3
GetDlgItem.USER32 ref: 00007FF665FFB410
SendMessageW.USER32 ref: 00007FF665FFB431
SendMessageW.USER32 ref: 00007FF665FFB449
SetFocus.USER32 ref: 00007FF665FFB452
GetLastError.KERNEL32 ref: 00007FF665FFB634
GetLastError.KERNEL32 ref: 00007FF665FFB665
GetTickCount.KERNEL32 ref: 00007FF665FFB68B
GetLastError.KERNEL32 ref: 00007FF665FFB6F5
GetCommandLineW.KERNEL32 ref: 00007FF665FFB841
CreateFileMappingW.KERNEL32 ref: 00007FF665FFB900
MapViewOfFile.KERNEL32 ref: 00007FF665FFB923
Sleep.KERNEL32 ref: 00007FF665FFB9B6
UnmapViewOfFile.KERNEL32 ref: 00007FF665FFB9DF
CloseHandle.KERNEL32 ref: 00007FF665FFB9E8
SetDlgItemTextW.USER32 ref: 00007FF665FFBCDE
DialogBoxParamW.USER32 ref: 00007FF665FFC0D7
EndDialog.USER32 ref: 00007FF665FFC0EF
EnableWindow.USER32 ref: 00007FF665FFC2A6
SendMessageW.USER32 ref: 00007FF665FFC2F8
ShellExecuteExW.SHELL32 ref: 00007FF665FFB95B

Part of subcall function 00007FF665FEAAE0: LoadStringW.USER32 ref: 00007FF665FEAB67
Part of subcall function 00007FF665FEAAE0: LoadStringW.USER32 ref: 00007FF665FEAB80

SendMessageW.USER32 ref: 00007FF665FFBEC3
SendDlgItemMessageW.USER32 ref: 00007FF665FFBEEA
GetDlgItem.USER32 ref: 00007FF665FFBEF8
SendMessageW.USER32 ref: 00007FF665FFBF12
GetDlgItem.USER32 ref: 00007FF665FFBF4F
SetDlgItemTextW.USER32 ref: 00007FF665FFBFEC
SetDlgItemTextW.USER32 ref: 00007FF665FFC004
SetDlgItemTextW.USER32 ref: 00007FF665FFC321
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FFC363
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FFC369
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FFC36F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FFC375
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FFC37B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FFC381
SendDlgItemMessageW.USER32 ref: 00007FF665FFC449
EndDialog.USER32 ref: 00007FF665FFC463
GetDlgItem.USER32 ref: 00007FF665FFC491
SetFocus.USER32 ref: 00007FF665FFC49A
SendDlgItemMessageW.USER32 ref: 00007FF665FFC53E
FindFirstFileW.KERNEL32 ref: 00007FF665FFC562
FindClose.KERNEL32 ref: 00007FF665FFC68A
SendDlgItemMessageW.USER32 ref: 00007FF665FFC7AF

Part of subcall function 00007FF665FD129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF665FD1396

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FFCAA9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FFCAAF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FFCAB5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FFCABB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FFCAC1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FFCAC7

Strings

p, xrefs: 00007FF665FFB7AB
winrarsfxmappingfile.tmp, xrefs: 00007FF665FFB8E0
STARTDLG, xrefs: 00007FF665FFB1CA
-el -s2 "-d%s" "-sp%s", xrefs: 00007FF665FFB799
REPLACEFILEDLG, xrefs: 00007FF665FFC3D3
__tmp_rar_sfx_access_check_, xrefs: 00007FF665FFB6A9
%s %s, xrefs: 00007FF665FFC6D9, 00007FF665FFC946
runas, xrefs: 00007FF665FFB7C9
@, xrefs: 00007FF665FFB7B6
LICENSEDLG, xrefs: 00007FF665FFC0C9

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: Item$Message$_invalid_parameter_noinfo_noreturn$Send$DialogText$File$ErrorLast$CloseFindFocusLoadStringViewWindow$CommandConcurrency::cancel_current_taskCountCreateDispatchEnableExecuteFirstHandleLineMappingParamShellSleepTickTranslateUnmap
String ID: %s %s$-el -s2 "-d%s" "-sp%s"$@$LICENSEDLG$REPLACEFILEDLG$STARTDLG$__tmp_rar_sfx_access_check_$p$runas$winrarsfxmappingfile.tmp
API String ID: 255727823-2702805183
Opcode ID: 9c70f0b35f8b818cf05a540bf998b1b6e6830b68d527d89ebab9bbb3188c6e28
Instruction ID: 1b8bf787a1dc84333f1ff268012f7b7e036a20504eef4decc27b29c3be7d3406
Opcode Fuzzy Hash: 9c70f0b35f8b818cf05a540bf998b1b6e6830b68d527d89ebab9bbb3188c6e28
Instruction Fuzzy Hash: 77D2C122A0C683C1EA20DB65E9566F96371EFC5B80F404635DA4D9FAA6DF3DED44CB00

Function 00007FF665FFCE88 Relevance: 65.0, APIs: 26, Strings: 10, Instructions: 1963windowfileCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00007FF665FFD5F3
SendMessageW.USER32 ref: 00007FF665FFD626
SendMessageW.USER32 ref: 00007FF665FFD655
MoveFileW.KERNEL32 ref: 00007FF665FFDB4B
MoveFileExW.KERNEL32 ref: 00007FF665FFDB69
GetTempPathW.KERNEL32 ref: 00007FF665FFDC49

Part of subcall function 00007FF665FD1FA0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FD1FFB

EndDialog.USER32 ref: 00007FF665FFDFCA
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF665FFEEE3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FFEEEF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FFEF07
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FFEF0D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FFEF13
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FFEF19
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FFEF1F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FFEF25
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FFEF2B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FFEF31
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FFEF37
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FFEF3D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FFEF43
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FFEF49
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FFEF4F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FFEF55
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FFEF5B
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF665FFEF67
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF665FFEF73

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00007FF665FFD501
.lnk, xrefs: 00007FF665FFE406, 00007FF665FFE415
.tmp, xrefs: 00007FF665FFDA85
HIDE, xrefs: 00007FF665FFE9E5, 00007FF665FFE9F4
MIN, xrefs: 00007FF665FFEAE5, 00007FF665FFEAF4
MAX, xrefs: 00007FF665FFEA82, 00007FF665FFEA91
lnk, xrefs: 00007FF665FFE3CA, 00007FF665FFE3D9
<br>, xrefs: 00007FF665FFD6DA, 00007FF665FFD6E9
@set:user, xrefs: 00007FF665FFDD96, 00007FF665FFDDA5
ProgramFilesDir, xrefs: 00007FF665FFD4F0

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task$FileMessageMoveSend$DialogItemPathTemp
String ID: .lnk$.tmp$<br>$@set:user$HIDE$MAX$MIN$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$lnk
API String ID: 3007431893-3916287355
Opcode ID: 1241cfa18febdcdc9a834181efa7dfde55121a1a2cf177372a305c9907fdf718
Instruction ID: 5500ee82588eec7d1074472a5e66e0db484b61a394af71d78c9f6a1dcf1cf544
Opcode Fuzzy Hash: 1241cfa18febdcdc9a834181efa7dfde55121a1a2cf177372a305c9907fdf718
Instruction Fuzzy Hash: 7C138F72A04B82D9EB10DF64D8412EC27B1EB84B98F501635DA5D9FEE9DF38E984C740

Function 00007FF666000754 Relevance: 45.9, APIs: 21, Strings: 5, Instructions: 380
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF665FEDFD0: GetModuleHandleW.KERNEL32(?,?,?,00000000,?), ref: 00007FF665FEE018
Part of subcall function 00007FF665FEDFD0: GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 00007FF665FEE030
Part of subcall function 00007FF665FEDFD0: GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 00007FF665FEE05D

Part of subcall function 00007FF665FE62DC: GetCurrentDirectoryW.KERNEL32 ref: 00007FF665FE62F2
Part of subcall function 00007FF665FE62DC: GetCurrentDirectoryW.KERNEL32 ref: 00007FF665FE632C

Part of subcall function 00007FF665FF946C: OleInitialize.OLE32 ref: 00007FF665FF9486
Part of subcall function 00007FF665FF946C: SHGetMalloc.SHELL32 ref: 00007FF665FF94D4

GetCommandLineW.KERNEL32 ref: 00007FF66600096E
OpenFileMappingW.KERNEL32 ref: 00007FF666000A07
MapViewOfFile.KERNEL32 ref: 00007FF666000A30
UnmapViewOfFile.KERNEL32 ref: 00007FF666000A46
MapViewOfFile.KERNEL32 ref: 00007FF666000A63
UnmapViewOfFile.KERNEL32 ref: 00007FF666000ACA
CloseHandle.KERNEL32 ref: 00007FF666000AD3
SetEnvironmentVariableW.KERNEL32 ref: 00007FF666000BAD
GetLocalTime.KERNEL32 ref: 00007FF666000BB8
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF666000C13
SetEnvironmentVariableW.KERNEL32 ref: 00007FF666000C26
GetModuleHandleW.KERNEL32 ref: 00007FF666000C2E
LoadIconW.USER32 ref: 00007FF666000C4D
DialogBoxParamW.USER32 ref: 00007FF666000CB6
Sleep.KERNEL32 ref: 00007FF666000CE6
DeleteObject.GDI32 ref: 00007FF666000D0D
DeleteObject.GDI32 ref: 00007FF666000D1F
CloseHandle.KERNEL32 ref: 00007FF666000D67
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF666000DD7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF666000DDD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF666000DE3

Part of subcall function 00007FF665FFFD0C: SetEnvironmentVariableW.KERNEL32 ref: 00007FF665FFFD43
Part of subcall function 00007FF665FFFD0C: SetEnvironmentVariableW.KERNEL32 ref: 00007FF665FFFDBC

Strings

sfxstime, xrefs: 00007FF666000C1F
winrarsfxmappingfile.tmp, xrefs: 00007FF6660009F9
STARTDLG, xrefs: 00007FF666000CA5
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 00007FF666000C02
sfxname, xrefs: 00007FF666000B9B

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: File$EnvironmentHandleVariableView$_invalid_parameter_noinfo_noreturn$AddressCloseCurrentDeleteDirectoryModuleObjectProcUnmap$CommandDialogIconInitializeLineLoadLocalMallocMappingOpenParamSleepTimeswprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 1048086575-3710569615
Opcode ID: c329a48066309f809b0ed759e5440bf592438963a56de83793cfb2c4d91a7b0a
Instruction ID: a43a11d19583b39918f86ec14be79f4a158a338bb1d65b6a1cfc9a284571a8db
Opcode Fuzzy Hash: c329a48066309f809b0ed759e5440bf592438963a56de83793cfb2c4d91a7b0a
Instruction Fuzzy Hash: 4A128F21A18B87D1EB109F24FA412B96371FF85784F404232DA9D9FAA5DF3EE540CB80

Function 00007FF665FEA4AC Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 250
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF665FEA504

Part of subcall function 00007FF665FF0F68: WideCharToMultiByte.KERNEL32 ref: 00007FF665FF0F99

SetDlgItemTextW.USER32 ref: 00007FF665FEA573
GetWindowRect.USER32 ref: 00007FF665FEA5AD
GetClientRect.USER32 ref: 00007FF665FEA5BB
GetWindowLongPtrW.USER32 ref: 00007FF665FEA66C
GetWindowRect.USER32 ref: 00007FF665FEA6B2
SetWindowTextW.USER32 ref: 00007FF665FEA6EC
GetSystemMetrics.USER32 ref: 00007FF665FEA6F7
GetWindow.USER32 ref: 00007FF665FEA708
GetWindowRect.USER32 ref: 00007FF665FEA746
GetWindow.USER32 ref: 00007FF665FEA808

Strings

CAPTION, xrefs: 00007FF665FEA6CF
$%s:, xrefs: 00007FF665FEA4EF

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWideswprintf
String ID: $%s:$CAPTION
API String ID: 2100155373-404845831
Opcode ID: 1224945cd41bf140f0dcf37f1b002595631e4f701a4b658f84a72e9da714e3d9
Instruction ID: c499bb459d3b9a63ab9d936c377f599795baeddb10ff98a93b2ef72fcb1a3161
Opcode Fuzzy Hash: 1224945cd41bf140f0dcf37f1b002595631e4f701a4b658f84a72e9da714e3d9
Instruction Fuzzy Hash: 5B91D532A18682C6E7148F29F50566AA7B1FB84B84F505535EE8D9BB58CF3DEC05CF00

Function 00007FF665FF8624 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 101
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32 ref: 00007FF665FF863D
SizeofResource.KERNEL32 ref: 00007FF665FF8659
LoadResource.KERNEL32 ref: 00007FF665FF8673
LockResource.KERNEL32 ref: 00007FF665FF8685
GlobalAlloc.KERNELBASE ref: 00007FF665FF86A6
GlobalLock.KERNEL32 ref: 00007FF665FF86BB
CreateStreamOnHGlobal.COMBASE ref: 00007FF665FF86E8
GdipAlloc.GDIPLUS ref: 00007FF665FF86FE
GdipCreateHBITMAPFromBitmap.GDIPLUS ref: 00007FF665FF8769
GlobalUnlock.KERNEL32 ref: 00007FF665FF878C
GlobalFree.KERNEL32 ref: 00007FF665FF8795

Strings

PNG, xrefs: 00007FF665FF862F

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
String ID: PNG
API String ID: 211097158-364855578
Opcode ID: c8606208415c3a11eb94d5df8c8f8595ea54109f2541637b646828bce78d4013
Instruction ID: 9802bb6e0ffa07f1b3c96991a4ca2421185a0c5c377b40154625d244253eb702
Opcode Fuzzy Hash: c8606208415c3a11eb94d5df8c8f8595ea54109f2541637b646828bce78d4013
Instruction Fuzzy Hash: 4E411B26A09A02C2EE059F56E954379A3B0AF88F94F144435CE0D9F7A4EF7DE948CB40

Function 00007FF665FDF930 Relevance: 17.2, APIs: 8, Strings: 1, Instructions: 1417COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FE1239
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FE123F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FE1245
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FE124B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FE1251
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FE1257
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FE125D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FE1263

Strings

__tmp_reference_source_, xrefs: 00007FF665FDFCCF, 00007FF665FDFCDE

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: __tmp_reference_source_
API String ID: 3668304517-685763994
Opcode ID: 6220495e4172753c66c17a82b14fc6020abb9ebc9c13382217fd03717c5bed06
Instruction ID: 21de03d9b0fc2a5d59e62f3a1470833b5fe369ba987271e5ebfe5fb82ca2aa13
Opcode Fuzzy Hash: 6220495e4172753c66c17a82b14fc6020abb9ebc9c13382217fd03717c5bed06
Instruction Fuzzy Hash: C8E2C862A086C2E2EA64CB65E5427FE7775FB81B40F404132DB9D9B6A5CF7CE854CB00

Function 00007FF665FD4840 Relevance: 12.1, APIs: 5, Strings: 1, Instructions: 1624COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FD511E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FD5124
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FD512A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FD5E16
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FD5E1C

Strings

CMT, xrefs: 00007FF665FD59B2

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: CMT
API String ID: 3668304517-2756464174
Opcode ID: 65a12c24cd07289b3c2060d3ae393729c05723a97e4fe5390825c697d67274c8
Instruction ID: 981c42f7c312dd30219fc5d694cb986e07276cd9200a95b05f2337354fb349f5
Opcode Fuzzy Hash: 65a12c24cd07289b3c2060d3ae393729c05723a97e4fe5390825c697d67274c8
Instruction Fuzzy Hash: 13E21F22B08682D6EB18DB74D5562FE63B1FB44B84F400236DA5E8B6D6DF7CE855CB00

Function 00007FF665FE40BC Relevance: 10.7, APIs: 7, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE ref: 00007FF665FE410B
FindFirstFileW.KERNELBASE ref: 00007FF665FE415E
GetLastError.KERNEL32 ref: 00007FF665FE41AF
FindNextFileW.KERNEL32 ref: 00007FF665FE41D7
GetLastError.KERNEL32 ref: 00007FF665FE41E5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FE430F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FE4315

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: FileFind$ErrorFirstLast_invalid_parameter_noinfo_noreturn$Next
String ID:
API String ID: 474548282-0
Opcode ID: 302a779ab95c7aaca0ba1f13af6e7309770b234b011da9b93882c2eb88fdf2be
Instruction ID: d4b5fcc6697878e61127b3cb7f95e432e44772594b88f3423965810767a6ad80
Opcode Fuzzy Hash: 302a779ab95c7aaca0ba1f13af6e7309770b234b011da9b93882c2eb88fdf2be
Instruction Fuzzy Hash: A761C462A08A86D1EE11DF64E84527D6371FB85BA4F104335EABD8BAD9DF3CD944CB00

Function 00007FF665FD5E24 Relevance: 7.6, APIs: 3, Strings: 1, Instructions: 586COMMON

Download Yara Rule

Strings

CMT, xrefs: 00007FF665FD59B2, 00007FF665FD675B

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID:
String ID: CMT
API String ID: 0-2756464174
Opcode ID: 97f672311c4cb3c89f7e9efd8cbd1396ba699c50a267e76ee520df64f812c89d
Instruction ID: d414301b3585f9ddd6a71c5474205cfaa18cbcde58e0ab0197d66ff6a6786725
Opcode Fuzzy Hash: 97f672311c4cb3c89f7e9efd8cbd1396ba699c50a267e76ee520df64f812c89d
Instruction Fuzzy Hash: 7C42D022B08682D6EB18DB74D1522FD77B1EB51B44F400236EB5E9B6D6DF38E919CB00

Function 00007FF665FF1F20 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a2ba48437b82e373fac81338819d40f47a0019a50d197aab006f7cc31990992
Instruction ID: 2dc95fa3cad7d0aa2165b7ff0da1c1b7e7a3e0cf3de67ba1cc168f65e1e74a31
Opcode Fuzzy Hash: 6a2ba48437b82e373fac81338819d40f47a0019a50d197aab006f7cc31990992
Instruction Fuzzy Hash: 64E1C762A08282C7EB74CF29E54A27D77A1FB84B48F054135DB8D8BB85DE3CE945CB04

Function 00007FF665FF3484 Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 342467450e98b7b75b466d1eafea627c07b1293b3fd099ee508e1bce11d9ebd7
Instruction ID: 3b31ce672420a87a0c892243c6656acbab15fc9092cffa429892ca3b717da8ee
Opcode Fuzzy Hash: 342467450e98b7b75b466d1eafea627c07b1293b3fd099ee508e1bce11d9ebd7
Instruction Fuzzy Hash: 88B1E2A3B097C992DE58DA66D509AE973A1B784FC4F448032DE0D4BB84DF3CE955C701

Function 00007FF665FE4928 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID:
API String ID: 3340455307-0
Opcode ID: fd8835e4233293591ea5a8582186aba0aa2126ac905c183a9a3c131a0123eb89
Instruction ID: b09494983f6a947c5480acda04e141ca4a54d7f65b2ba8249d6c7a7fa3a9d6ea
Opcode Fuzzy Hash: fd8835e4233293591ea5a8582186aba0aa2126ac905c183a9a3c131a0123eb89
Instruction Fuzzy Hash: 68410822B15692D6FA64DF21F90676A2362FBC4F94F044038DE8D8B794DE3CE8468B44

Function 00007FF665FEDFD0 Relevance: 143.9, APIs: 16, Strings: 66, Instructions: 440
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(?,?,?,00000000,?), ref: 00007FF665FEE018
GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 00007FF665FEE030
GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 00007FF665FEE05D
CreateFileW.KERNEL32 ref: 00007FF665FEE3F0
SetFilePointer.KERNEL32 ref: 00007FF665FEE40E
ReadFile.KERNEL32 ref: 00007FF665FEE436

Part of subcall function 00007FF665FEDFD0: GetSystemDirectoryW.KERNEL32 ref: 00007FF665FEDDDF

CompareStringW.KERNELBASE ref: 00007FF665FEE559
CloseHandle.KERNEL32 ref: 00007FF665FEE4F3

Part of subcall function 00007FF665FD1FA0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FD1FFB

Part of subcall function 00007FF665FE51A4: GetVersionExW.KERNEL32 ref: 00007FF665FE51D5

Part of subcall function 00007FF665FEDFD0: LoadLibraryExW.KERNELBASE ref: 00007FF665FEDEFF
Part of subcall function 00007FF665FEDFD0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FEDFB5
Part of subcall function 00007FF665FEDFD0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FEDFBB
Part of subcall function 00007FF665FEDFD0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FEDFC1
Part of subcall function 00007FF665FEDFD0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FEDFC7

AllocConsole.KERNEL32(?,?,?,00000000,?), ref: 00007FF665FEE74B
GetCurrentProcessId.KERNEL32(?,?,?,00000000,?), ref: 00007FF665FEE755
AttachConsole.KERNEL32(?,?,?,00000000,?), ref: 00007FF665FEE75D
GetStdHandle.KERNEL32(?,?,?,00000000,?), ref: 00007FF665FEE780
WriteConsoleW.KERNEL32(?,?,?,00000000,?), ref: 00007FF665FEE799
Sleep.KERNEL32(?,?,?,00000000,?), ref: 00007FF665FEE7A4
FreeConsole.KERNEL32(?,?,?,00000000,?), ref: 00007FF665FEE7AA
ExitProcess.KERNEL32 ref: 00007FF665FEE7BB

Strings

samcli.dll, xrefs: 00007FF665FEE2C9
cabinet.dll, xrefs: 00007FF665FEE1DB
mpr.dll, xrefs: 00007FF665FEE291
apphelp.dll, xrefs: 00007FF665FEE14F
cscapi.dll, xrefs: 00007FF665FEE22F
atl.dll, xrefs: 00007FF665FEE136
SetDllDirectoryW, xrefs: 00007FF665FEE026
uxtheme.dll, xrefs: 00007FF665FEE66D
version.dll, xrefs: 00007FF665FEE07B
SSPICLI.DLL, xrefs: 00007FF665FEE09C
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00007FF665FEE73B
dnsapi.DLL, xrefs: 00007FF665FEE259
dhcpcsvc6.dll, xrefs: 00007FF665FEE31D
msasn1.dll, xrefs: 00007FF665FEE195
devrtl.dll, xrefs: 00007FF665FEE29F
cryptui.dll, xrefs: 00007FF665FEE1A3
XmlLite.dll, xrefs: 00007FF665FEE339
iphlpapi.DLL, xrefs: 00007FF665FEE267
propsys.dll, xrefs: 00007FF665FEE2AD
samlib.dll, xrefs: 00007FF665FEE2D7
linkinfo.dll, xrefs: 00007FF665FEE347
ws2_32.dll, xrefs: 00007FF665FEE0FF
ntshrui.dll, xrefs: 00007FF665FEE12B
cryptsp.dll, xrefs: 00007FF665FEE355
aclui.dll, xrefs: 00007FF665FEE371
wintrust.dll, xrefs: 00007FF665FEE1B1
psapi.dll, xrefs: 00007FF665FEE115
slc.dll, xrefs: 00007FF665FEE23D
usp10.dll, xrefs: 00007FF665FEE0DE
shdocvw.dll, xrefs: 00007FF665FEE179
RpcRtRemote.dll, xrefs: 00007FF665FEE363
peerdist.dll, xrefs: 00007FF665FEE38D
dfscli.dll, xrefs: 00007FF665FEE2F3
WINNSI.DLL, xrefs: 00007FF665FEE275
netutils.dll, xrefs: 00007FF665FEE283
clbcatq.dll, xrefs: 00007FF665FEE0E9
kernel32, xrefs: 00007FF665FEE011
ws2help.dll, xrefs: 00007FF665FEE10A
setupapi.dll, xrefs: 00007FF665FEE141
ieframe.dll, xrefs: 00007FF665FEE120
lpk.dll, xrefs: 00007FF665FEE0D3
dsrole.dll, xrefs: 00007FF665FEE37F
SetDefaultDllDirectories, xrefs: 00007FF665FEE053
cryptbase.dll, xrefs: 00007FF665FEE0C8
dhcpcsvc.dll, xrefs: 00007FF665FEE32B
mlang.dll, xrefs: 00007FF665FEE2BB
userenv.dll, xrefs: 00007FF665FEE15D
rasadhlp.dll, xrefs: 00007FF665FEE30F
wkscli.dll, xrefs: 00007FF665FEE2E5
crypt32.dll, xrefs: 00007FF665FEE187
netapi32.dll, xrefs: 00007FF665FEE16B
sfc_os.dll, xrefs: 00007FF665FEE091
oleaccrc.dll, xrefs: 00007FF665FEE1E9
secur32.dll, xrefs: 00007FF665FEE1CD
profapi.dll, xrefs: 00007FF665FEE205
UXTheme.dll, xrefs: 00007FF665FEE0B2
shell32.dll, xrefs: 00007FF665FEE1BF
comres.dll, xrefs: 00007FF665FEE0F4
imageres.dll, xrefs: 00007FF665FEE24B
browcli.dll, xrefs: 00007FF665FEE301
ntmarta.dll, xrefs: 00007FF665FEE1F7
rsaenh.dll, xrefs: 00007FF665FEE0A7
dwmapi.dll, xrefs: 00007FF665FEE0BD, 00007FF665FEE661
WindowsCodecs.dll, xrefs: 00007FF665FEE213
DXGIDebug.dll, xrefs: 00007FF665FEE086, 00007FF665FEE5B6
srvcli.dll, xrefs: 00007FF665FEE221

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Console$FileHandle$AddressProcProcess$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadModulePointerReadSleepStringSystemVersionWrite
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$RpcRtRemote.dll$SSPICLI.DLL$SetDefaultDllDirectories$SetDllDirectoryW$UXTheme.dll$WINNSI.DLL$WindowsCodecs.dll$XmlLite.dll$aclui.dll$apphelp.dll$atl.dll$browcli.dll$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$cryptbase.dll$cryptsp.dll$cryptui.dll$cscapi.dll$devrtl.dll$dfscli.dll$dhcpcsvc.dll$dhcpcsvc6.dll$dnsapi.DLL$dsrole.dll$dwmapi.dll$ieframe.dll$imageres.dll$iphlpapi.DLL$kernel32$linkinfo.dll$lpk.dll$mlang.dll$mpr.dll$msasn1.dll$netapi32.dll$netutils.dll$ntmarta.dll$ntshrui.dll$oleaccrc.dll$peerdist.dll$profapi.dll$propsys.dll$psapi.dll$rasadhlp.dll$rsaenh.dll$samcli.dll$samlib.dll$secur32.dll$setupapi.dll$sfc_os.dll$shdocvw.dll$shell32.dll$slc.dll$srvcli.dll$userenv.dll$usp10.dll$uxtheme.dll$version.dll$wintrust.dll$wkscli.dll$ws2_32.dll$ws2help.dll
API String ID: 1496594111-2013832382
Opcode ID: 19926894803355f4926a5d38047f13a95aa4f57e947c60c8a04cc60affe7caae
Instruction ID: dd227d0e4e4a741eba6e72f959fe6fb4569e022d90fbf53d36fa74b62bd94c26
Opcode Fuzzy Hash: 19926894803355f4926a5d38047f13a95aa4f57e947c60c8a04cc60affe7caae
Instruction Fuzzy Hash: C7320431A09B82E9EB219FA0F9411E973B4FB44758F500236DA4D8F7A5EF39E645CB40

Function 00007FF665FE98DC Relevance: 25.2, APIs: 3, Strings: 11, Instructions: 702COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF665FE8E58: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF665FE8F8D

_snwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF665FE9F75
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FEA42F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FEA435

Part of subcall function 00007FF665FF0BBC: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF665FF0B44), ref: 00007FF665FF0BE9

Strings

*messages***, xrefs: 00007FF665FE9C04
DIRECTION, xrefs: 00007FF665FE9DE5
$%s:, xrefs: 00007FF665FE9F50
, xrefs: 00007FF665FE9DF9
STRINGS, xrefs: 00007FF665FE9DC1
RTL, xrefs: 00007FF665FE9F2E
@%s:, xrefs: 00007FF665FE9F57
*messages***, xrefs: 00007FF665FE9BC6
DIALOG, xrefs: 00007FF665FE9DCD
MENU, xrefs: 00007FF665FE9DD9
,, xrefs: 00007FF665FE9FAA

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ByteCharConcurrency::cancel_current_taskMultiWide_snwprintf
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$RTL$STRINGS
API String ID: 3629253777-3268106645
Opcode ID: f8d2576f2d3b58c8de45b6f33364cb60e7b4664a3fbb63d368bfc9699b226bdf
Instruction ID: 621684a0a1f2daac954147e60198ea3a7d0444bca5715cf5a719ca91eeb5cd71
Opcode Fuzzy Hash: f8d2576f2d3b58c8de45b6f33364cb60e7b4664a3fbb63d368bfc9699b226bdf
Instruction Fuzzy Hash: 9C62BF22A196C2E5EB10DF24D54A2BD63B5FB40B88F805132DA4D8F6D5EF3DE984CB50

Function 00007FF666001900 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 195
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF666001558: DloadProtectSection.DELAYIMP ref: 00007FF6660015C9

RaiseException.KERNEL32 ref: 00007FF6660019A7
DloadReleaseSectionWriteAccess.DELAYIMP ref: 00007FF666001993

Part of subcall function 00007FF666001868: DloadProtectSection.DELAYIMP ref: 00007FF6660018C7

LoadLibraryExA.KERNELBASE ref: 00007FF666001A46
GetLastError.KERNEL32 ref: 00007FF666001A54
DloadReleaseSectionWriteAccess.DELAYIMP ref: 00007FF666001A86
RaiseException.KERNEL32 ref: 00007FF666001A9A

Strings

H, xrefs: 00007FF666001974

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: DloadSection$AccessExceptionProtectRaiseReleaseWrite$ErrorLastLibraryLoad
String ID: H
API String ID: 3432403771-2852464175
Opcode ID: cf3fc932a6b7fb7fc9ef8320b4dd67bfc8d7ec91281715f792326570f1d4a57f
Instruction ID: 11a5147db15f80f687a891f14a8a5715794893608c713381f841c1c2cb46dc4a
Opcode Fuzzy Hash: cf3fc932a6b7fb7fc9ef8320b4dd67bfc8d7ec91281715f792326570f1d4a57f
Instruction Fuzzy Hash: EE915922A05B12DAEB10CFA5EA842A873B5FB08B98F444135DE0D5F754EF39E545CB40

Function 00007FF665FFF4E0 Relevance: 17.8, APIs: 6, Strings: 4, Instructions: 285
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32 ref: 00007FF665FFF747
ShowWindow.USER32 ref: 00007FF665FFF786
GetExitCodeProcess.KERNEL32 ref: 00007FF665FFF7BD
CloseHandle.KERNEL32 ref: 00007FF665FFF7E7
ShowWindow.USER32 ref: 00007FF665FFF83F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FFF8FB

Strings

p, xrefs: 00007FF665FFF529
.exe, xrefs: 00007FF665FFF7F2
.inf, xrefs: 00007FF665FFF675
Install, xrefs: 00007FF665FFF684

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_invalid_parameter_noinfo_noreturn
String ID: .exe$.inf$Install$p
API String ID: 1054546013-3607691742
Opcode ID: f5c8b309920baf1e38cfe499d4066692b9784065f97d1b9ba7782783299fb154
Instruction ID: 219bc773988c3f062a625c4c02044fa2c0af307ff05c7ed49150d22663f2993e
Opcode Fuzzy Hash: f5c8b309920baf1e38cfe499d4066692b9784065f97d1b9ba7782783299fb154
Instruction Fuzzy Hash: B7C18C22F18602D5FA40CB65EA8127963B1AFC9B84F044435CA4E9FBA5DF3DEC95CB04

Function 00007FF665FFF0A4 Relevance: 16.6, APIs: 11, Instructions: 102
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF665FFAE1C: PeekMessageW.USER32 ref: 00007FF665FFAE32
Part of subcall function 00007FF665FFAE1C: GetMessageW.USER32 ref: 00007FF665FFAE49
Part of subcall function 00007FF665FFAE1C: IsDialogMessageW.USER32 ref: 00007FF665FFAE60
Part of subcall function 00007FF665FFAE1C: TranslateMessage.USER32 ref: 00007FF665FFAE6F
Part of subcall function 00007FF665FFAE1C: DispatchMessageW.USER32 ref: 00007FF665FFAE7A

GetDlgItem.USER32 ref: 00007FF665FFF0E3
ShowWindow.USER32 ref: 00007FF665FFF109
SendMessageW.USER32 ref: 00007FF665FFF11E
SendMessageW.USER32 ref: 00007FF665FFF136
SendMessageW.USER32 ref: 00007FF665FFF157
SendMessageW.USER32 ref: 00007FF665FFF173
SendMessageW.USER32 ref: 00007FF665FFF1B6
SendMessageW.USER32 ref: 00007FF665FFF1D4
SendMessageW.USER32 ref: 00007FF665FFF1E8
SendMessageW.USER32 ref: 00007FF665FFF212
SendMessageW.USER32 ref: 00007FF665FFF22A

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID:
API String ID: 3569833718-0
Opcode ID: c58ef51af4c11ae469b78d40ba7290d4e9656f32b0895ce54e4debee0d1a06d9
Instruction ID: e036430301841d8381edffb8600dd752260cd91ebdb3ba22c6f6c3a2bad443c1
Opcode Fuzzy Hash: c58ef51af4c11ae469b78d40ba7290d4e9656f32b0895ce54e4debee0d1a06d9
Instruction Fuzzy Hash: 7841A131B14642C6F7109F61E914BAA2370EB89B99F441136DD0A9FBA5CE3EEC45CB44

Function 00007FF665FDEF10 Relevance: 11.0, APIs: 7, Instructions: 453COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FDF542
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FDF548
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FDF554
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FDF55A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FDF560
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FDF56C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FDF572

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 1f4c06cac65006907160b15d3882166ad00f23b738fd29126be59cee5bd80893
Instruction ID: 3dbf52246cfc00e5d7e977926872f5d8c2630ebcedfb10d9546bf57c393e3dc3
Opcode Fuzzy Hash: 1f4c06cac65006907160b15d3882166ad00f23b738fd29126be59cee5bd80893
Instruction Fuzzy Hash: 3B12A062F08B42C5EA10CB65D4466BD6371EB45BA8F400332DE5D9BAD9DF3CE989CB40

Function 00007FF665FE24C0 Relevance: 9.2, APIs: 6, Instructions: 164
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00007FF665FE259B
GetLastError.KERNEL32 ref: 00007FF665FE25AE
CreateFileW.KERNEL32 ref: 00007FF665FE260E
GetLastError.KERNEL32 ref: 00007FF665FE2617
SetFileTime.KERNEL32 ref: 00007FF665FE26C9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FE2736

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: File$CreateErrorLast$Time_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3536497005-0
Opcode ID: 33f6b48159d5b7d750ef9f2960fa93fa1ced6f4fdcb3bbf877704cc21e72eec3
Instruction ID: d886404ffa54d7487d388855f3e0f3efa4591c893e092f30788eb963fc2ee4f8
Opcode Fuzzy Hash: 33f6b48159d5b7d750ef9f2960fa93fa1ced6f4fdcb3bbf877704cc21e72eec3
Instruction Fuzzy Hash: FB61E362A18682D5E7208B29F90136E67B1FB85BACF100334DFA94BAD4DF3ED5558B40

Function 00007FF665FFB014 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadBitmapW.USER32 ref: 00007FF665FFB02A
GetObjectW.GDI32 ref: 00007FF665FFB05B
DeleteObject.GDI32 ref: 00007FF665FFB095
DeleteObject.GDI32 ref: 00007FF665FFB0C5

Part of subcall function 00007FF665FF8624: FindResourceW.KERNEL32 ref: 00007FF665FF863D
Part of subcall function 00007FF665FF8624: SizeofResource.KERNEL32 ref: 00007FF665FF8659
Part of subcall function 00007FF665FF8624: LoadResource.KERNEL32 ref: 00007FF665FF8673
Part of subcall function 00007FF665FF8624: LockResource.KERNEL32 ref: 00007FF665FF8685
Part of subcall function 00007FF665FF8624: GlobalAlloc.KERNELBASE ref: 00007FF665FF86A6
Part of subcall function 00007FF665FF8624: GlobalLock.KERNEL32 ref: 00007FF665FF86BB
Part of subcall function 00007FF665FF8624: CreateStreamOnHGlobal.COMBASE ref: 00007FF665FF86E8
Part of subcall function 00007FF665FF8624: GdipAlloc.GDIPLUS ref: 00007FF665FF86FE
Part of subcall function 00007FF665FF8624: GdipCreateHBITMAPFromBitmap.GDIPLUS ref: 00007FF665FF8769
Part of subcall function 00007FF665FF8624: GlobalUnlock.KERNEL32 ref: 00007FF665FF878C
Part of subcall function 00007FF665FF8624: GlobalFree.KERNEL32 ref: 00007FF665FF8795

Strings

], xrefs: 00007FF665FFB063

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: Global$Resource$Object$AllocBitmapCreateDeleteGdipLoadLock$FindFreeFromSizeofStreamUnlock
String ID: ]
API String ID: 3561356813-3352871620
Opcode ID: 2f79d63664e457f963bfbd157e1c525b341384e02eb8e860e1f42d2dee528bbf
Instruction ID: b47ffc983838df8259e8ffc8c431cd00b40d022c3f2056c9a4e73e936292373b
Opcode Fuzzy Hash: 2f79d63664e457f963bfbd157e1c525b341384e02eb8e860e1f42d2dee528bbf
Instruction Fuzzy Hash: FE114F21B09683C2EA649B22E65627953B1AFC8FC0F080435D95D8FF99DE3DEC05CE00

Function 00007FF665FFAE1C Relevance: 7.5, APIs: 5, Instructions: 27
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32 ref: 00007FF665FFAE32
GetMessageW.USER32 ref: 00007FF665FFAE49
IsDialogMessageW.USER32 ref: 00007FF665FFAE60
TranslateMessage.USER32 ref: 00007FF665FFAE6F
DispatchMessageW.USER32 ref: 00007FF665FFAE7A

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 8f901ab8bb575df3ccfb48a5cb3294f091b017f84468599a2020223c8e70b7dc
Instruction ID: 41d3c1a5f3f146ca29dd8ca820cc171ba9fec69c9ee29ed858ea3145174f7a68
Opcode Fuzzy Hash: 8f901ab8bb575df3ccfb48a5cb3294f091b017f84468599a2020223c8e70b7dc
Instruction Fuzzy Hash: E4F0C935A38583C2EB509B21F995F762371BFD0B06F805532E94E9A854DF3DD908CE04

Function 00007FF665FF91E8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32 ref: 00007FF665FF9211
SHAutoComplete.SHLWAPI ref: 00007FF665FF9255

Part of subcall function 00007FF665FF13C4: CompareStringW.KERNEL32 ref: 00007FF665FF13E3

FindWindowExW.USER32 ref: 00007FF665FF923F

Strings

EDIT, xrefs: 00007FF665FF921B, 00007FF665FF9233

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: 5198dd27efd6ef2cfe81d4e1a42d30dc263c523227a297f5f4c02164b2b5e029
Instruction ID: f78f9e24df684a90cd66a5909e0fab3d65ac18791cc8190b6cdeb31d4185a65e
Opcode Fuzzy Hash: 5198dd27efd6ef2cfe81d4e1a42d30dc263c523227a297f5f4c02164b2b5e029
Instruction Fuzzy Hash: 54018171B18A83C1FA209B21F9117FA63B0AF98B44F440131C94D8FA95EE3DE94DCE40

Function 00007FF665FE2CE0 Relevance: 6.1, APIs: 4, Instructions: 136
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(00007FF665FE8C9A), ref: 00007FF665FE2D22
WriteFile.KERNEL32 ref: 00007FF665FE2D6C
WriteFile.KERNELBASE ref: 00007FF665FE2D9A

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 0e24b38da4911ce84cd1995b05bc76a48cdbb6549566894b7731c3bd6f5b2069
Instruction ID: b87534eb534045873ba62fc76fae29ae2f2d68d5fe593ec1fe77468a03b8851c
Opcode Fuzzy Hash: 0e24b38da4911ce84cd1995b05bc76a48cdbb6549566894b7731c3bd6f5b2069
Instruction Fuzzy Hash: FF51E862A19583E2EA60CB65E94577A6370FF45B94F440131DA0D8F694EF3EE985CB00

Function 00007FF6660003E0 Relevance: 6.1, APIs: 4, Instructions: 123
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowTextW.USER32 ref: 00007FF666000556
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6660005C1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6660005C7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6660005CD

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$TextWindow
String ID:
API String ID: 2912839123-0
Opcode ID: f8a7328c73512b25e0e7f4217039bd58d5acfa9dc3efb5ee78f1a139c28ede0e
Instruction ID: c782d3fcd909a946cfbac71e16fa60f7b7b29cbda61892f97ecbcdb6b5a434f1
Opcode Fuzzy Hash: f8a7328c73512b25e0e7f4217039bd58d5acfa9dc3efb5ee78f1a139c28ede0e
Instruction Fuzzy Hash: D1518D62F28A52C4FB009FA5E9452AD2372AF45BA4F400236DA1D9FBD6DF6DE540C780

Function 00007FF666002D6C Relevance: 6.1, APIs: 4, Instructions: 94COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF666002D7B

Part of subcall function 00007FF6660027FC: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF66600281E

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF666002D90
__scrt_release_startup_lock.LIBCMT ref: 00007FF666002DFE
__scrt_get_show_window_mode.LIBCMT ref: 00007FF666002E51

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 1452418845-0
Opcode ID: f380b52e8f95e6a0f24ce785192d8cb773bc143ddf3d62aee805abe4fb8ed354
Instruction ID: 2c0f3c6e3c52e5c6a8584a9faaa4896d3f77584fa06f5bf55f5494be6e2baa6b
Opcode Fuzzy Hash: f380b52e8f95e6a0f24ce785192d8cb773bc143ddf3d62aee805abe4fb8ed354
Instruction Fuzzy Hash: 81314720A4C643D1FA59AF64B7113BA22B1AF44384F440435EA0ECF6D3EE2EB9448AD0

Function 00007FF665FE3684 Relevance: 6.1, APIs: 4, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?,?,?,?,?,?,00000000,?,00007FF665FE309D), ref: 00007FF665FE36CE
CreateDirectoryW.KERNEL32 ref: 00007FF665FE3733
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,00007FF665FE309D), ref: 00007FF665FE3791
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FE37CE

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2359106489-0
Opcode ID: c692564d5d1c2d87129f870fd8c4aa882645ff23391cbc0b7309d447f995f5b9
Instruction ID: aacb9e58f9537567b1b0c11427937bacd0fc1ec9078684be4abe65265eeb8507
Opcode Fuzzy Hash: c692564d5d1c2d87129f870fd8c4aa882645ff23391cbc0b7309d447f995f5b9
Instruction Fuzzy Hash: 4331FA21A0C6C2D1EA609B25E54A1796371FF89B90F500631EE8DCF6E4DF3CF9458A00

Function 00007FF665FE2320 Relevance: 6.1, APIs: 4, Instructions: 58fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(?,?,?,?,00000000,00007FF665FE2927,?,00100000,?,00000001,00000000,00000000,?,00007FF665FE14C1), ref: 00007FF665FE2348
ReadFile.KERNELBASE ref: 00007FF665FE2367
GetLastError.KERNEL32 ref: 00007FF665FE239B
GetLastError.KERNEL32 ref: 00007FF665FE23BA

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 5dece825d5be91adec6864fa12bb564f4e3b5809c08bfde6ef0babe01e3581d0
Instruction ID: 18271fe11484e78a382cbf35cd1ded91738d524358246a372e9004de666a1949
Opcode Fuzzy Hash: 5dece825d5be91adec6864fa12bb564f4e3b5809c08bfde6ef0babe01e3581d0
Instruction Fuzzy Hash: 3A218021E4C583D9EA609B51E801339A3B0FB45F98F144530DA5D8F698EF7EDD858F11

Function 00007FF665FEE948 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF665FEECD8: ResetEvent.KERNEL32 ref: 00007FF665FEECF1
Part of subcall function 00007FF665FEECD8: ReleaseSemaphore.KERNEL32 ref: 00007FF665FEED07

ReleaseSemaphore.KERNEL32 ref: 00007FF665FEE974
CloseHandle.KERNELBASE ref: 00007FF665FEE993
DeleteCriticalSection.KERNEL32 ref: 00007FF665FEE9AA
CloseHandle.KERNEL32 ref: 00007FF665FEE9B7

Part of subcall function 00007FF665FEEA5C: WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF665FEE95F,?,?,?,00007FF665FE463A,?,?,?), ref: 00007FF665FEEA63
Part of subcall function 00007FF665FEEA5C: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF665FEE95F,?,?,?,00007FF665FE463A,?,?,?), ref: 00007FF665FEEA6E

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: CloseHandleReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 502429940-0
Opcode ID: 7c4c69b688bb09167c3d8ec6f4195a818a409db0987586a56ae23aa503e7e0cd
Instruction ID: 603c0fcc5c32db15a1fcfdc042c63e3a1abfed31093b6386b8ec058bd1642306
Opcode Fuzzy Hash: 7c4c69b688bb09167c3d8ec6f4195a818a409db0987586a56ae23aa503e7e0cd
Instruction Fuzzy Hash: C3014033A15A81E2E649DB61F64526DB371FB84BC0F004031DB6D4B665CF39E5B4CB40

Function 00007FF665FEEAA4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 00007FF665FEEAE0
SetThreadPriority.KERNEL32 ref: 00007FF665FEEB36

Strings

CreateThread failed, xrefs: 00007FF665FEEAEE

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: Thread$CreatePriority
String ID: CreateThread failed
API String ID: 2610526550-3849766595
Opcode ID: cf4f3858e1c5421656891f758a667cd72a6f2059ba57d4f8d940dbc9b5e0f540
Instruction ID: 849ce5bb1668c3fb3963c50e5dedbdba420b2ffab803f00f43a26ae20c3f77f9
Opcode Fuzzy Hash: cf4f3858e1c5421656891f758a667cd72a6f2059ba57d4f8d940dbc9b5e0f540
Instruction Fuzzy Hash: E3116031A09A82D1E700DF10F942269B370FB84B88F544636DA4E8F669DF3DE945CF40

Function 00007FF665FF946C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26comCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF665FEDFD0: GetSystemDirectoryW.KERNEL32 ref: 00007FF665FEDDDF

OleInitialize.OLE32 ref: 00007FF665FF9486
SHGetMalloc.SHELL32 ref: 00007FF665FF94D4

Strings

riched20.dll, xrefs: 00007FF665FF9475

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: DirectoryInitializeMallocSystem
String ID: riched20.dll
API String ID: 174490985-3360196438
Opcode ID: 0d85db053d286d1bd0fa19ead2840fc3f5149c6ee0f027e6ed6c33eb2c824e37
Instruction ID: 2b68afed9cf1e3e2d3d908fef40f8d8e197aab2c8af4b68102266bb90b38014c
Opcode Fuzzy Hash: 0d85db053d286d1bd0fa19ead2840fc3f5149c6ee0f027e6ed6c33eb2c824e37
Instruction Fuzzy Hash: 00F0AF71618A82C2EB018F20F4046AAB3B0FB88714F400136EA8D8EB64DF7DE94CCF00

Function 00007FF665FF095C Relevance: 4.7, APIs: 3, Instructions: 152windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF665FF853C: GlobalMemoryStatusEx.KERNEL32 ref: 00007FF665FF856C

Part of subcall function 00007FF665FEAAE0: LoadStringW.USER32 ref: 00007FF665FEAB67
Part of subcall function 00007FF665FEAAE0: LoadStringW.USER32 ref: 00007FF665FEAB80

Part of subcall function 00007FF665FD1FA0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FD1FFB

Part of subcall function 00007FF665FD129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF665FD1396

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6660001BB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6660001C1
SendDlgItemMessageW.USER32 ref: 00007FF6660001F2

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$LoadString$Concurrency::cancel_current_taskGlobalItemMemoryMessageSendStatus
String ID:
API String ID: 3106221260-0
Opcode ID: 5e1efcc2b385ec2e27c5c3e9b0bda95dd4af1554cfa52ada46e12f5842fe570c
Instruction ID: 459c1ff6ff98d66c72049d56f475b98d7bc365dc9a7de55f32f25a4cef8305f9
Opcode Fuzzy Hash: 5e1efcc2b385ec2e27c5c3e9b0bda95dd4af1554cfa52ada46e12f5842fe570c
Instruction Fuzzy Hash: CE51B162F18642D6FB109FA1E4562FD2372AB85B88F404235DA4D9F7D6DE3DE940C780

Function 00007FF665FE2134 Relevance: 4.6, APIs: 3, Instructions: 114fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE ref: 00007FF665FE21CF
CreateFileW.KERNEL32 ref: 00007FF665FE223C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FE22D8

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: CreateFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2272807158-0
Opcode ID: c0a24921bb432fc979f0151b166e22e2d4d2ab91ccee52ff8beeeb5fa3cca71f
Instruction ID: ef874a2f89c3fb7f1a06f4d2e4622d161fc2616a73d57359b2ea87c2ce047024
Opcode Fuzzy Hash: c0a24921bb432fc979f0151b166e22e2d4d2ab91ccee52ff8beeeb5fa3cca71f
Instruction Fuzzy Hash: 2041D072A08786D2EB248B15E84526D63B1FB85BB4F105334DFAD4BAD5DF3DE9908B00

Function 00007FF665FD23F8 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32 ref: 00007FF665FD243E
GetWindowTextW.USER32 ref: 00007FF665FD2476
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FD2505

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: TextWindow$Length_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2176759853-0
Opcode ID: 41410b057bf1bfc832f9111b5635005432e9644e209f963b7c0d07f0c95fee55
Instruction ID: 54da17babd421b1041cc842ac0cc4f1b5d413eb2ed7316e3a2b2b27aaca9fc86
Opcode Fuzzy Hash: 41410b057bf1bfc832f9111b5635005432e9644e209f963b7c0d07f0c95fee55
Instruction Fuzzy Hash: D821AF72A28B8281EA108B65F94057AB374FB89BD0F144331EF9D4BB95CF3DE5808B40

Function 00007FF665FF1F94 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF665FF205B
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF665FF2077
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF665FF2093

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: std::bad_alloc::bad_alloc
String ID:
API String ID: 1875163511-0
Opcode ID: 5d5f35b7d0b1a8ec44982466ed86c266d3277025963138b758b7e20b27780546
Instruction ID: 71341ccc8182b751e2a1709f9c7b20312327f9f40ff1323704fcbe04d83ee72f
Opcode Fuzzy Hash: 5d5f35b7d0b1a8ec44982466ed86c266d3277025963138b758b7e20b27780546
Instruction Fuzzy Hash: DD318463A0C686D1FB249B14E9453B963B0FB90F84F544031E24D9F9A9DF7EE945CB01

Function 00007FF665FE3D34 Relevance: 4.6, APIs: 3, Instructions: 62COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?,?,?,?,?,00000000,00000001,?,00007FF665FF07E1), ref: 00007FF665FE3D5E
SetFileAttributesW.KERNEL32 ref: 00007FF665FE3DB0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FE3E1A

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1203560049-0
Opcode ID: a1f7dc1dbaba3642fc9690cddce522cfa30acb7a6fd15afbd6a0ae69969149b0
Instruction ID: d969c8ae875923cccefc9de6d00b32af7f6c9df162608d7f9868050b3cf8dea1
Opcode Fuzzy Hash: a1f7dc1dbaba3642fc9690cddce522cfa30acb7a6fd15afbd6a0ae69969149b0
Instruction Fuzzy Hash: E321D622A18685D1EA208F25F4462696371FF88B94F104230EA9D8B6E9DF3CE940CE40

Function 00007FF665FE31BC Relevance: 4.6, APIs: 3, Instructions: 59fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,?,?,?,?,?,?,?,00000000,00007FF665FF0822), ref: 00007FF665FE31E7
DeleteFileW.KERNEL32 ref: 00007FF665FE3237
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FE32A1

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: DeleteFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3118131910-0
Opcode ID: 69d2c27007a20e930861445e234d5951a1cf09c7b93575dd70fe51422861bc3e
Instruction ID: 2ef04d1255a6cd12068d3891fa4475b6b53a79a43637a5e7a8890aac399050b9
Opcode Fuzzy Hash: 69d2c27007a20e930861445e234d5951a1cf09c7b93575dd70fe51422861bc3e
Instruction Fuzzy Hash: 41219032A187C1D1EA108B25F84522A6370FB89B94F501230EADE8BAE9DF3DE540CE40

Function 00007FF665FE32BC Relevance: 4.6, APIs: 3, Instructions: 57COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,?,00007FF665FEE5B1,?,?,?,00000000,?), ref: 00007FF665FE32E7
GetFileAttributesW.KERNELBASE ref: 00007FF665FE3334
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FE3399

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1203560049-0
Opcode ID: 07782a0afab47d92a22bff3076416a7edfcd43da74ab10a948eda14518e6746e
Instruction ID: d0059feff49f62c9086de067798f04e9444a389baf39152a1d55c61413388cac
Opcode Fuzzy Hash: 07782a0afab47d92a22bff3076416a7edfcd43da74ab10a948eda14518e6746e
Instruction Fuzzy Hash: 6E218832A187C1D1EA108B19F54512A6371FBC9BA4F500331EA9D8B7E5DF3DE940CB40

Function 00007FF66600BF64 Relevance: 4.5, APIs: 3, Instructions: 19COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF66600BF48), ref: 00007FF66600BF8C
TerminateProcess.KERNEL32(?,?,?,00007FF66600BF48), ref: 00007FF66600BF97
ExitProcess.KERNEL32 ref: 00007FF66600BFA6

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 44b3a526fe0d15710854bc957cc7a82f9edee4cc7420f0560de4bec5ea2a17a0
Instruction ID: 9ebd2239ff41b78dff44ab917444e373084bdbfe5ac5a26a2f2edba30751443c
Opcode Fuzzy Hash: 44b3a526fe0d15710854bc957cc7a82f9edee4cc7420f0560de4bec5ea2a17a0
Instruction Fuzzy Hash: 4BE04F28B04305C6EB546F71BA953792376AF88745F104438D80E8F396CF3FA4098F80

Function 00007FF665FDF578 Relevance: 3.2, APIs: 2, Instructions: 193COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FDF895
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FDF89B

Part of subcall function 00007FF665FE3EC8: FindClose.KERNELBASE(?,?,00000000,00007FF665FF0811), ref: 00007FF665FE3EFD

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseFind
String ID:
API String ID: 3587649625-0
Opcode ID: ff05a0ad3b9c4f4235e1478b2c69edca0b6840efc482a2fd304b53339564797e
Instruction ID: 1fa421548ce661964818c951df20d2142649e6f3d3e0998cf2ee1c41bb22af66
Opcode Fuzzy Hash: ff05a0ad3b9c4f4235e1478b2c69edca0b6840efc482a2fd304b53339564797e
Instruction Fuzzy Hash: 4D91B273A18781D0EB10DF64D4455AD6371FB84B98F404231EA4C8BAE9DF7CD985CB40

Function 00007FF665FD3904 Relevance: 3.1, APIs: 2, Instructions: 124COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FD3AB3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FD3AB9

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: dfb5e971954e8ecfa9eab7821141cd8d5f8eac190b9055cad7bdf59bd5ea8a56
Instruction ID: 95f2bffd940ee917230606b62e747644bf5077ad80214454978c856d3b05d562
Opcode Fuzzy Hash: dfb5e971954e8ecfa9eab7821141cd8d5f8eac190b9055cad7bdf59bd5ea8a56
Instruction Fuzzy Hash: 3D41A062F14652C5FB00DBB1E4426AD2371AF45FD8F145235EE1DAFADADE3CA8828640

Function 00007FF665FE2778 Relevance: 3.1, APIs: 2, Instructions: 100COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000002,?,00000F99,?,00007FF665FE274D), ref: 00007FF665FE28A9
GetLastError.KERNEL32(?,00007FF665FE274D), ref: 00007FF665FE28B8

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 043a82e8aff847b2e282b78885e55c7214a93c585b530bdf19c19deffc600893
Instruction ID: 4a5b5f3ccedd5c896731fc22caa55cf1dda2d66a77fc6c0949cac2679d1bb4f8
Opcode Fuzzy Hash: 043a82e8aff847b2e282b78885e55c7214a93c585b530bdf19c19deffc600893
Instruction Fuzzy Hash: BE31A632B19A97E2EA644B2ADD416766370AF44FD4F140132DE5D8F7A0EF3EDE418A40

Function 00007FF665FD22BC Relevance: 3.1, APIs: 2, Instructions: 83COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00007FF665FD22F1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FD23F0

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: Item_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1746051919-0
Opcode ID: 8d40ccc84b580f33f3dafee36447434fcdf79cb76bf08fc935a239d44bb79c76
Instruction ID: eb285124fd14b3d29c97e1a60b1218af2507e1dd2dfe7a4d7698293ff5e81a78
Opcode Fuzzy Hash: 8d40ccc84b580f33f3dafee36447434fcdf79cb76bf08fc935a239d44bb79c76
Instruction Fuzzy Hash: 8331B022A18786C2EA149F55F9453AEB370EB84B94F444331EB9C4FB95DF3DE9408B40

Function 00007FF665FE2AD0 Relevance: 3.1, APIs: 2, Instructions: 76timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32 ref: 00007FF665FE2AFE
SetFileTime.KERNELBASE ref: 00007FF665FE2B9B

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 1f7bfd0f82637a6abdcd08aef8b442a865f6f50d97ba3a1fa7ef62b0e093425a
Instruction ID: a2c5c9106565d5952d429817168e6a85a331082bd9e05be179d1e746e0a99173
Opcode Fuzzy Hash: 1f7bfd0f82637a6abdcd08aef8b442a865f6f50d97ba3a1fa7ef62b0e093425a
Instruction Fuzzy Hash: 0B21A322E097C7F5EA628E51E8067B657B1AF41B98F154031DE4C4B295FE3EDD46CA00

Function 00007FF665FEAAE0 Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

LoadStringW.USER32 ref: 00007FF665FEAB67
LoadStringW.USER32 ref: 00007FF665FEAB80

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: efc1550bd5bba1d5ac9face2304fa075ed5e4cb94ffc19493764f318ca00d951
Instruction ID: db6e598f26289f54b5b9441fdfb78b57445db8cc502d25d1ce157a258ae78e96
Opcode Fuzzy Hash: efc1550bd5bba1d5ac9face2304fa075ed5e4cb94ffc19493764f318ca00d951
Instruction Fuzzy Hash: 60117970B09A82C6EA008F16FA4486877B1BB88FC1F544536CE4DEB721DE7DE9418B84

Function 00007FF665FE2BB0 Relevance: 3.0, APIs: 2, Instructions: 47COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE ref: 00007FF665FE2C11
GetLastError.KERNEL32 ref: 00007FF665FE2C1E

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 5eda2cbf1ce6837a88d649c872729f31e823bc49095d59e5e9b193bf7b9166cd
Instruction ID: 232eae8a800e2ca537c9d65ed51bb33f3b2939ac5ef7670888d462b280034b40
Opcode Fuzzy Hash: 5eda2cbf1ce6837a88d649c872729f31e823bc49095d59e5e9b193bf7b9166cd
Instruction Fuzzy Hash: 61116321A18686D1EB509B25EC426696370EB44FB8F544731DA6D9B2D4DF3ED982CB00

Function 00007FF665FD255C Relevance: 3.0, APIs: 2, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF665FEA4AC: swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF665FEA504
Part of subcall function 00007FF665FEA4AC: SetDlgItemTextW.USER32 ref: 00007FF665FEA573
Part of subcall function 00007FF665FEA4AC: GetWindowRect.USER32 ref: 00007FF665FEA5AD
Part of subcall function 00007FF665FEA4AC: GetClientRect.USER32 ref: 00007FF665FEA5BB

GetDlgItem.USER32 ref: 00007FF665FD25AC
SetWindowTextW.USER32 ref: 00007FF665FD25C8

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: ItemRectTextWindow$Clientswprintf
String ID:
API String ID: 3322643685-0
Opcode ID: ad94589889145b650e3461eb84003e845283bd92425fc2a9221c8100a4e27e71
Instruction ID: 15d5af056c5a2743c4323842a942d381e0a244ba8e41e4b1a17e4cd5402cb51d
Opcode Fuzzy Hash: ad94589889145b650e3461eb84003e845283bd92425fc2a9221c8100a4e27e71
Instruction Fuzzy Hash: 43015214A0D28BC1FE555751F959BB957B29F85B84F080235D84D8F299EE3EEC848B40

Function 00007FF665FEEB58 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,00007FF665FEEBAD,?,?,?,?,00007FF665FE5752,?,?,?,00007FF665FE56DE), ref: 00007FF665FEEB5C
GetProcessAffinityMask.KERNEL32 ref: 00007FF665FEEB6F

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 444071b75e142e51b736d9fa504759652bc9944b894df1f8101a797a07211085
Instruction ID: c43748049bed43453b533486e67eb1c73d1b45e5782327d5bd2463fe8db285dd
Opcode Fuzzy Hash: 444071b75e142e51b736d9fa504759652bc9944b894df1f8101a797a07211085
Instruction Fuzzy Hash: 55E02B61F24586D2DF498F55E4514E9B3B2BFC8F40B848035D60BCB614DE3DE6498F00

Function 00007FF6660021D0 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF666002200

Part of subcall function 00007FF666002F7C: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF666002F85

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF666002206

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
String ID:
API String ID: 1173176844-0
Opcode ID: c507040392a2377e4895e65205c3b95c5fe2146e3485fc393c80d7c2ffdcaf26
Instruction ID: 52961b33c3afb700bf4fe8ba411ecc51400fa40fc01d66f5d26772c29d6c285e
Opcode Fuzzy Hash: c507040392a2377e4895e65205c3b95c5fe2146e3485fc393c80d7c2ffdcaf26
Instruction Fuzzy Hash: DCE0EC60E1D107C2FD582AA63A661B401744F29770E181730DE3E8D2C3EE1FA8918990

Function 00007FF66600D90C Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL ref: 00007FF66600D922
GetLastError.KERNEL32 ref: 00007FF66600D934

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 7829e02dcbd74b51c5e196648e5aad52518f68633834b7095f7e5950a32ae739
Instruction ID: 4e2b85efde8f04ff851a54aafa31056d3f122bf01e22d6496085f5f120b009dc
Opcode Fuzzy Hash: 7829e02dcbd74b51c5e196648e5aad52518f68633834b7095f7e5950a32ae739
Instruction Fuzzy Hash: 5CE08C60E09103C2FF08AFF2BA155B863B09F94B55B040030C90DCE3D2EE3EA6828E60

Function 00007FF665FD33E4 Relevance: 1.8, APIs: 1, Instructions: 328COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FD388C

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 33f84bb692d5293623e3afab48e0196588e748b5593b514a14a7011791a52734
Instruction ID: 51b73c158864559998518309c228c80c8a0001f4d99b1f13c8a2db367401903e
Opcode Fuzzy Hash: 33f84bb692d5293623e3afab48e0196588e748b5593b514a14a7011791a52734
Instruction Fuzzy Hash: F2D18E62B08682D6EB688B25D6452B9B7B1FB05FC4F040635CB5D8F7E5CF39E9618B00

Function 00007FF665FE5294 Relevance: 1.7, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FE551B

Part of subcall function 00007FF665FF13F4: CompareStringW.KERNEL32 ref: 00007FF665FF145A

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: CompareString_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1017591355-0
Opcode ID: d592eabcbe9af83a373b8b16b8cc449c2e49e9c4d9704c8b20a1f27e4dd7bd8a
Instruction ID: bd765a60d1de815fe42952836673bb1bd90803d534e63b23ad751204452a451e
Opcode Fuzzy Hash: d592eabcbe9af83a373b8b16b8cc449c2e49e9c4d9704c8b20a1f27e4dd7bd8a
Instruction Fuzzy Hash: F661E211A0C6C7D5EA649A15E5262BE63B2AF80FD4F144131EE4DCFAC6EE7CEC418A10

Function 00007FF665FF1870 Relevance: 1.7, APIs: 1, Instructions: 172COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF665FEE948: ReleaseSemaphore.KERNEL32 ref: 00007FF665FEE974
Part of subcall function 00007FF665FEE948: CloseHandle.KERNELBASE ref: 00007FF665FEE993
Part of subcall function 00007FF665FEE948: DeleteCriticalSection.KERNEL32 ref: 00007FF665FEE9AA
Part of subcall function 00007FF665FEE948: CloseHandle.KERNEL32 ref: 00007FF665FEE9B7

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FF1ACB

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: CloseHandle$CriticalDeleteReleaseSectionSemaphore_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 904680172-0
Opcode ID: 385a02acb57b8c59120be0c34ea2f347caf4614f8b231966af7ef80d9636563d
Instruction ID: fe18eb7c10a040eed5a53c5f122f6bd986c44e8a85b8d8ee03264f85f465666e
Opcode Fuzzy Hash: 385a02acb57b8c59120be0c34ea2f347caf4614f8b231966af7ef80d9636563d
Instruction Fuzzy Hash: 98618CA2B15A85E2EE08DF65D6950BC7375FB80F90B544236D72D8FA82CF39E860C740

Function 00007FF665FDEC9C Relevance: 1.6, APIs: 1, Instructions: 145COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FDEEB8

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: af1c5978b98fda9a8b2c18bb3354693c366be56127f8703ff8eb31aec807914d
Instruction ID: e8c3985cd2a078d9b88cefe25f992ad43a1b68953c4f6bf37fa76ea7ec57abba
Opcode Fuzzy Hash: af1c5978b98fda9a8b2c18bb3354693c366be56127f8703ff8eb31aec807914d
Instruction Fuzzy Hash: 9951A062A08682D0EA149F25E8463A97771FB85FC4F440236EF5D8F396DE3DE885CB40

Function 00007FF665FDE7A8 Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF665FE3EC8: FindClose.KERNELBASE(?,?,00000000,00007FF665FF0811), ref: 00007FF665FE3EFD

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FDE993

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: CloseFind_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1011579015-0
Opcode ID: 1ed87b38f53b3cf50e1c2200cac218cce737f4e527dde5fbd83d50be022e59e1
Instruction ID: 9916ec4fe1927ad83af4780a98e8e35925d7888a562d90ca2480b433a2a06ac1
Opcode Fuzzy Hash: 1ed87b38f53b3cf50e1c2200cac218cce737f4e527dde5fbd83d50be022e59e1
Instruction Fuzzy Hash: 4D514B22A09686C1FB609F24E48636D7371FB84F84F440236EB8D9B6A5DF3DE841CB51

Function 00007FF665FE1794 Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FE187D

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 8f5a58c5ca3b50e021cd7d957f77a4d85bae32fcfe51cc18db3578f951f03667
Instruction ID: d56253eadd460b310d2175107779bd5ed3ba023bc2c7c68ef228df2c1d8891f0
Opcode Fuzzy Hash: 8f5a58c5ca3b50e021cd7d957f77a4d85bae32fcfe51cc18db3578f951f03667
Instruction Fuzzy Hash: 8841F762B18AC192EA149B17E64137AA361FB84FC0F448536EE5C8FF4ADF3CD9918740

Function 00007FF665FE2F58 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FE30C8

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: e2b4454f69462049619ab9b1c97d5eb6f0ad1ff01e3f8e4e7caa5ef109cfce74
Instruction ID: c30862d5a3af6249085df08278bd8be95266c939eddd76388b51c7f8cfb9029e
Opcode Fuzzy Hash: e2b4454f69462049619ab9b1c97d5eb6f0ad1ff01e3f8e4e7caa5ef109cfce74
Instruction Fuzzy Hash: 4141D262A08B86D0EF159F29E54A3792371EB85FD8F141135EB4D8B6E9DF3DE8408B40

Function 00007FF66600BDF8 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF66600BE20

Part of subcall function 00007FF66600BFB0: GetModuleHandleExW.KERNEL32 ref: 00007FF66600BFD0
Part of subcall function 00007FF66600BFB0: GetProcAddress.KERNEL32 ref: 00007FF66600BFE6
Part of subcall function 00007FF66600BFB0: FreeLibrary.KERNEL32 ref: 00007FF66600C00B

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 5b4d6432c9ab27f48bf344f41163fa66ca8822e5b5ed34cf2c0174bd429b5c6d
Instruction ID: d98c64526714b9d2a11bd1bb4d4e1a38b74026eeb9c60b608dd1c5d87afeab4a
Opcode Fuzzy Hash: 5b4d6432c9ab27f48bf344f41163fa66ca8822e5b5ed34cf2c0174bd429b5c6d
Instruction Fuzzy Hash: 0541AE22A18643D2FB249F15BA5017863B1AFA4B84F544476DA0DDF6A1EF7FE8418F80

Function 00007FF665FD129C Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF665FD1396

Part of subcall function 00007FF665FD1F80: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF665FD1F89

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: Concurrency::cancel_current_taskstd::bad_alloc::bad_alloc
String ID:
API String ID: 680105476-0
Opcode ID: 8615e64c65e08c4765cb9fe696173ca1d24e70e0804716bd186f62c3c2783a0a
Instruction ID: ba2087fad38eed9a7317072ac4bee1fa9fe50a6472ff7a7e8b697b8be9b1939c
Opcode Fuzzy Hash: 8615e64c65e08c4765cb9fe696173ca1d24e70e0804716bd186f62c3c2783a0a
Instruction Fuzzy Hash: B4217C22A48651C5EA149F92E5016797360AB05FF0F680B30DE7E8FBD1DE7DE8518B44

Function 00007FF66601124C Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF666011280

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 9dd5a9e84c18447e56e2265fa04046f11d37b96b7f5b774ce3305aa6458b3f00
Instruction ID: bc2c74df57107eca904a9f2105da2f4951812b4d5ac7cda545935fe89f493fd2
Opcode Fuzzy Hash: 9dd5a9e84c18447e56e2265fa04046f11d37b96b7f5b774ce3305aa6458b3f00
Instruction Fuzzy Hash: 13117932A0C683C2E6149F90B640679B2B4FB51388F540174EA8DDF696DF2EEC208F44

Function 00007FF665FFFC68 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF665FFF0A4: GetDlgItem.USER32 ref: 00007FF665FFF0E3
Part of subcall function 00007FF665FFF0A4: ShowWindow.USER32 ref: 00007FF665FFF109
Part of subcall function 00007FF665FFF0A4: SendMessageW.USER32 ref: 00007FF665FFF11E
Part of subcall function 00007FF665FFF0A4: SendMessageW.USER32 ref: 00007FF665FFF136
Part of subcall function 00007FF665FFF0A4: SendMessageW.USER32 ref: 00007FF665FFF157
Part of subcall function 00007FF665FFF0A4: SendMessageW.USER32 ref: 00007FF665FFF173
Part of subcall function 00007FF665FFF0A4: SendMessageW.USER32 ref: 00007FF665FFF1B6
Part of subcall function 00007FF665FFF0A4: SendMessageW.USER32 ref: 00007FF665FFF1D4
Part of subcall function 00007FF665FFF0A4: SendMessageW.USER32 ref: 00007FF665FFF1E8
Part of subcall function 00007FF665FFF0A4: SendMessageW.USER32 ref: 00007FF665FFF212
Part of subcall function 00007FF665FFF0A4: SendMessageW.USER32 ref: 00007FF665FFF22A

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FFFD03

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: MessageSend$ItemShowWindow_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1587882848-0
Opcode ID: 4e31503daed93d9188896172121f8db9e22501b53953b377ed489f9acb82b46e
Instruction ID: 60cf422eddb4b58a387741c7b5a486a8af8000a4d906c96f56cfe13909cad614
Opcode Fuzzy Hash: 4e31503daed93d9188896172121f8db9e22501b53953b377ed489f9acb82b46e
Instruction Fuzzy Hash: 7C01C862A28685C1ED149B64E44637D6331EFC9B94F500331EA9C8FBDADE3CE540CB04

Function 00007FF665FD3AD8 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FD3B6C

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 58579bce4bc1021bb98a03ef504395245509186ce5efb4717343b6b5f18682a3
Instruction ID: d92c5a9c07246c29efd9c669990d3f482a97ac7d69b772e3ebbb2693512b3064
Opcode Fuzzy Hash: 58579bce4bc1021bb98a03ef504395245509186ce5efb4717343b6b5f18682a3
Instruction Fuzzy Hash: 5A01C462E18685C1EA119B28E4422297371FF89B94F405331EB9C4FAE6DF3DE4408B04

Function 00007FF666001558 Relevance: 1.5, APIs: 1, Instructions: 38COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF666001604: GetModuleHandleW.KERNEL32(?,?,?,00007FF666001573,?,?,?,00007FF66600192A), ref: 00007FF66600162B

DloadProtectSection.DELAYIMP ref: 00007FF6660015C9

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: DloadHandleModuleProtectSection
String ID:
API String ID: 2883838935-0
Opcode ID: 902d746097657f35995c40355b3f554eba39218e3fb79a70aefbb70b68ceb6fd
Instruction ID: ebb0b5270ff0deda773c6dd8df147ee55c4406ef9eaa98367868017d4121b801
Opcode Fuzzy Hash: 902d746097657f35995c40355b3f554eba39218e3fb79a70aefbb70b68ceb6fd
Instruction Fuzzy Hash: FE11BA65D08607D1FB619F85BB457702370AF1834EF1400B4C90EDF2A1EF2EA9958F81

Function 00007FF665FE3EC8 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF665FE40BC: FindFirstFileW.KERNELBASE ref: 00007FF665FE410B
Part of subcall function 00007FF665FE40BC: FindFirstFileW.KERNELBASE ref: 00007FF665FE415E
Part of subcall function 00007FF665FE40BC: GetLastError.KERNEL32 ref: 00007FF665FE41AF

FindClose.KERNELBASE(?,?,00000000,00007FF665FF0811), ref: 00007FF665FE3EFD

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: 18fe74ab7ca813274cb64c08179860cc48efc587ad39327f0b25563dc18ddab5
Instruction ID: 8b3ced611ac6a2142de1a88eb4ffff346d25916b309405a9ed2b05994d69eaa5
Opcode Fuzzy Hash: 18fe74ab7ca813274cb64c08179860cc48efc587ad39327f0b25563dc18ddab5
Instruction Fuzzy Hash: 61F0FF629082C1D5EA549FB4E10A27833709B4AFB4F181338EA3D4B2D7CE38EC848F41

Function 00007FF665FE273C Relevance: 1.5, APIs: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE ref: 00007FF665FE2755

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: 182d9e1e92039184aab4081fafd09b1cf385b4bd914a3c272b872952a66d9790
Instruction ID: 121084dae16dbbcb356c0fe22f0ff3499ee87dd2b7a7cd856c0967959ff9789a
Opcode Fuzzy Hash: 182d9e1e92039184aab4081fafd09b1cf385b4bd914a3c272b872952a66d9790
Instruction Fuzzy Hash: 86E0CD11B10555C1EF249B76DC426345330EF4CF85B441030CE0D4F321CE3AC8818E00

Function 00007FF665FE2490 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE ref: 00007FF665FE24A2

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: df9a28314c6b6fddfb177ebf539387614dcb0363737e1ba4f38fe55c4f903e1a
Instruction ID: 93a1db98e2ca5f2fad86ae0cfb4cc893868cb07d37d120a23a2151266f0315e6
Opcode Fuzzy Hash: df9a28314c6b6fddfb177ebf539387614dcb0363737e1ba4f38fe55c4f903e1a
Instruction Fuzzy Hash: C6D01311D05441D2DD505775DC5203C23605F51735F740730D53DC75D2DE2E95955711

Function 00007FF665FE7FC4 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE ref: 00007FF665FE7FD2

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 176ab68ebee512dad0278907058cd855c5c44f8615b79807412a7d406b36e525
Instruction ID: 57d60166868c89a5b9ba3f1df1b3191a2ad3659218f7788080fb831ce133992f
Opcode Fuzzy Hash: 176ab68ebee512dad0278907058cd855c5c44f8615b79807412a7d406b36e525
Instruction Fuzzy Hash: 2EC08C20F0A582C2DA085B26C8CA11813B4BB40F08B614034C20CCA120CE3DCAEA9B85

Function 00007FF66600FA04 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 00007FF66600FA59

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: c4d23aaef5024e3722ccbb242168b3e22d65bf63548bcaacbbf61b8d0a3ba7a1
Instruction ID: e998dc72f3d1de7e1a73f2a9e0468b1245e01c9ad7a5585792533e98ee4f7bd7
Opcode Fuzzy Hash: c4d23aaef5024e3722ccbb242168b3e22d65bf63548bcaacbbf61b8d0a3ba7a1
Instruction Fuzzy Hash: 18F06D94B09307C5FE545E65BB113B452B85FC6B80F2C5430CD0ECE3C1EE2EE6815AA8

Function 00007FF665FE20D0 Relevance: 1.3, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,00000001,00007FF665FE207E), ref: 00007FF665FE20F6

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: ccbd9008d2c4ce7168f8d058ff2f34620ae6bf54bfe45a0cbca9d6a6f1a7c065
Instruction ID: 809f954f6d2c0985069a0050e4d270ef206beb7b0eb1ad9b27fb65acd1182183
Opcode Fuzzy Hash: ccbd9008d2c4ce7168f8d058ff2f34620ae6bf54bfe45a0cbca9d6a6f1a7c065
Instruction Fuzzy Hash: 33F06D22A09682E5FB248B20E8426696771EB54FB8F494335D7398A1D4DF39DA958B00

Function 00007FF66600D94C Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 00007FF66600D98A

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 5fa632deebd8181b9f3ea37834cf4eccbda839d7d0d6f948310c23224b4a93e7
Instruction ID: d3dfb9c882fb12ecf7956b68c7378d4397e46e354abd197c7c926eed54b5b11e
Opcode Fuzzy Hash: 5fa632deebd8181b9f3ea37834cf4eccbda839d7d0d6f948310c23224b4a93e7
Instruction Fuzzy Hash: F5F05810B19207C5FF146EB17A602B466B09F847A0F081634D92ECE2C1DE2EA4808AA1

Non-executed Functions

Function 00007FF665FDC2F0 Relevance: 49.8, APIs: 24, Strings: 4, Instructions: 754fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF665FDDE04: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF665FDCF4B), ref: 00007FF665FDDE27
Part of subcall function 00007FF665FDDE04: GetLastError.KERNEL32 ref: 00007FF665FDDE88
Part of subcall function 00007FF665FDDE04: CloseHandle.KERNEL32 ref: 00007FF665FDDE9B

wcscpy.LIBCMT ref: 00007FF665FDCBC8
wcscpy.LIBCMT ref: 00007FF665FDCBFE
CreateFileW.KERNEL32 ref: 00007FF665FDCC38
DeviceIoControl.KERNEL32 ref: 00007FF665FDCD01
CloseHandle.KERNEL32 ref: 00007FF665FDCD12
GetLastError.KERNEL32 ref: 00007FF665FDCD2E
RemoveDirectoryW.KERNEL32 ref: 00007FF665FDCD7D
DeleteFileW.KERNEL32 ref: 00007FF665FDCD88
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FDCE89
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FDCE8F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FDCE9B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FDCEA1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FDCEAD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FDCEB3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FDCEB9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FDCEBF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FDCEC5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FDCECB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FDCED1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FDCED7

Strings

UNC\, xrefs: 00007FF665FDC53F, 00007FF665FDC55D
SeCreateSymbolicLinkPrivilege, xrefs: 00007FF665FDC34F
\??\, xrefs: 00007FF665FDC392, 00007FF665FDC3B8
SeRestorePrivilege, xrefs: 00007FF665FDC343

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseErrorFileHandleLastwcscpy$ControlCreateCurrentDeleteDeviceDirectoryProcessRemove
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 2659423929-3508440684
Opcode ID: 5e44b816d37aa15c8bc93fb647ff289bd59fc38e1ab6cc2ff94f4b8665b3db8a
Instruction ID: d8557d50adc7c7e9cce82c7fac3a1209998fc44a5f5938d366028531ec4bfdfe
Opcode Fuzzy Hash: 5e44b816d37aa15c8bc93fb647ff289bd59fc38e1ab6cc2ff94f4b8665b3db8a
Instruction Fuzzy Hash: 0662B262F18682C5FB009BB4E5452BD2371EB85BA4F504331DA6D9BAD9DF3CE984CB40

Function 00007FF665FEF180 Relevance: 43.2, APIs: 22, Strings: 2, Instructions: 1205COMMON

Download Yara Rule

APIs

_Init_thread_footer.LIBCMT ref: 00007FF665FF0528

Part of subcall function 00007FF665FEAAE0: LoadStringW.USER32 ref: 00007FF665FEAB67
Part of subcall function 00007FF665FEAAE0: LoadStringW.USER32 ref: 00007FF665FEAB80

Part of subcall function 00007FF665FFB0DC: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,00007FF665FF0429), ref: 00007FF665FFB110
Part of subcall function 00007FF665FFB0DC: SetLastError.KERNEL32 ref: 00007FF665FFB153

Part of subcall function 00007FF665FD129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF665FD1396

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FF0490
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FF0496
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FF049C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FF04A2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FF04A8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FF04AE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FF04B4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FF04BA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FF04C0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FF04C6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FF04CC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FF04D2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FF04D8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FF04DE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FF04E4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FF04EA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FF04F0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FF04F6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FF0532
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FF0538

Strings

%ls, xrefs: 00007FF665FEF3AC, 00007FF665FEF3FF
%s: %s, xrefs: 00007FF665FEFC11

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ErrorLastLoadString$Concurrency::cancel_current_taskInit_thread_footer
String ID: %ls$%s: %s
API String ID: 2539828978-2259941744
Opcode ID: 9b0d0f946a2626f580f858c3f49b622192f0469af18ec8d17628c736e928748c
Instruction ID: 710226da56302d45dbf1b83a1526087ca4c325ed43cc455797aa6d8cb256ef33
Opcode Fuzzy Hash: 9b0d0f946a2626f580f858c3f49b622192f0469af18ec8d17628c736e928748c
Instruction Fuzzy Hash: EAB2CF62958682D1EA109B25E5561BEA331FFC5B90F104336E6DD8FBD6EE7CE940CB00

Function 00007FF666012550 Relevance: 22.3, APIs: 8, Strings: 4, Instructions: 1310COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF666012C12
memcpy_s.LIBCMT ref: 00007FF6660135BF
memcpy_s.LIBCMT ref: 00007FF666013666

Part of subcall function 00007FF6660138BC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6660138EE

memcpy_s.LIBCMT ref: 00007FF66601372F

Part of subcall function 00007FF66600D008: _invalid_parameter_noinfo.LIBCMT ref: 00007FF66600D02D

Strings

1#IND, xrefs: 00007FF6660137AA
1#SNAN, xrefs: 00007FF6660137C9
1#QNAN, xrefs: 00007FF6660137E8
1#INF, xrefs: 00007FF666013807

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfomemcpy_s
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 1759834784-2761157908
Opcode ID: c1568b5568d689d261f1f0b975b9c1104ab10acfc5286cd5346a40821ab4f9bc
Instruction ID: da36d2206a690b22097bddcd516b47b528c80cbf428477abbf8111388fc71430
Opcode Fuzzy Hash: c1568b5568d689d261f1f0b975b9c1104ab10acfc5286cd5346a40821ab4f9bc
Instruction Fuzzy Hash: 69B2DA72A08182CBE7298EA5E6406FD77B5FB4878CF505135DA099FB84DF3AE9448F40

Function 00007FF665FE1A48 Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 375fileCOMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32 ref: 00007FF665FE1A97
GetLongPathNameW.KERNEL32 ref: 00007FF665FE1AE0
GetShortPathNameW.KERNEL32 ref: 00007FF665FE1B21
GetShortPathNameW.KERNEL32 ref: 00007FF665FE1B6A

Part of subcall function 00007FF665FF13C4: CompareStringW.KERNEL32 ref: 00007FF665FF13E3

MoveFileW.KERNEL32 ref: 00007FF665FE1DFE
MoveFileW.KERNEL32 ref: 00007FF665FE1E65

Part of subcall function 00007FF665FE2134: CreateFileW.KERNEL32 ref: 00007FF665FE223C

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FE1FE1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FE1FE7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FE1FED

Strings

rtmp, xrefs: 00007FF665FE1CF4, 00007FF665FE1D03

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: NamePath$File_invalid_parameter_noinfo_noreturn$LongMoveShort$CompareCreateString
String ID: rtmp
API String ID: 3587137053-870060881
Opcode ID: 1ffb243e08b8fb519680c97ae3cffafb4c96412676108627d27e6b4ac5b9e215
Instruction ID: 0d103b35c5b3f27f48a4cd3652a88a5601edf5c7f5e2d2141d13add41c57885f
Opcode Fuzzy Hash: 1ffb243e08b8fb519680c97ae3cffafb4c96412676108627d27e6b4ac5b9e215
Instruction Fuzzy Hash: 62F1B322B18A82D1EB10DB65D4815FD7771FB85B94F501232EA4DCBAA9DF3CE984CB40

Function 00007FF665FE5B60 Relevance: 12.3, APIs: 8, Instructions: 256COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32 ref: 00007FF665FE5BC2
GetFullPathNameW.KERNEL32 ref: 00007FF665FE5C0E
GetFullPathNameW.KERNEL32 ref: 00007FF665FE5D2B
GetFullPathNameW.KERNEL32 ref: 00007FF665FE5D70
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FE5EE0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FE5EE6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FE5EEC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FE5EF2

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: FullNamePath_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1693479884-0
Opcode ID: 1e7c5ac9d18d4859634b67c516166c1ae8f0dcc4e332a300e03a2fc1b19988e3
Instruction ID: 046b4992fc2860233ab1ea1b5780a2dfcc873d0b973a56c9d7b0ff06df33f5c0
Opcode Fuzzy Hash: 1e7c5ac9d18d4859634b67c516166c1ae8f0dcc4e332a300e03a2fc1b19988e3
Instruction Fuzzy Hash: D0A1C262F15A92D4FE109BB9D8451BC2331AB45FE4B144231DE2EAFBC9DE3CE8818640

Function 00007FF666003170 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF66600318C
RtlCaptureContext.KERNEL32 ref: 00007FF6660031B9
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6660031D3
RtlVirtualUnwind.KERNEL32 ref: 00007FF666003214
IsDebuggerPresent.KERNEL32 ref: 00007FF666003268
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF666003289
UnhandledExceptionFilter.KERNEL32 ref: 00007FF666003294

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: eb4060bcbbf6947450414bc0ac192b8da1feec02df413969c5a674799d26ef14
Instruction ID: 210aee0721c1d0693c6a20f9901d1dbcad9e7d97e52d26b12c2b793bad85e739
Opcode Fuzzy Hash: eb4060bcbbf6947450414bc0ac192b8da1feec02df413969c5a674799d26ef14
Instruction Fuzzy Hash: 78315272609B82DAEB648F60F8507ED7370FB48748F444439DA4D8BA99DF39D649CB10

Function 00007FF6660076D8 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF666007751
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF666007769
RtlVirtualUnwind.KERNEL32 ref: 00007FF6660077A4
IsDebuggerPresent.KERNEL32 ref: 00007FF6660077DD
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6660077E7
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6660077F2

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 5940ef1d6d2c32beaf7af9e8e0892e721e3d30544378453b8f42f9f5775f8da8
Instruction ID: 4f399c2b45c6f57efcb76333c6c3806952d604e6a93ad0527e7ae3a6a33d1867
Opcode Fuzzy Hash: 5940ef1d6d2c32beaf7af9e8e0892e721e3d30544378453b8f42f9f5775f8da8
Instruction Fuzzy Hash: E7318F32608B81D6EB648F65F8406AE73B0FB88758F540135EA8D8BB99DF3DD545CB40

Function 00007FF665FD1AA4 Relevance: 6.3, APIs: 4, Instructions: 285COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FD1EA9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FD1EAF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FD1EB5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FD1EBB

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 42edc099a2e17b02c0b0cf95a9f909a88c5519e6dc28ef395e63bef3918fefcd
Instruction ID: 90d043f1c2e105b15bb29a9e42f7db24fa8de52412aed5e030e27da08be89d97
Opcode Fuzzy Hash: 42edc099a2e17b02c0b0cf95a9f909a88c5519e6dc28ef395e63bef3918fefcd
Instruction Fuzzy Hash: FBB1BE62A14B86C5EB109B65E8456ED7371FB89B84F405331EA4D8BB9ADF3CE940CB00

Function 00007FF66600FA94 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF66600FAC4

Part of subcall function 00007FF666007934: GetCurrentProcess.KERNEL32(00007FF666010CCD), ref: 00007FF666007961

Strings

., xrefs: 00007FF66600FEE4
*?, xrefs: 00007FF66600FAEB

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: CurrentProcess_invalid_parameter_noinfo
String ID: *?$.
API String ID: 2518042432-3972193922
Opcode ID: f96344909874f118cd7fc652812aee2de17a0b901a5c412331694f6fbd6e8fc4
Instruction ID: 85c638b9631bb900d3f3acdcea3b4d19ecc728b8e73e51573e7aa09e154adb25
Opcode Fuzzy Hash: f96344909874f118cd7fc652812aee2de17a0b901a5c412331694f6fbd6e8fc4
Instruction Fuzzy Hash: EC511462B14B95C5EF10DFA2AA114B867B8FB88BD8B444531DE1D8FB84EF3DD0428B44

Function 00007FF666012080 Relevance: 4.8, APIs: 3, Instructions: 340COMMONLIBRARYCODE

Download Yara Rule

APIs

memcpy_s.LIBCMT ref: 00007FF66601210B

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: b531b63a04a12e36dec63d06dc2411054f876835da8b044adf2bb9f605172619
Instruction ID: 70dd2407c5d351f520f9f7ba53b6427db9887b3de33139c8ed8287c687138d38
Opcode Fuzzy Hash: b531b63a04a12e36dec63d06dc2411054f876835da8b044adf2bb9f605172619
Instruction Fuzzy Hash: 08D1A432B18286C7DB24CF55B28466AB7A1F799788F148134DB4E9BB44DE3DE881CB00

Function 00007FF665FDB6D8 Relevance: 4.5, APIs: 3, Instructions: 36windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,?,00007FF665FDBA9D), ref: 00007FF665FDB6E5
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,00007FF665FDBA9D), ref: 00007FF665FDB719
LocalFree.KERNEL32(?,?,?,?,?,?,?,00007FF665FDBA9D), ref: 00007FF665FDB743

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID:
API String ID: 1365068426-0
Opcode ID: c27e05edbcf0c556cf9f4b9f4aa6354f64d9dc72ff0f252d3a2ededa039666af
Instruction ID: 119211ddc7b6fb12aab8d084d8be9c567e68fac460e73e6167fd4698e7690981
Opcode Fuzzy Hash: c27e05edbcf0c556cf9f4b9f4aa6354f64d9dc72ff0f252d3a2ededa039666af
Instruction Fuzzy Hash: D301FF7160C746C2E7509F62F95517AA3A5FB89BC4F484134EA8E8BB45CE3DDA058F40

Function 00007FF66600FCA0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

., xrefs: 00007FF66600FEE4

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 7c9d8364e7b62915daf92aecf888b4814fe01b6aae5fc02ec6e7aa2f3019df5b
Instruction ID: 3c665224e027c6ac7b1d24a7e47b29ab00f3a85da015723b881fe5f4dcf03a2f
Opcode Fuzzy Hash: 7c9d8364e7b62915daf92aecf888b4814fe01b6aae5fc02ec6e7aa2f3019df5b
Instruction Fuzzy Hash: E8313B22B086D185FB208E32B9057B9BAA5AB84BE4F148235DE5C8FBC6DE3DD5018744

Function 00007FF666015AF8 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF666015D45
RaiseException.KERNEL32 ref: 00007FF666015D56

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 131550a8e914c8a4384a7255cc8ec53066b4dff0b7ecc1394be8dfb6b4310eca
Instruction ID: dd36a2d482a56c450c71d22a8885b7f96317d6752e88f931c248d0d6c5d45efa
Opcode Fuzzy Hash: 131550a8e914c8a4384a7255cc8ec53066b4dff0b7ecc1394be8dfb6b4310eca
Instruction Fuzzy Hash: 0EB137B7600B85CAEB168F69D9863687BB0F744B4CF158931DA5D8B7A4CF3AD451CB00

Function 00007FF665FF8DF4 Relevance: 3.2, APIs: 2, Instructions: 186COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF665FF85E0: GetDC.USER32 ref: 00007FF665FF85EC
Part of subcall function 00007FF665FF85E0: GetDeviceCaps.GDI32 ref: 00007FF665FF85FD
Part of subcall function 00007FF665FF85E0: ReleaseDC.USER32 ref: 00007FF665FF860A

GetObjectW.GDI32 ref: 00007FF665FF8E48

Part of subcall function 00007FF665FF90B0: GetDC.USER32 ref: 00007FF665FF90D9
Part of subcall function 00007FF665FF90B0: GetObjectW.GDI32 ref: 00007FF665FF9107
Part of subcall function 00007FF665FF90B0: ReleaseDC.USER32 ref: 00007FF665FF91BB

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID:
API String ID: 1061551593-0
Opcode ID: 68dbe16693602acb82a0a9c061fd0d735b77194d41f4ab9e90264308bb487059
Instruction ID: 49bd8f4b1cb4debc2d6e7811b869b8301c92545c82aee4ef03687688d2306864
Opcode Fuzzy Hash: 68dbe16693602acb82a0a9c061fd0d735b77194d41f4ab9e90264308bb487059
Instruction Fuzzy Hash: F581E836B18A05D6EB208FAAE5456AD7771FB88F88F004132DE0D9BB64DF39D545CB40

Function 00007FF665FFA2CC Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32 ref: 00007FF665FFA315
GetNumberFormatW.KERNEL32 ref: 00007FF665FFA371

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: a0c8fcaef59427837b2a7c7753e3d717a8442860a15e47712294eddcbb527c28
Instruction ID: 2dcb3eee93a58d6bfa4cbf2ca19cd4ceea659cf0f72ac489295846d0ad8a89c7
Opcode Fuzzy Hash: a0c8fcaef59427837b2a7c7753e3d717a8442860a15e47712294eddcbb527c28
Instruction Fuzzy Hash: A9113832A08B81D5E6618B11F5006E97374FF88B48F844135DA4D8BA54EF3DA545CB44

Function 00007FF665FE126C Relevance: 1.7, APIs: 1, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF665FE24C0: CreateFileW.KERNELBASE ref: 00007FF665FE259B
Part of subcall function 00007FF665FE24C0: GetLastError.KERNEL32 ref: 00007FF665FE25AE
Part of subcall function 00007FF665FE24C0: CreateFileW.KERNEL32 ref: 00007FF665FE260E
Part of subcall function 00007FF665FE24C0: GetLastError.KERNEL32 ref: 00007FF665FE2617

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FE15D0

Part of subcall function 00007FF665FE3980: MoveFileW.KERNEL32 ref: 00007FF665FE39BD
Part of subcall function 00007FF665FE3980: MoveFileW.KERNEL32 ref: 00007FF665FE3A34

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: File$CreateErrorLastMove$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 34527147-0
Opcode ID: f4ba19db134fffdb72e5179b0e3b1489712cd3e3a676d213efa016387a492e8d
Instruction ID: 4493ca28a189030d7f83e7b81ba7cb75db8e0984ced1dc9f1b7e29e6ceef8e06
Opcode Fuzzy Hash: f4ba19db134fffdb72e5179b0e3b1489712cd3e3a676d213efa016387a492e8d
Instruction Fuzzy Hash: E391AF22B18686D2EB10DB66E8466AE7371FB45FC4F404032EE0E9BB95DF39D945CB40

Function 00007FF665FE51A4 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32 ref: 00007FF665FE51D5

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 6220f8f0736b52f52a4f9f0684f7fcd1da0b773ba531a70ae5974f71c0de4052
Instruction ID: 0f9de3d983ca1f4cf7429b1d1728cda40848ca30be17a2136f02796ea03fff73
Opcode Fuzzy Hash: 6220f8f0736b52f52a4f9f0684f7fcd1da0b773ba531a70ae5974f71c0de4052
Instruction Fuzzy Hash: 4F010271A0D683CAE6648B00FA41A7A33B1FB98719F500235D65ECF794DF3DE9048E40

Function 00007FF666008C1C Relevance: 1.5, Strings: 1, Instructions: 219COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 00007FF666008DD3

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: 0fbd957179d89af9e1d3453d65279f22830f04fe064c784c04e338e6c7bf3646
Instruction ID: b25ad602d87dbf72a26cd99fdce5f5df703bc33687965e40c4cd29e55fc4d5e0
Opcode Fuzzy Hash: 0fbd957179d89af9e1d3453d65279f22830f04fe064c784c04e338e6c7bf3646
Instruction Fuzzy Hash: 7C81D121A18242E6EEA88E25A24067D23B0FF60744F141A33DD09CF695DF3FE946CF81

Function 00007FF6660089A0 Relevance: 1.4, Strings: 1, Instructions: 199COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 00007FF666008B3A

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: a261a21fa45f21d734edfefcd2ffe271b1157111beaf653bc061adca1a26389c
Instruction ID: 63254e61ffc88a9cc80fbb95ed59e769c8aaa49efa0f568785562ec2f9c2c933
Opcode Fuzzy Hash: a261a21fa45f21d734edfefcd2ffe271b1157111beaf653bc061adca1a26389c
Instruction Fuzzy Hash: BA71C421A0C642E6FE688E19A24027E27B0BF42744F241535DD49CFAD6CF2FE8468FC1

Function 00007FF665FEC96C Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

gj, xrefs: 00007FF665FEC97B

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: 226aa63bfce789330e15763d8953fb7d553c3450d9c1aa6f260de1088bdface5
Instruction ID: 1d7770ba42edac4a26b6250e8fe0c90f873ad42fd6b4a6cef1dc118b3c618bb8
Opcode Fuzzy Hash: 226aa63bfce789330e15763d8953fb7d553c3450d9c1aa6f260de1088bdface5
Instruction Fuzzy Hash: 0E518F376286908BD724CF25E401A9AB7A5F388758F445126EE4A97B09CF39E945CF40

Function 00007FF66600C838 Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

@, xrefs: 00007FF66600C874

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 49e7fa989fc271adaa8e130b28d1cae0d9f82f392019a5f874cdac11a507a941
Instruction ID: 7cdcaa0ca10c37e5660e3d3aedda5c5b394d4902fae15617b6e030de516ef192
Opcode Fuzzy Hash: 49e7fa989fc271adaa8e130b28d1cae0d9f82f392019a5f874cdac11a507a941
Instruction Fuzzy Hash: 8041BD32714A45C6EE04CF2AE6182A9B3A5EB58FD4B499136DE1DCF794EE3DD042C740

Function 00007FF666010D20 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF666010D24

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 4ce929ddb23f73c0a8458b43b9ad49d4d7e2a2f746430c3d48bba7e89996d797
Instruction ID: 29716a89fbe12dcc76525bd9ef328c4e39ddd8af5efe8663566248e702abb955
Opcode Fuzzy Hash: 4ce929ddb23f73c0a8458b43b9ad49d4d7e2a2f746430c3d48bba7e89996d797
Instruction Fuzzy Hash: 92B09220E17A02C2EA082B51BE8225462B4BF48701F988038C50C99320EE2E25A64B00

Function 00007FF665FF3964 Relevance: .9, Instructions: 931COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93e830777a8553980f5fe243353a36f6d8d27a5fc8052bc9569f2c684e316ecf
Instruction ID: e1d4513f83c97f132645a2dfd22d1e1ee7b46da89fc2cf30bb3a22c450ff07e1
Opcode Fuzzy Hash: 93e830777a8553980f5fe243353a36f6d8d27a5fc8052bc9569f2c684e316ecf
Instruction Fuzzy Hash: D88215A3A096C1C6D705CF29D5092BC7BB1E795F88F198136CA8E8BB85DE3CD845CB11

Function 00007FF665FD76C0 Relevance: .9, Instructions: 893COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb6bb4a62616f0bcd3e2e2126cd32946fe2ad160a7c0dbd4e5bd03ed1428d6a6
Instruction ID: f25f632bbbe48ff4ec28e41b0dd534875c6f3a64874fd8a1247188d6c2f393e6
Opcode Fuzzy Hash: fb6bb4a62616f0bcd3e2e2126cd32946fe2ad160a7c0dbd4e5bd03ed1428d6a6
Instruction Fuzzy Hash: FF627D9AD3AF9A1EE303A53954131D2E35C0EF74C9551E31BFCE431E66EB92A6832314

Function 00007FF665FF53F0 Relevance: .9, Instructions: 891COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 569adc29ececf777b1726fc3f5cd67d4b9927b4b604ee9515eb09b13eba64041
Instruction ID: 2126f23bd67bb93ed0a7bbe8f645d57f1c110cf08ec6e66ed7fc170aca3b3860
Opcode Fuzzy Hash: 569adc29ececf777b1726fc3f5cd67d4b9927b4b604ee9515eb09b13eba64041
Instruction Fuzzy Hash: 5082E0B3A096C18ADB24CE28D4556FC7BB1E795F48F19C136CA4D8BB89DE38D845CB10

Function 00007FF665FEBB90 Relevance: .6, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffdf8f5a64276e3eb417e3b9ae5b43350349d41efb04db03fca9f8ba9e24336f
Instruction ID: 077a7a9b5b79e568bb5eccac62bba6350d77ea163457f78b1f89b39968269dae
Opcode Fuzzy Hash: ffdf8f5a64276e3eb417e3b9ae5b43350349d41efb04db03fca9f8ba9e24336f
Instruction Fuzzy Hash: 3422F373B206508BD728CF25D89AA5E3766F798744B4B8228DF0ACB789DF39D505CB40

Function 00007FF665FF4B98 Relevance: .6, Instructions: 578COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21143e83615dcc23e36b64f0d60848ac948cba63854c17a605a1a3ec217f9251
Instruction ID: 83feaf36c310c17697ea4461b911a4f256aa4bdfabbdd1705ae8af8afc6f84f8
Opcode Fuzzy Hash: 21143e83615dcc23e36b64f0d60848ac948cba63854c17a605a1a3ec217f9251
Instruction Fuzzy Hash: 6832AF72A085918BE718CF28D555ABC37B1F794B48F05C139DA8A8BB89DF3CAC55CB40

Function 00007FF665FD7288 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 063370d9e2e9571dc593e8358d008e0ec5385ad0435e9f2f5019d46da215c13b
Instruction ID: 0236ae64cefa3c088cbd1ff08036eefbad952eb068d9f6ea04fc8ce32a38ed26
Opcode Fuzzy Hash: 063370d9e2e9571dc593e8358d008e0ec5385ad0435e9f2f5019d46da215c13b
Instruction Fuzzy Hash: 48C19BB7B281908FE350CF7AE400A9D3BB1F39878CB519125DF59A7B09D639EA45CB40

Function 00007FF665FF2D58 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 602477e063b5c1ca901f2159ae3c7fc010244aaa433e93e1960e83d539d05e76
Instruction ID: 46ad899609bea9b448f6a9e49637b40ef64b0218a019551902adee7a170b5ac6
Opcode Fuzzy Hash: 602477e063b5c1ca901f2159ae3c7fc010244aaa433e93e1960e83d539d05e76
Instruction Fuzzy Hash: 64A12372A081C2C6EB15CA24D8467FD27A1EBD0B48F554135DA8A8FBC6DE3DEC41CB51

Function 00007FF665FEAF18 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3f156a61251d3696a660eff3e2c5499dd818c979554cbf7ea7c30eccab92618
Instruction ID: 5bb39d97497016d379882e54cb448f8e59fb33f65f3db71e34d641208694cf3c
Opcode Fuzzy Hash: e3f156a61251d3696a660eff3e2c5499dd818c979554cbf7ea7c30eccab92618
Instruction Fuzzy Hash: B0C10673A292E08DE302CBB5A4248FD3FF1E71D74DB464151EF9667B4AD9285201DF60

Function 00007FF665FDA310 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: ba0d91b71a6ba36ace61fab0c0f7d4922daa1e3f8d028e3e8b3457ff5b2a4fa0
Instruction ID: 548494e5b27419ab5fa9add5fb48527ae3e12bfca186e5fce7c01b07e5ff3a1a
Opcode Fuzzy Hash: ba0d91b71a6ba36ace61fab0c0f7d4922daa1e3f8d028e3e8b3457ff5b2a4fa0
Instruction Fuzzy Hash: 28912262B186C196EB11CF29D4426FD2771FF95B88F440131EF4E8BA59EE39DA06CB00

Function 00007FF665FEB534 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfd80b8924012b3a81ce264cde7180753b201b1e387c519ebd9873ce58afa85e
Instruction ID: 76f76def74f975455c315f1d9f93965a57b6ce827a37bcb0011c0c1b63c898b9
Opcode Fuzzy Hash: cfd80b8924012b3a81ce264cde7180753b201b1e387c519ebd9873ce58afa85e
Instruction Fuzzy Hash: A4611723B182D599EB11CF75C6014FD7FB1A71AB84B458872CE999B646CE3CE906CF10

Function 00007FF665FF21D0 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8137a9b05b05aada6fbcd6bbdda66db02b1ef4637fe403d2df7c72722ebbdea5
Instruction ID: b8d660891d6a70b16b90524fb32b684c13160cdb5d992840447af7081658c0fb
Opcode Fuzzy Hash: 8137a9b05b05aada6fbcd6bbdda66db02b1ef4637fe403d2df7c72722ebbdea5
Instruction Fuzzy Hash: 1C510473B181918BE7298F28E905B7D3761F794B48F454134DB498BA89DE3EE941CF00

Function 00007FF665FF2AB0 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525267a7f117e2089c634eae81b531c40420bccc1aa688f1dd99d62513960580
Instruction ID: c36b0678a4f0d87fc5e04026a27cfd91b248fff0fcc87420ffff0fc7d01a7f6e
Opcode Fuzzy Hash: 525267a7f117e2089c634eae81b531c40420bccc1aa688f1dd99d62513960580
Instruction Fuzzy Hash: 3631C3B2A185C19BD718DE56D95227E77A1F784B44F048139DF4ACBB81DE3CE841CB10

Function 00007FF6660158E0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20052d42666034676028b01d15d2cffdefdd266dec7e2dd0f98b8d8f07818195
Instruction ID: 2d69617208ea8123cdee3fd61ecadb7ed3c6ead693f2832378c088a451c6777a
Opcode Fuzzy Hash: 20052d42666034676028b01d15d2cffdefdd266dec7e2dd0f98b8d8f07818195
Instruction Fuzzy Hash: 99F068B1718256CBDBA48F29F542A2977E0F708384F448039D58DCBB44DE3D94519F04

Function 00007FF666003354 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57e15d0ab639cfe726454a8769b7378f2b682ff734fe90589bfb13db1bf513a
Instruction ID: d3db07ec50c07cc6fec4b9924908e016c970d977f33792cf120e0bbcb80a01d6
Opcode Fuzzy Hash: e57e15d0ab639cfe726454a8769b7378f2b682ff734fe90589bfb13db1bf513a
Instruction Fuzzy Hash: F6A002A190CC43E0E65D8F50FAA0470B330FB58304B540031F00DCD0A4DF3EA902CB40

Function 00007FF665FDD7D0 Relevance: 26.3, APIs: 1, Strings: 14, Instructions: 98COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FDD964

Strings

::$INDEX_ROOT, xrefs: 00007FF665FDD854
::$EA_INFORMATION, xrefs: 00007FF665FDD828
::$INDEX_ALLOCATION, xrefs: 00007FF665FDD83E
:$I30:$INDEX_ALLOCATION, xrefs: 00007FF665FDD849
:$EFS:$LOGGED_UTILITY_STREAM, xrefs: 00007FF665FDD86A
::$EA, xrefs: 00007FF665FDD81D
:$TXF_DATA:$LOGGED_UTILITY_STREAM, xrefs: 00007FF665FDD875
::$LOGGED_UTILITY_STREAM, xrefs: 00007FF665FDD85F
::$ATTRIBUTE_LIST, xrefs: 00007FF665FDD7FC
::$FILE_NAME, xrefs: 00007FF665FDD833
::$REPARSE_POINT, xrefs: 00007FF665FDD88B
::$OBJECT_ID, xrefs: 00007FF665FDD880
::$BITMAP, xrefs: 00007FF665FDD807
::$DATA, xrefs: 00007FF665FDD812

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: :$EFS:$LOGGED_UTILITY_STREAM$:$I30:$INDEX_ALLOCATION$:$TXF_DATA:$LOGGED_UTILITY_STREAM$::$ATTRIBUTE_LIST$::$BITMAP$::$DATA$::$EA$::$EA_INFORMATION$::$FILE_NAME$::$INDEX_ALLOCATION$::$INDEX_ROOT$::$LOGGED_UTILITY_STREAM$::$OBJECT_ID$::$REPARSE_POINT
API String ID: 3668304517-727060406
Opcode ID: fc44dbfd106e66ad26630d810067bee7702886ae7b68d41755c36eb4d41d7e9a
Instruction ID: d080c940f3125202842c1855cef70e54e02355ce7d4788328ec334f8bee4b31f
Opcode Fuzzy Hash: fc44dbfd106e66ad26630d810067bee7702886ae7b68d41755c36eb4d41d7e9a
Instruction Fuzzy Hash: 1141EA36B15F01E9EB008F60E5813E933B5EB48798F400636DA4D8BB59EF39D655CB80

Function 00007FF666002A10 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 61libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF666002A26
GetModuleHandleW.KERNEL32 ref: 00007FF666002A33
GetModuleHandleW.KERNEL32 ref: 00007FF666002A48
GetProcAddress.KERNEL32 ref: 00007FF666002A60
GetProcAddress.KERNEL32 ref: 00007FF666002A73
CreateEventW.KERNEL32 ref: 00007FF666002A9F
DeleteCriticalSection.KERNEL32 ref: 00007FF666002AEB
CloseHandle.KERNEL32 ref: 00007FF666002AFD

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00007FF666002A2C
SleepConditionVariableCS, xrefs: 00007FF666002A56
WakeAllConditionVariable, xrefs: 00007FF666002A66
kernel32.dll, xrefs: 00007FF666002A41

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2565136772-3242537097
Opcode ID: 6e1e709f092c3aabc6fb1c9db3d7c09c3ef1a4a7bf2af41e7ac9402dec2f511f
Instruction ID: 20487354d79269116a481e390385c4e9446a394804871791385bcc31531e847c
Opcode Fuzzy Hash: 6e1e709f092c3aabc6fb1c9db3d7c09c3ef1a4a7bf2af41e7ac9402dec2f511f
Instruction Fuzzy Hash: 08215C74E09A03E2FE559FA0FB5457463B0AF48795F940035C90ECE7A0EF3EA9868B40

Function 00007FF665FE6A0C Relevance: 16.2, APIs: 6, Strings: 3, Instructions: 444COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FE70A6

Part of subcall function 00007FF665FD2004: std::_Xinvalid_argument.LIBCPMT ref: 00007FF665FD200F

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FE70B2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FE70B8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FE70C4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FE70D6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FE70DC

Strings

UNC, xrefs: 00007FF665FE6BBF
\\?\, xrefs: 00007FF665FE6A57, 00007FF665FE6A66
DXGIDebug.dll, xrefs: 00007FF665FE6A18

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Xinvalid_argumentstd::_
String ID: DXGIDebug.dll$UNC$\\?\
API String ID: 4097890229-4048004291
Opcode ID: daa1e37c37adf2081c091304f114c6a73fdbf020029389702496ed43c368b156
Instruction ID: 0dd6d0922c1476b6afc688ce84db047aaeac0176f99a391321950e5d521a3b9d
Opcode Fuzzy Hash: daa1e37c37adf2081c091304f114c6a73fdbf020029389702496ed43c368b156
Instruction Fuzzy Hash: 4312E122B09A86D0EB10DF64E4461AD6371EB85F88F504231EB5D8BBEADF3DD945CB40

Function 00007FF665FFA440 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 257COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF665FD129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF665FD1396

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FFA72F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FFA735
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FFA73B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FFA741
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FFA747
EndDialog.USER32 ref: 00007FF665FFA7BA

Strings

Software\WinRAR SFX, xrefs: 00007FF665FFA52B, 00007FF665FFA53A
GETPASSWORD1, xrefs: 00007FF665FFA773

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskDialog
String ID: GETPASSWORD1$Software\WinRAR SFX
API String ID: 431506467-1315819833
Opcode ID: d20c2f114c9109beee27ce5cf2a2d2fb90c2edf5e9b936924732424cb653f975
Instruction ID: 45f901c9d48e86f787a6972cfc4dd2ea5b4f4c7d5959f2ce07880763caa88fa2
Opcode Fuzzy Hash: d20c2f114c9109beee27ce5cf2a2d2fb90c2edf5e9b936924732424cb653f975
Instruction Fuzzy Hash: 93B1AF62F19782C5FB008BA4E4452BC23B2EB85B98F404235DA5CAFAD9DF3DE945C744

Function 00007FF665FF6E80 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 204memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF665FF7E9B), ref: 00007FF665FF7080
CreateStreamOnHGlobal.COMBASE ref: 00007FF665FF70B1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FF717B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FF7181
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FF7187

Strings

<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 00007FF665FF6F2C, 00007FF665FF6F3B
<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>, xrefs: 00007FF665FF6ED5, 00007FF665FF6EE4
<html>, xrefs: 00007FF665FF6F13
</html>, xrefs: 00007FF665FF6F72, 00007FF665FF6F81

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Global$AllocCreateStream
String ID: </html>$<html>$<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 2868844859-1533471033
Opcode ID: 7d5a2165bcb14269ce88758dc811b505d41036279ac82267a240c61270d62392
Instruction ID: ff5a5aa3bb490fd3543453d977c747775864c968b25c05b327f88871585a80fb
Opcode Fuzzy Hash: 7d5a2165bcb14269ce88758dc811b505d41036279ac82267a240c61270d62392
Instruction Fuzzy Hash: 99819062F19A42D5FB00DBA5E5411ED6371AF84B88F400135DE1D9FA9AEE3DE90AC740

Function 00007FF66600E650 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 117COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF66600E7CD

Strings

inf, xrefs: 00007FF66600E6D6
NAN, xrefs: 00007FF66600E6B1
NAN(IND), xrefs: 00007FF66600E6FB
NAN(SNAN), xrefs: 00007FF66600E6E5
INF, xrefs: 00007FF66600E6C3
nan(ind), xrefs: 00007FF66600E706
nan, xrefs: 00007FF66600E6B8
nan(snan), xrefs: 00007FF66600E6F0

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
API String ID: 3215553584-2617248754
Opcode ID: ca8329083cbd7a022b2adefca7a3bb58d0ae1dff90efa4c28dbe4d3f14657870
Instruction ID: 1ad08d647298da2cbdbf4dddad3e93b83445bcba12465ec4df4256d1e770b75b
Opcode Fuzzy Hash: ca8329083cbd7a022b2adefca7a3bb58d0ae1dff90efa4c28dbe4d3f14657870
Instruction Fuzzy Hash: 24418A72A09B85C9EB04CF65F9517A933B4EB18398F004136EA5C9FB94DE3ED025C784

Function 00007FF665FFF390 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 85windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32 ref: 00007FF665FFF3CF
GetClassNameW.USER32 ref: 00007FF665FFF3FC
GetWindowLongPtrW.USER32 ref: 00007FF665FFF41D
SendMessageW.USER32 ref: 00007FF665FFF437
GetObjectW.GDI32 ref: 00007FF665FFF452
SendMessageW.USER32 ref: 00007FF665FFF487
DeleteObject.GDI32 ref: 00007FF665FFF490
GetWindow.USER32 ref: 00007FF665FFF49E

Strings

STATIC, xrefs: 00007FF665FFF402

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassDeleteLongName
String ID: STATIC
API String ID: 2845197485-1882779555
Opcode ID: 028936735c5caa7e1c5955390d3996a5d13f8d6e72d7f98742e6e6c768b0ab82
Instruction ID: f2a980c2268d4c51563cf6200bd7eba592be7bcd31ad96434addea66e11d881d
Opcode Fuzzy Hash: 028936735c5caa7e1c5955390d3996a5d13f8d6e72d7f98742e6e6c768b0ab82
Instruction Fuzzy Hash: BA318B21B08683C2FA609B12E655BBA63B1AB89B80F440031DD4D8FB56DE3DEC06CF40

Function 00007FF665FFAE90 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

LICENSEDLG, xrefs: 00007FF665FFAEAE

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: ItemTextWindow
String ID: LICENSEDLG
API String ID: 2478532303-2177901306
Opcode ID: 35fefc179f922e98870b8a3b257cf5e504c5ed53f195972dc606f5139ed8380b
Instruction ID: 6e1261c6ac78b580a80db447305d6bdaba4bfe6471b1ed8615da4a39b2668e3e
Opcode Fuzzy Hash: 35fefc179f922e98870b8a3b257cf5e504c5ed53f195972dc606f5139ed8380b
Instruction Fuzzy Hash: 7D418B31A08A52C2FB509B12F955BB923B1AF84F85F444135D94E8FBA5CF7EAD46CB00

Function 00007FF665FEB9B4 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 84libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF665FEBA12
GetProcAddress.KERNEL32 ref: 00007FF665FEBA2D
GetCurrentProcessId.KERNEL32 ref: 00007FF665FEBACA

Part of subcall function 00007FF665FEDFD0: GetSystemDirectoryW.KERNEL32 ref: 00007FF665FEDDDF

Strings

CryptProtectMemory failed, xrefs: 00007FF665FEBA80
Crypt32.dll, xrefs: 00007FF665FEB9F0
CryptProtectMemory, xrefs: 00007FF665FEBA08
CryptUnprotectMemory failed, xrefs: 00007FF665FEBAC1
CryptUnprotectMemory, xrefs: 00007FF665FEBA1F

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: AddressProc$CurrentDirectoryProcessSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptProtectMemory failed$CryptUnprotectMemory$CryptUnprotectMemory failed
API String ID: 2915667086-2207617598
Opcode ID: d2e93635ec338890dfe438c4789fcaf7e26687fbfe6c7ce53d5981307f2d6baa
Instruction ID: 0bc999f90e21269fa789cf807e73b67bbca46b08985c997de2d4c2b99c83a24d
Opcode Fuzzy Hash: d2e93635ec338890dfe438c4789fcaf7e26687fbfe6c7ce53d5981307f2d6baa
Instruction Fuzzy Hash: 20315724A0EB87E0FA149B52FA5667563B0AF45F94F040935CC4E8F3A4DE3EE9818B04

Function 00007FF665FF87D8 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 415COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FF8DB6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FF8DC2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FF8DCE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FF8DDA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FF8DE0

Strings

, xrefs: 00007FF665FF88BE
, xrefs: 00007FF665FF8A55

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: $
API String ID: 3668304517-227171996
Opcode ID: f2fdc83a9f6be17559bdfed1ab1fa604e61a382ff22291328a8e9483648cafea
Instruction ID: c978fd4c2ed5051010a337135b1e638b8df80e7c53b16141900364e35c73b56e
Opcode Fuzzy Hash: f2fdc83a9f6be17559bdfed1ab1fa604e61a382ff22291328a8e9483648cafea
Instruction Fuzzy Hash: 79F1CF62F15A46C0EF109B66E58A1BC2371AB84F98F405231CB6D9BBD9DF7CE981C740

Function 00007FF6660057EC Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 317COMMONLIBRARYCODE

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF66600598A
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF666005CAD
abort.LIBCMT ref: 00007FF666005CE1

Strings

csm, xrefs: 00007FF6660059B1
csm, xrefs: 00007FF666005933
csm, xrefs: 00007FF6660058D1

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 2940173790-393685449
Opcode ID: 65edb01f61f21fff02eaccc9a46b43a233fa456fccf40e480b66f774ee54b1a7
Instruction ID: 64f57bca32f998875cc7ff5c68c30742d93b2bc226a26a84e4adb701010d2ea1
Opcode Fuzzy Hash: 65edb01f61f21fff02eaccc9a46b43a233fa456fccf40e480b66f774ee54b1a7
Instruction Fuzzy Hash: 34E1CE76908B82CAE7219F25E6803AD3BB0FB45748F144535DA8C8F696DF39E485CB80

Function 00007FF665FE4F38 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 158COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF665FE4E24: SysAllocString.OLEAUT32 ref: 00007FF665FE4E5F

VariantClear.OLEAUT32 ref: 00007FF665FE5125

Strings

WQL, xrefs: 00007FF665FE502A
ROOT\CIMV2, xrefs: 00007FF665FE4F7B
Windows 10, xrefs: 00007FF665FE510A
Name, xrefs: 00007FF665FE50F9
SELECT * FROM Win32_OperatingSystem, xrefs: 00007FF665FE5017

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: AllocClearStringVariant
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
API String ID: 1959693985-3505469590
Opcode ID: a8b35b7bcd37d82ee4aaa20c3b876beaab518b1de9e1ce59ea14af8b32f1fe8d
Instruction ID: 2a28364a2de1321870bd5b5c5d016f95279da3babf93ac4f4a8a569f6ed33495
Opcode Fuzzy Hash: a8b35b7bcd37d82ee4aaa20c3b876beaab518b1de9e1ce59ea14af8b32f1fe8d
Instruction Fuzzy Hash: 49714A36A14B46D5EB20CF65E9806AD77B0FB88B98B045136EE4E8BB64CF3DD544CB00

Function 00007FF6660072EC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,00000000,00007FF6660074F3,?,?,?,00007FF66600525E,?,?,?,00007FF666005219), ref: 00007FF666007371
GetLastError.KERNEL32(?,?,00000000,00007FF6660074F3,?,?,?,00007FF66600525E,?,?,?,00007FF666005219), ref: 00007FF66600737F
LoadLibraryExW.KERNEL32(?,?,00000000,00007FF6660074F3,?,?,?,00007FF66600525E,?,?,?,00007FF666005219), ref: 00007FF6660073A9
FreeLibrary.KERNEL32(?,?,00000000,00007FF6660074F3,?,?,?,00007FF66600525E,?,?,?,00007FF666005219), ref: 00007FF6660073EF
GetProcAddress.KERNEL32(?,?,00000000,00007FF6660074F3,?,?,?,00007FF66600525E,?,?,?,00007FF666005219), ref: 00007FF6660073FB

Strings

api-ms-, xrefs: 00007FF666007391

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: eedfc97f7024c66fbeb39a7219499b253e22696fd1fdab2c5f769bf1fd383016
Instruction ID: 2c5f622b9bd430541bfb7d080f098dc68c0620fa73bc4dfb25d5769d8dd05c6d
Opcode Fuzzy Hash: eedfc97f7024c66fbeb39a7219499b253e22696fd1fdab2c5f769bf1fd383016
Instruction Fuzzy Hash: 4131B021A1A642E1FE219F06BA0067963B8FF48BA4F594635DD1D8F384EF3DF4408B50

Function 00007FF666001604 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 43libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,00007FF666001573,?,?,?,00007FF66600192A), ref: 00007FF66600162B
GetProcAddress.KERNEL32(?,?,?,00007FF666001573,?,?,?,00007FF66600192A), ref: 00007FF666001648
GetProcAddress.KERNEL32(?,?,?,00007FF666001573,?,?,?,00007FF66600192A), ref: 00007FF666001664

Strings

KERNEL32.DLL, xrefs: 00007FF666001624
AcquireSRWLockExclusive, xrefs: 00007FF66600163E
ReleaseSRWLockExclusive, xrefs: 00007FF666001653

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: 4fe35f58cd4175722fa2f4edd42b7d77b08fa8d78ae8e9bf73ccac7c2071e7f8
Instruction ID: bfb8b0f3f66384d7c348271433f9b78a736cb3b6509fd2d812ae7b5073e13107
Opcode Fuzzy Hash: 4fe35f58cd4175722fa2f4edd42b7d77b08fa8d78ae8e9bf73ccac7c2071e7f8
Instruction Fuzzy Hash: 60110C31A19B03D1FE658F80BB4027463B96F0879CF4C5475C92ECE390EE7EA9448E40

Function 00007FF665FEED24 Relevance: 9.1, APIs: 6, Instructions: 120timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF665FE51A4: GetVersionExW.KERNEL32 ref: 00007FF665FE51D5

FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF665FD5AB4), ref: 00007FF665FEED8C
FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF665FD5AB4), ref: 00007FF665FEED98
SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF665FD5AB4), ref: 00007FF665FEEDA8
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF665FD5AB4), ref: 00007FF665FEEDB6
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF665FD5AB4), ref: 00007FF665FEEDC4
FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF665FD5AB4), ref: 00007FF665FEEE05

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 197518eb8103cda2bd6b54f1f5e99fa721289ee203340eaf45d2c62117a67569
Instruction ID: 8e027aa29726ec2bc8ecce375d4e2624d98d831124e30b8ff078a437ff8a9dea
Opcode Fuzzy Hash: 197518eb8103cda2bd6b54f1f5e99fa721289ee203340eaf45d2c62117a67569
Instruction Fuzzy Hash: A7516DB2B10652DAEB14CFA5E4451AC77B1F748B88B64403ADE0D9BB58DF38E955CB00

Function 00007FF665FEF010 Relevance: 9.1, APIs: 6, Instructions: 80timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32 ref: 00007FF665FEF074

Part of subcall function 00007FF665FE51A4: GetVersionExW.KERNEL32 ref: 00007FF665FE51D5

LocalFileTimeToFileTime.KERNEL32 ref: 00007FF665FEF096
FileTimeToSystemTime.KERNEL32 ref: 00007FF665FEF0A2
TzSpecificLocalTimeToSystemTime.KERNEL32 ref: 00007FF665FEF0B2
SystemTimeToFileTime.KERNEL32 ref: 00007FF665FEF0C0
SystemTimeToFileTime.KERNEL32 ref: 00007FF665FEF0CE

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 93bf5fe4be91675a5f4cba4a2df0f2c5ed0bd126a165fd4d88c3e7d5e64543a6
Instruction ID: ff14e771d89b6210c9e401a46a3c346494962445ab3b9823a53a669e8f226f29
Opcode Fuzzy Hash: 93bf5fe4be91675a5f4cba4a2df0f2c5ed0bd126a165fd4d88c3e7d5e64543a6
Instruction Fuzzy Hash: 30311A62B10A51DDFB04CFB5E8811AC7771FB08758B54503AEE0D9BA58EF38D995CB10

Function 00007FF665FE7918 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 233COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FE7C8C

Strings

rar, xrefs: 00007FF665FE7A9B, 00007FF665FE7AAA, 00007FF665FE7B67, 00007FF665FE7B7C
exe, xrefs: 00007FF665FE79AF, 00007FF665FE79BE
.rar, xrefs: 00007FF665FE7969, 00007FF665FE7978
sfx, xrefs: 00007FF665FE79F3, 00007FF665FE7A02

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: .rar$exe$rar$sfx
API String ID: 3668304517-630704357
Opcode ID: 2782df0ac0d906a6dfd4afc5fd13043494203347564149d90fad9f6fe0172506
Instruction ID: 96a39d6185440b26652a204da996b15fdf5681a881bd6e90542d9c0fc98d6d48
Opcode Fuzzy Hash: 2782df0ac0d906a6dfd4afc5fd13043494203347564149d90fad9f6fe0172506
Instruction Fuzzy Hash: E1A1A122A19A86E0EA049F65E8462BC2371EF44F98F401235DE1D9F6EADF3DE945C740

Function 00007FF666005CE8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 191COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF666005D58

Part of subcall function 00007FF666005210: abort.LIBCMT ref: 00007FF666005223

_CallSETranslator.LIBVCRUNTIME ref: 00007FF666005DA3
abort.LIBCMT ref: 00007FF666005FD1

Strings

RCC, xrefs: 00007FF666005D74
MOC, xrefs: 00007FF666005D6C

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: abort$CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 2889003569-2084237596
Opcode ID: 0f4c2d06ef2d655583c55900dbb020dcf620b12558a4295111afe460be181df6
Instruction ID: 52a7943fe24cc548827623e6584013d5a17c3ab747196e8487bc1d7bb25510ec
Opcode Fuzzy Hash: 0f4c2d06ef2d655583c55900dbb020dcf620b12558a4295111afe460be181df6
Instruction Fuzzy Hash: B4918C77A08B81CAE7118F65E6402AD7BB0FB04788F14413AEA8D9FB59DF39D195CB40

Function 00007FF666004F80 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF666004FAB
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF666005040
RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,00007FF666002F5E), ref: 00007FF66600508F

Strings

f, xrefs: 00007FF666004FBE
csm, xrefs: 00007FF666005026

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: a7c39da158025e753bf36dfb1e051fd0b17def11f5f8def40396cbfe1c046983
Instruction ID: 07af2cc8c3dc6b4242815cc0a782f72d2006624f7915588775b10a2e8c626304
Opcode Fuzzy Hash: a7c39da158025e753bf36dfb1e051fd0b17def11f5f8def40396cbfe1c046983
Instruction Fuzzy Hash: 14519F36A19602C6EB16CF15F644A6D77B5FB44B88F508034EA1A8F748DF7AE941CF80

Function 00007FF665FDCEE0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 139COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF665FDD03D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FDD0D1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FDD0D7

Part of subcall function 00007FF665FDDE04: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF665FDCF4B), ref: 00007FF665FDDE27
Part of subcall function 00007FF665FDDE04: GetLastError.KERNEL32 ref: 00007FF665FDDE88
Part of subcall function 00007FF665FDDE04: CloseHandle.KERNEL32 ref: 00007FF665FDDE9B

Strings

SeRestorePrivilege, xrefs: 00007FF665FDCF5E
SeSecurityPrivilege, xrefs: 00007FF665FDCF3F

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: ErrorLast_invalid_parameter_noinfo_noreturn$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 2102711378-639343689
Opcode ID: 8e19f0960acccde70cdb6f4ae44bfdba7dde49cd3aecb391576d39059d5aab7f
Instruction ID: 70a0e815e9bf3f02da5e6d923ab8d6cb52d26b8854df21643b92064848eaeb4b
Opcode Fuzzy Hash: 8e19f0960acccde70cdb6f4ae44bfdba7dde49cd3aecb391576d39059d5aab7f
Instruction Fuzzy Hash: D651E262F18642D5FB00DB65E9466BD2370AF84BA4F400231DE1DDF69ADE3CAC86CB40

Function 00007FF665FF7B28 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

ShowWindow.USER32 ref: 00007FF665FF7B6F
GetWindowRect.USER32 ref: 00007FF665FF7BC0
ShowWindow.USER32 ref: 00007FF665FF7C96
ShowWindow.USER32 ref: 00007FF665FF7CC3

Strings

RarHtmlClassName, xrefs: 00007FF665FF7C4B

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: Window$Show$Rect
String ID: RarHtmlClassName
API String ID: 2396740005-1658105358
Opcode ID: 95333b9ad2bfddc98b100d65ee3ae7a1141886215ecc40d0d40dcbf9cb340d19
Instruction ID: 0493e91e6b183dba296ca32450863ba8c3431a2fce8eefca34d7b2618f8d1499
Opcode Fuzzy Hash: 95333b9ad2bfddc98b100d65ee3ae7a1141886215ecc40d0d40dcbf9cb340d19
Instruction Fuzzy Hash: D7517022A09B82C6EA249B25F54577AA3B0FB85B80F104535DE8E8FB55DF3DE845CF00

Function 00007FF665FFFD0C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

SetEnvironmentVariableW.KERNEL32 ref: 00007FF665FFFD43
SetEnvironmentVariableW.KERNEL32 ref: 00007FF665FFFDBC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FFFE1B

Strings

sfxpar, xrefs: 00007FF665FFFDB5
sfxcmd, xrefs: 00007FF665FFFD3C

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: EnvironmentVariable$_invalid_parameter_noinfo_noreturn
String ID: sfxcmd$sfxpar
API String ID: 3540648995-3493335439
Opcode ID: ce72e9bcdfddcf2667ebe4c513ec0d1727c59f1d3b739ca42450d660fec21911
Instruction ID: c73218f17a2b0313f6558ff4c6c5467f70105e9ca7608add49a6e398c576c84d
Opcode Fuzzy Hash: ce72e9bcdfddcf2667ebe4c513ec0d1727c59f1d3b739ca42450d660fec21911
Instruction Fuzzy Hash: 09318B32A14A46C4EB048BA9E8851AC7371FB88B98F141131DE5D9FBA9DE38E585CB44

Function 00007FF665FFFED4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 52COMMON

Download Yara Rule

Strings

RENAMEDLG, xrefs: 00007FF665FFFF60
REPLACEFILEDLG, xrefs: 00007FF665FFFF34, 00007FF665FFFF99

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 98f895654b64cd1d2f90e97d30244ed9b67d31cc2014a88c355cd353264df31a
Instruction ID: ae1a32889499fb8e40b39bdedb60fd0beb056ae354a5bee3754816682289d0ad
Opcode Fuzzy Hash: 98f895654b64cd1d2f90e97d30244ed9b67d31cc2014a88c355cd353264df31a
Instruction Fuzzy Hash: 5721252090DA8BD1FA518B15FA4557463B0EB8AB89F640136D94DDFBA0CE3EE884CB44

Function 00007FF66600BFB0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF66600BFD0
GetProcAddress.KERNEL32 ref: 00007FF66600BFE6
FreeLibrary.KERNEL32 ref: 00007FF66600C00B

Strings

mscoree.dll, xrefs: 00007FF66600BFC7
CorExitProcess, xrefs: 00007FF66600BFDF

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 42a4ca90c7c49dddb16080121233970ff8583544d2054868cb5f0899d871e2db
Instruction ID: cbc839afb680a677ab20b71c58a8fee83d7950f029211dd35ead44e73c5e28ea
Opcode Fuzzy Hash: 42a4ca90c7c49dddb16080121233970ff8583544d2054868cb5f0899d871e2db
Instruction Fuzzy Hash: 8BF04F62A19A42D1EF448B51F540379A370EF88798F581035E94F8E664DE3EE584CB00

Function 00007FF6660145C0 Relevance: 7.7, APIs: 5, Instructions: 203COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF666014605

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: cf462e6f26ae3af6f96c078c51b53c82231ed120809331cf2f591469c69a5a17
Instruction ID: fb492e26daf845a36f91c2ab0f9536d0fd4cb5e797c804f38b5df22c091dfdf4
Opcode Fuzzy Hash: cf462e6f26ae3af6f96c078c51b53c82231ed120809331cf2f591469c69a5a17
Instruction Fuzzy Hash: 9081F262F18602E5F7108FA5AA406BCA7B0BB45B8CF454136DE0EDF6A5DF3EA445CB10

Function 00007FF665FE3AF8 Relevance: 7.7, APIs: 5, Instructions: 164filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF665FE3BBB
CreateFileW.KERNEL32 ref: 00007FF665FE3C24
SetFileTime.KERNEL32 ref: 00007FF665FE3CEC
CloseHandle.KERNEL32 ref: 00007FF665FE3CF6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FE3D2C

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: File$Create$CloseHandleTime_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2398171386-0
Opcode ID: ed02a809717236ee1ed586c7e858dbefa1ed7ae72bbe3c8719455611c93ecd51
Instruction ID: 159cd1fa45d513a73a3ae454c3b8a5ef4739daebcfeb74ecad55f66fbe56b285
Opcode Fuzzy Hash: ed02a809717236ee1ed586c7e858dbefa1ed7ae72bbe3c8719455611c93ecd51
Instruction Fuzzy Hash: A751C422B04A82E9FB50DBA5E4452BD63B1AB84B98F104635DE1D9F7E8DE38A945C700

Function 00007FF666013F34 Relevance: 7.6, APIs: 5, Instructions: 142fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00007FF666014767), ref: 00007FF666013F91
WideCharToMultiByte.KERNEL32 ref: 00007FF66601406D
WriteFile.KERNEL32 ref: 00007FF666014093
WriteFile.KERNEL32 ref: 00007FF6660140D2
GetLastError.KERNEL32 ref: 00007FF66601410A

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
String ID:
API String ID: 3659116390-0
Opcode ID: 8f90b3f8899b92826fb288bc35eb601c263b89b4fb676f823db5d062d6f6b41f
Instruction ID: 290ea49d8d18c8a99ab7b2f811ea49c993590a286af69b00210de621579ffbb4
Opcode Fuzzy Hash: 8f90b3f8899b92826fb288bc35eb601c263b89b4fb676f823db5d062d6f6b41f
Instruction Fuzzy Hash: 6551DD32A14A51D9E711CFA5E5403AC7BB0BB48B9CF048135DF0A9FAA8DF3AD156CB00

Function 00007FF666001E00 Relevance: 7.6, APIs: 5, Instructions: 137memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF665FE4DF4), ref: 00007FF666001E87
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF665FE4DF4), ref: 00007FF666001F09
SysAllocString.OLEAUT32 ref: 00007FF666001F16

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString
String ID:
API String ID: 262959230-0
Opcode ID: 55eea0222137253c860f73f771396d48486a61dcff80d6f5aaddb46a2ec13fc8
Instruction ID: 7c16b59eb1ecf5d067fb32e004f3542857a113687f81efa22ef03900136834ee
Opcode Fuzzy Hash: 55eea0222137253c860f73f771396d48486a61dcff80d6f5aaddb46a2ec13fc8
Instruction Fuzzy Hash: DE41E531A09646C6EB148FA1B64037962B5EF04BE8F144634EA6DCFBD5DF3ED1418B80

Function 00007FF66600F414 Relevance: 7.6, APIs: 5, Instructions: 114libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF66600F536

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: d8da239e760e4119be076ce5ae60c5d71a4e7276355522d8061e2664917ecd9d
Instruction ID: 087e13e4bca77dae3584074dabb8319110fed93081cf8bd4bf8a5211e9c26322
Opcode Fuzzy Hash: d8da239e760e4119be076ce5ae60c5d71a4e7276355522d8061e2664917ecd9d
Instruction Fuzzy Hash: B241D422B09A42D1FA159F52BA0067563B9BF84BD4F098535DE1DCF784EF3DE4409B84

Function 00007FF6660156D8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF6660156FF
_set_statfp.LIBCMT ref: 00007FF66601571A
_set_statfp.LIBCMT ref: 00007FF666015736
_set_statfp.LIBCMT ref: 00007FF666015772

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: f3bd3298a46f29c998dca386ec4adc9bd6d7efdfabb851da102e47160911a3a1
Instruction ID: d4389693a995185c8afb32da104a44cd1264dcc4617b0a3f78eb23ba65e5b0ad
Opcode Fuzzy Hash: f3bd3298a46f29c998dca386ec4adc9bd6d7efdfabb851da102e47160911a3a1
Instruction Fuzzy Hash: EF11E2FEE1CA07C1F61B11E4F34337990B16F493A8F488232EA7D8E1D6DE2EA4404900

Function 00007FF665FFFE24 Relevance: 7.5, APIs: 5, Instructions: 29windowsynchronizationCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32 ref: 00007FF665FFFE41
GetMessageW.USER32 ref: 00007FF665FFFE58
TranslateMessage.USER32 ref: 00007FF665FFFE63
DispatchMessageW.USER32 ref: 00007FF665FFFE6E
WaitForSingleObject.KERNEL32 ref: 00007FF665FFFE7C

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: Message$DispatchObjectPeekSingleTranslateWait
String ID:
API String ID: 3621893840-0
Opcode ID: eb57a341668d454e4e6cd52f39bb1811463ddcab187ea95c48cb89abc8d18535
Instruction ID: 6e184b4ddc4270889ed197abf0a161a040fa6aac056aa532f9612bd3301d3264
Opcode Fuzzy Hash: eb57a341668d454e4e6cd52f39bb1811463ddcab187ea95c48cb89abc8d18535
Instruction Fuzzy Hash: 6AF03732B28486C2F7508B20F895F7A2221FFE4B06F841131EA4A8A894DE3DD949CB00

Function 00007FF66600625C Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF666006286
abort.LIBCMT ref: 00007FF6660064EA

Strings

csm, xrefs: 00007FF66600641A
csm, xrefs: 00007FF6660062AB

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: __except_validate_context_recordabort
String ID: csm$csm
API String ID: 746414643-3733052814
Opcode ID: 91fc108a1c492767e4bb41002f60c2920875b1ec76e01922ab372504797a4c8e
Instruction ID: a0aadbe9243bd39f5676cf5b580fe47b7cb82db6653aa2ff998647c0cddaf51e
Opcode Fuzzy Hash: 91fc108a1c492767e4bb41002f60c2920875b1ec76e01922ab372504797a4c8e
Instruction Fuzzy Hash: 1C71A072619681DAD7608F26A25077D7BB1FB05B98F048135DA4C8FA89CF3DD4D5CB80

Function 00007FF6660080F4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF66600811B
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6660082ED

Strings

*, xrefs: 00007FF666008221
, xrefs: 00007FF666008276

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: $*
API String ID: 3215553584-3982473090
Opcode ID: 42643a1ee39b50d27a50b926b179a62c0cdc4d381fe14b17104e750277292b9f
Instruction ID: e719ecfcee06628cf4a8600178dd81f3d754537bba21b9a6c44dd327e6e42c41
Opcode Fuzzy Hash: 42643a1ee39b50d27a50b926b179a62c0cdc4d381fe14b17104e750277292b9f
Instruction Fuzzy Hash: 2B51477291CA42DAEF688E28A64437C3BB5FF05B19F141135C64A8D299CF3ED881CF85

Function 00007FF666011758 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 126COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF6660117CB
MultiByteToWideChar.KERNEL32 ref: 00007FF666011894
GetStringTypeW.KERNEL32 ref: 00007FF6660118AE

Strings

$%s, xrefs: 00007FF66601175A

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: ByteCharMultiWide$StringType
String ID: $%s
API String ID: 3586891840-3791308623
Opcode ID: 8174e861c2faa6f2f7f5292a0ee7474812abc1109b8acb2517e9a7bc716d8d39
Instruction ID: bedd29703434199fc54d898c9faafaa21156ec211f4c6b796b7c3dfdf549a384
Opcode Fuzzy Hash: 8174e861c2faa6f2f7f5292a0ee7474812abc1109b8acb2517e9a7bc716d8d39
Instruction Fuzzy Hash: AB41B332B15B81CAEB258F65E9002A8A2B1FB54BACF484231DE1D8F7C5DF7DE4418740

Function 00007FF6660066A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF666005210: abort.LIBCMT ref: 00007FF666005223

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF66600674A
_CreateFrameInfo.LIBVCRUNTIME ref: 00007FF666006776

Strings

csm, xrefs: 00007FF666006876

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: CreateFrameInfo__except_validate_context_recordabort
String ID: csm
API String ID: 2466640111-1018135373
Opcode ID: ef48871438151390fa300b301edbe87f2aaf35895cd4fd9de5e2d21b12dcaab2
Instruction ID: 56a255e35d9759157587ad3a0db4335067e563672075105cab695ffeb4148b8e
Opcode Fuzzy Hash: ef48871438151390fa300b301edbe87f2aaf35895cd4fd9de5e2d21b12dcaab2
Instruction Fuzzy Hash: 4D513B76628B41C7E620AF56B24026E77B4FB89B90F140535EB8D8FB55CF39E490CB80

Function 00007FF666014360 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF666014446
WriteFile.KERNEL32 ref: 00007FF666014479
GetLastError.KERNEL32 ref: 00007FF66601449B

Strings

U, xrefs: 00007FF666014424

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: ByteCharErrorFileLastMultiWideWrite
String ID: U
API String ID: 2456169464-4171548499
Opcode ID: a3c4996b5397ae7c68c43f4944c85cd830f0b958292ccb38960a62bfe152ddee
Instruction ID: 6c588d8c9d6622565a075fb3322f063211be8ea9d1afa3e955da42e127d74d91
Opcode Fuzzy Hash: a3c4996b5397ae7c68c43f4944c85cd830f0b958292ccb38960a62bfe152ddee
Instruction Fuzzy Hash: 7841A222A19A81D2EB108F65F5443BAA760FB88798F444131EE4DCF754DF7DD545CB40

Function 00007FF665FF90B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF665FF90D9
GetObjectW.GDI32 ref: 00007FF665FF9107
ReleaseDC.USER32 ref: 00007FF665FF91BB

Strings

, xrefs: 00007FF665FF9153

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: ObjectRelease
String ID:
API String ID: 1429681911-3916222277
Opcode ID: 0b5772d91688d342ea342be5c9c3c9ea07a5ad9e93d570546deb1a9808731c40
Instruction ID: 95267082e4cdc6df6e5b685bfc5327afe94c5777efb937882a508753d8c4e445
Opcode Fuzzy Hash: 0b5772d91688d342ea342be5c9c3c9ea07a5ad9e93d570546deb1a9808731c40
Instruction Fuzzy Hash: F731403560878286DB149F12BA18B6A7770F789FD2F504536ED4A9B754CE3DD889CB00

Function 00007FF665FEE870 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,?,?,00007FF665FF317F,?,?,00001000,00007FF665FDE51D), ref: 00007FF665FEE8BB
CreateSemaphoreW.KERNEL32(?,?,?,00007FF665FF317F,?,?,00001000,00007FF665FDE51D), ref: 00007FF665FEE8CB
CreateEventW.KERNEL32(?,?,?,00007FF665FF317F,?,?,00001000,00007FF665FDE51D), ref: 00007FF665FEE8E4

Strings

Thread pool initialization failed., xrefs: 00007FF665FEE900

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 6610cce2f1ff4f40d78c24fcbab0d777ace7136147ab701da82aad1b7a389e44
Instruction ID: e92ad05ae5300e892434237a43ef85da723898f39323c93da621c89b8ff27ca2
Opcode Fuzzy Hash: 6610cce2f1ff4f40d78c24fcbab0d777ace7136147ab701da82aad1b7a389e44
Instruction Fuzzy Hash: AB219D32A19642C6F7108F24E4557AA33B2EB88F0DF188134CA0D8F295CF7F99458F84

Function 00007FF665FF85E0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF665FF85EC
GetDeviceCaps.GDI32 ref: 00007FF665FF85FD
ReleaseDC.USER32 ref: 00007FF665FF860A

Strings

, xrefs: 00007FF665FF8610

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: CapsDeviceRelease
String ID:
API String ID: 127614599-3916222277
Opcode ID: a42f7bf34e2550c06df92b4c4441a28b155cc5d7cfc3f2a0da00e80f490195b4
Instruction ID: 7b89f46926f9b72ff2c7fbe3560c1fa1c08b7bef7a743572f6de078fcb15d67b
Opcode Fuzzy Hash: a42f7bf34e2550c06df92b4c4441a28b155cc5d7cfc3f2a0da00e80f490195b4
Instruction Fuzzy Hash: 8EE08C20B08683C2EB0857B6B78992A2261AB8CBD1F158536DA1A8B794CE3DCCC44B00

Function 00007FF665FDD1A8 Relevance: 6.2, APIs: 4, Instructions: 238timeCOMMON

Download Yara Rule

APIs

SetFileTime.KERNEL32 ref: 00007FF665FDD46C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FDD554
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FDD55A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FDD560

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$FileTime
String ID:
API String ID: 1137671866-0
Opcode ID: 2d452471b7d5dd184fe666455331b196c35d21b330d78aced89ac185778723fc
Instruction ID: b60b99490b908b9d5fb519da68f9223449739f3483fbfa56671dbf8f612291ba
Opcode Fuzzy Hash: 2d452471b7d5dd184fe666455331b196c35d21b330d78aced89ac185778723fc
Instruction Fuzzy Hash: B6A1D362A18682D1EB10DF65E8421BD6371FB85B84F405231EA5D8FAE9DF3DE944CF40

Function 00007FF665FF0548 Relevance: 6.1, APIs: 4, Instructions: 122COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF665FF05FC
SetLastError.KERNEL32 ref: 00007FF665FF0697

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 25819bbde86230c00c876be8c9dac5eedcee3915eb1a00923d8757575eef845b
Instruction ID: a5b7b7c7f15bc2ab96981beb707da75f97571b3f44b90b8419f09590a14cde67
Opcode Fuzzy Hash: 25819bbde86230c00c876be8c9dac5eedcee3915eb1a00923d8757575eef845b
Instruction Fuzzy Hash: 5351B072B14A46D9FB009F65E5462EC2331EB84B98F404232DA5D9FBD6EE7CEA44C740

Function 00007FF665FF9D90 Relevance: 6.1, APIs: 4, Instructions: 106COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF665FF9DBC
GetLastError.KERNEL32 ref: 00007FF665FF9E08
CreateDirectoryW.KERNEL32 ref: 00007FF665FF9F10
LocalFree.KERNEL32 ref: 00007FF665FF9F20

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: CreateCurrentDirectoryErrorFreeLastLocalProcess
String ID:
API String ID: 1077098981-0
Opcode ID: 91dec681af915968dd102d853b3eeeabd4842e789cbe2ad92d88e952f467e522
Instruction ID: 586414cb2151bcfb8eeae46a76b24a107972fb6b1e8832f4d3577b74a906bc13
Opcode Fuzzy Hash: 91dec681af915968dd102d853b3eeeabd4842e789cbe2ad92d88e952f467e522
Instruction Fuzzy Hash: 5A515C32A18B82D6EB408F61E6447AE73B4FB84B84F501136EA4D9BA54DF3DD944CF40

Function 00007FF66600DB5C Relevance: 6.1, APIs: 4, Instructions: 104COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF66600DBAF
WideCharToMultiByte.KERNEL32 ref: 00007FF66600DC81
GetLastError.KERNEL32 ref: 00007FF66600DCA4
_invalid_parameter_noinfo.LIBCMT ref: 00007FF66600DCD6

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
String ID:
API String ID: 4141327611-0
Opcode ID: fdb879c7c344a6dcddabd48f24568e2f5e84c2dc3f6ceef9c32cec135b3ccbbf
Instruction ID: 65566b5fd38ed5764bfa887e6850544dc5a8d8f75990154ebc648fe57b05f2d8
Opcode Fuzzy Hash: fdb879c7c344a6dcddabd48f24568e2f5e84c2dc3f6ceef9c32cec135b3ccbbf
Instruction Fuzzy Hash: 00418431A08683C6F7659F10B254779A6B0EF80B90F148531DB4D8EAD5DF7EE8418F90

Function 00007FF665FE3980 Relevance: 6.1, APIs: 4, Instructions: 101fileCOMMON

Download Yara Rule

APIs

MoveFileW.KERNEL32 ref: 00007FF665FE39BD
MoveFileW.KERNEL32 ref: 00007FF665FE3A34
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FE3AEB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FE3AF1

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: FileMove_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3823481717-0
Opcode ID: 1e191b709e62ef26e60e8f1d0cc24d6cdbe4e9a67f5d62f6318cd10f240089dc
Instruction ID: af79f14c2460495efa9e8008c1a789a0d5f2f4017e3b226368b022f6f6df9234
Opcode Fuzzy Hash: 1e191b709e62ef26e60e8f1d0cc24d6cdbe4e9a67f5d62f6318cd10f240089dc
Instruction Fuzzy Hash: 4B419F62F14691D4FB00CFA5E88A1AC2372BB44B98B105231DE5D9FAA9DF39E885C640

Function 00007FF666010B78 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF66600C45B), ref: 00007FF666010B91
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF66600C45B), ref: 00007FF666010BF3
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF66600C45B), ref: 00007FF666010C2D
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF66600C45B), ref: 00007FF666010C57

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$Free
String ID:
API String ID: 1557788787-0
Opcode ID: 23704c5f87cc5d65a6a85ab0da0438508b9fc27f2b888927c3d6011bf25654c1
Instruction ID: 5778d3a7c3e9195529c7041f2a4827c926f605069893b487f2405050348dae44
Opcode Fuzzy Hash: 23704c5f87cc5d65a6a85ab0da0438508b9fc27f2b888927c3d6011bf25654c1
Instruction Fuzzy Hash: B5218031B1CB52C1E6249F527550029B6B4FB94BD4B084534DE8EAFBA4DF3DE4628B40

Function 00007FF66600D440 Relevance: 6.0, APIs: 4, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF666007F28,?,?,?,00007FF666009D35), ref: 00007FF66600D44A
SetLastError.KERNEL32(?,?,?,00007FF666007F28,?,?,?,00007FF666009D35), ref: 00007FF66600D4B2
SetLastError.KERNEL32(?,?,?,00007FF666007F28,?,?,?,00007FF666009D35), ref: 00007FF66600D4C8
abort.LIBCMT ref: 00007FF66600D4CE

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: ErrorLast$abort
String ID:
API String ID: 1447195878-0
Opcode ID: df247b5a3948333368795c339682862bf84e23f7c025c70b8dad3e7beb060077
Instruction ID: 2fafb9099df7b0d1fd8ecf7d5db1d3869f345999d1f88cba807b4db143d967cb
Opcode Fuzzy Hash: df247b5a3948333368795c339682862bf84e23f7c025c70b8dad3e7beb060077
Instruction Fuzzy Hash: 18019E20B09606D3FA99AF61B75923C22B19F44790F044538DD1ECE7D6ED2EF8004E60

Function 00007FF665FF8590 Relevance: 6.0, APIs: 4, Instructions: 21COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF665FF8598
GetDeviceCaps.GDI32 ref: 00007FF665FF85AE
GetDeviceCaps.GDI32 ref: 00007FF665FF85C2
ReleaseDC.USER32 ref: 00007FF665FF85D3

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: de15d0a72ac65e47349a1b4cc9ca260558533dfe27db70e7b1e031f833f09c6c
Instruction ID: c05f80916615862600abb98c33513fd54e860e47097f174efd67aeccd111b631
Opcode Fuzzy Hash: de15d0a72ac65e47349a1b4cc9ca260558533dfe27db70e7b1e031f833f09c6c
Instruction Fuzzy Hash: 68E0E560E09643C2FF085B717A595751170AF48743F08493AC81F9E350DD3DAC85CA14

Function 00007FF665FDE34C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 176COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FDE549

Strings

DXGIDebug.dll, xrefs: 00007FF665FDE35A

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: DXGIDebug.dll
API String ID: 3668304517-540382549
Opcode ID: 29c3812da8397d74a7501658cc2389868464bc71a0304964e69ab8611b481b8c
Instruction ID: cc9c136411acf1c39d49821f317387219cf1ab06bd750a334911e5ee72316835
Opcode Fuzzy Hash: 29c3812da8397d74a7501658cc2389868464bc71a0304964e69ab8611b481b8c
Instruction Fuzzy Hash: 8071B972A14B81C2EB148F25E9413ADB3B8FB54B94F004236DBAC4BB95DF38E561C300

Function 00007FF66600E1F4 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF66600E237

Strings

e+000, xrefs: 00007FF66600E2DF
gfff, xrefs: 00007FF66600E362

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: e+000$gfff
API String ID: 3215553584-3030954782
Opcode ID: ffbcb58cc87a1110f60409a8afde5d08377aab6ce8cf060c3284a5669936e3c2
Instruction ID: 5133ab9a352f5711367424700fd0ad3e62ef79900b0ff02481aac8f66dde2146
Opcode Fuzzy Hash: ffbcb58cc87a1110f60409a8afde5d08377aab6ce8cf060c3284a5669936e3c2
Instruction Fuzzy Hash: 2B51F962B187C2C6E7258F35AA413696BA1E785B90F089231C79CCFBD6CF2ED444CB40

Function 00007FF665FE9408 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF665FE95A8: swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF665FE95E6

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FE959C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665FE95A2

Strings

SIZE, xrefs: 00007FF665FE9443

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$swprintf
String ID: SIZE
API String ID: 449872665-3243624926
Opcode ID: e0bc738575b9dfc7518a9e38475377609f14f4f1dbbb3954c7928ccc9b577437
Instruction ID: 6a4c615f384f24c54ff5746c39539efaff3c7b8adc5dd9ffcfa9daf81af32c22
Opcode Fuzzy Hash: e0bc738575b9dfc7518a9e38475377609f14f4f1dbbb3954c7928ccc9b577437
Instruction Fuzzy Hash: 7B41A262A28782D5EA10DF14E5423BD6370EF85B94F504231EA9D8F6D6EE3DE941CB10

Function 00007FF66600C2C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF66600C2EA
GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FF666002CD5), ref: 00007FF66600C30B

Strings

C:\Users\user\Desktop\0438.pdf.exe, xrefs: 00007FF66600C2F9

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: FileModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\0438.pdf.exe
API String ID: 3307058713-792344357
Opcode ID: 2b307fc7043d57580c2760bc14d10e66149d3294dbd6a1f00798eb6953a6f573
Instruction ID: ac1821789280c79b7715cfea84f319a122b2a3076b572a92b8f1a1ba48b0f87d
Opcode Fuzzy Hash: 2b307fc7043d57580c2760bc14d10e66149d3294dbd6a1f00798eb6953a6f573
Instruction Fuzzy Hash: 29417F72A18A52CAEB159F25F6400BC77B4FF44794B444036E94E8FB95DE3EE841CB90

Function 00007FF665FF9B40 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 104COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF665FD255C: GetDlgItem.USER32 ref: 00007FF665FD25AC
Part of subcall function 00007FF665FD255C: SetWindowTextW.USER32 ref: 00007FF665FD25C8

EndDialog.USER32 ref: 00007FF665FF9C24
SetDlgItemTextW.USER32 ref: 00007FF665FF9CAA

Strings

ASKNEXTVOL, xrefs: 00007FF665FF9B72

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: 97ebd98f0834f70bd8f3ada112357d921bc9d5e9383391aa045354938bfaeae3
Instruction ID: 7e03d7d9ddec14898cf5e933e33ae994a110e5bb1964c9341faada19e5804fb2
Opcode Fuzzy Hash: 97ebd98f0834f70bd8f3ada112357d921bc9d5e9383391aa045354938bfaeae3
Instruction Fuzzy Hash: EF418122A08683C1FA14AF12E6516B963B1AF85FC4F140135DE4D9FBA9DE3DED45CB40

Function 00007FF665FE9638 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

_snwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF665FE96EA

Part of subcall function 00007FF665FF0F68: WideCharToMultiByte.KERNEL32 ref: 00007FF665FF0F99

Strings

@%s, xrefs: 00007FF665FE96CE
$%s, xrefs: 00007FF665FE96D7

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: ByteCharMultiWide_snwprintf
String ID: $%s$@%s
API String ID: 2650857296-834177443
Opcode ID: 68d6d98aec82f67e7f26d78b4367655257a27e60e60eb814561ac576190adeba
Instruction ID: cde327cbd47c81d6a43f1ec88db4bd6fe4ed2b3d20c7f4cdc79497a22e363529
Opcode Fuzzy Hash: 68d6d98aec82f67e7f26d78b4367655257a27e60e60eb814561ac576190adeba
Instruction Fuzzy Hash: 6131C572B18A8AD5EE108F66E6416E963B4FB45B84F401032EE0D8F795DE3DE945CB40

Function 00007FF66600EB04 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF66600EB76
GetFileType.KERNEL32 ref: 00007FF66600EB8C

Strings

@, xrefs: 00007FF66600EBB7

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: FileHandleType
String ID: @
API String ID: 3000768030-2766056989
Opcode ID: 01c4e23626c5bd34e0d32a71787dfe5976e9b76bf070a7e2fa99837352baeece
Instruction ID: 1810846c52234dc41614b1325eb4ee5a80586eba0b0fd4c3c8eb42efbf684375
Opcode Fuzzy Hash: 01c4e23626c5bd34e0d32a71787dfe5976e9b76bf070a7e2fa99837352baeece
Instruction Fuzzy Hash: CE216822A0CBC2C1EB648F25A59013A6671EB45774F281335D66F9F7D4DE3ED881C781

Function 00007FF666004078 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF666001D3E), ref: 00007FF6660040BC
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF666001D3E), ref: 00007FF666004102

Strings

csm, xrefs: 00007FF6660040EF

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 995ce70781ed1107fbe35a2df86b6ab92d82f2488d4e31342cdb9a65d606da21
Instruction ID: 92c046ea0599f63e918c1b1af7d0edcea7c9f7dfb79c52e89b8a69e9e126c537
Opcode Fuzzy Hash: 995ce70781ed1107fbe35a2df86b6ab92d82f2488d4e31342cdb9a65d606da21
Instruction Fuzzy Hash: 41114922A08B41D2EB208F15F540269B7B0FB98B84F184230DA8D4B754DF3ED551CB40

Function 00007FF665FEEA5C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF665FEE95F,?,?,?,00007FF665FE463A,?,?,?), ref: 00007FF665FEEA63
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF665FEE95F,?,?,?,00007FF665FE463A,?,?,?), ref: 00007FF665FEEA6E

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00007FF665FEEA78

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: ErrorLastObjectSingleWait
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1211598281-2248577382
Opcode ID: 98ce5a6e9b01a49333d4d7b683bb298ff4a8e953ba0927a3bf2f7aa8eb90df55
Instruction ID: 74993f2bc6b7bc9ca8fd314b1c101139369226fccd26b80487b0be6778245ab7
Opcode Fuzzy Hash: 98ce5a6e9b01a49333d4d7b683bb298ff4a8e953ba0927a3bf2f7aa8eb90df55
Instruction Fuzzy Hash: 93E0E521E1A842D1E600AB60FD425682230BF60BA4F900371D03ECE1E19E2EAA498F40

Function 00007FF665FEA43C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF665FEA447
FindResourceW.KERNEL32 ref: 00007FF665FEA45D

Strings

RTL, xrefs: 00007FF665FEA453

Memory Dump Source

Source File: 00000000.00000002.1746165905.00007FF665FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665FD0000, based on PE: true

Associated: 00000000.00000002.1745999553.00007FF665FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746242519.00007FF666018000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF66602B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746275364.00007FF666034000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1746329426.00007FF66603E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665fd0000_0438.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: e39cf6139d6c3c808756c827088780cb49cd2dd94430b396554b51375d39015a
Instruction ID: 1b35dd85724826a4929c0d7d793e217819493610f452bc8e09df5eccf1b351a4
Opcode Fuzzy Hash: e39cf6139d6c3c808756c827088780cb49cd2dd94430b396554b51375d39015a
Instruction Fuzzy Hash: B7D01792F09642D2FF198BB1A44973466B15B18B45F485038C95A8E390EE3E9588CB50

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
Tactics:	Lateral Movement
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 0438.pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\5ded5b.rbs

C:\Program Files (x86)\LiteManager Pro - Server\AledensoftIpcServer.dll

C:\Program Files (x86)\LiteManager Pro - Server\EULA.rtf

C:\Program Files (x86)\LiteManager Pro - Server\English.lg

C:\Program Files (x86)\LiteManager Pro - Server\HookDrv.dll

C:\Program Files (x86)\LiteManager Pro - Server\Lang\Taiwan.lg

C:\Program Files (x86)\LiteManager Pro - Server\Lang\Turkish.lg

C:\Program Files (x86)\LiteManager Pro - Server\Lang\Ukrainian.lg

C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe

C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

C:\Program Files (x86)\LiteManager Pro - Server\ROMwln.dll

C:\Program Files (x86)\LiteManager Pro - Server\Russian.lg

C:\Program Files (x86)\LiteManager Pro - Server\files\ROMServer.exe

C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe

C:\ProgramData\Microsoft\Network\Downloader\edb.chk

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Windows Analysis Report
0438.pdf.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre