Edit tour

Windows Analysis Report
0438.pdf.exe

Overview

General Information

Sample name:	0438.pdf.exe renamed because original name is a hash value
Original sample name:	.pdf.exe
Analysis ID:	1543801
MD5:	2d11dba46735af1cb1c0a42e9564e20d
SHA1:	b2e17960c6d080f7aba7df87f57c08b4bc2e7051
SHA256:	e19477a56b247e6cc435fee367abcf6e0c3db21de91ae2514b4a6b1807233c53
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Sigma detected: Suspicious Double Extension File Execution

Connects to many ports of the same IP (likely port scanning)

Enables network access during safeboot for specific services

Enables remote desktop connection

Initial sample is a PE file and has a suspicious name

Uses an obfuscated file name to hide its real file extension (double extension)

Checks for available system drives (often done to infect USB drives)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates or modifies windows services

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

File is packed with WinRar

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Internet Provider seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

PE file contains strange resources

Queries disk information (often used to detect virtual machines)

Queries the installation date of Windows

Queries the product ID of Windows

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Stores files to the Windows start menu directory

Stores large binary data to the registry

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

0438.pdf.exe (PID: 6660 cmdline: "C:\Users\user\Desktop\0438.pdf.exe" MD5: 2D11DBA46735AF1CB1C0A42E9564E20D)

msiexec.exe (PID: 6944 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\pdf.msi" /qn MD5: E5DA170027542E25EDE42FC54C929077)

Acrobat.exe (PID: 7020 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\Doc.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

AcroCEF.exe (PID: 6092 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

AcroCEF.exe (PID: 6712 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2068 --field-trial-handle=1576,i,6061207058783302797,5194887840937353,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

msiexec.exe (PID: 7068 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

ROMFUSClient.exe (PID: 7872 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /siex /silentinstall MD5: 63D0964168B927D00064AA684E79A300)

ROMServer.exe (PID: 8016 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /siex /silentinstall MD5: F3D74B072B9697CF64B0B8445FDC8128)

ROMFUSClient.exe (PID: 8116 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /firewall MD5: 63D0964168B927D00064AA684E79A300)

ROMServer.exe (PID: 8164 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /firewall MD5: F3D74B072B9697CF64B0B8445FDC8128)

ROMFUSClient.exe (PID: 7144 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /start MD5: 63D0964168B927D00064AA684E79A300)

ROMServer.exe (PID: 7064 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /start MD5: F3D74B072B9697CF64B0B8445FDC8128)

svchost.exe (PID: 7104 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

ROMServer.exe (PID: 7076 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" MD5: F3D74B072B9697CF64B0B8445FDC8128)

ROMFUSClient.exe (PID: 7988 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray MD5: 63D0964168B927D00064AA684E79A300)

ROMFUSClient.exe (PID: 8008 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" MD5: 63D0964168B927D00064AA684E79A300)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000000.1843565844.0000000000401000.00000020.00000001.01000000.0000000C.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000007.00000000.1833595645.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
7.0.ROMFUSClient.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
9.0.ROMServer.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious Double Extension File Execution

Source: Process started

Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\0438.pdf.exe", CommandLine: "C:\Users\user\Desktop\0438.pdf.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\0438.pdf.exe, NewProcessName: C:\Users\user\Desktop\0438.pdf.exe, OriginalFileName: C:\Users\user\Desktop\0438.pdf.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Users\user\Desktop\0438.pdf.exe", ProcessId: 6660, ProcessName: 0438.pdf.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 111.90.140.76, DestinationIsIpv6: false, DestinationPort: 465, EventID: 3, Image: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe, Initiated: true, ProcessId: 7076, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49874

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7104, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\LiteManager Pro - Server\EULA.rtf

Jump to behavior

Source: 0438.pdf.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: 0438.pdf.exe

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665EEB190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF665EEB190
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665ED40BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF665ED40BC
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665EFFCA0 FindFirstFileExA,	0_2_00007FF665EFFCA0

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 111.90.140.76 ports 5651,8080,1,465,5,6,80

Enables network access during safeboot for specific services

Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Registry value created: NULL Service

Source: global traffic	TCP traffic: 192.168.2.4:49871 -> 111.90.140.76:5651
Source: global traffic	TCP traffic: 192.168.2.4:49876 -> 65.21.245.7:5555

Source: Joe Sandbox View

ASN Name: SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY

Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.245.7
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.245.7
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.245.7
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.245.7
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.245.7
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.245.7
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.245.7
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.245.7
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.245.7
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.245.7
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.245.7
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.245.7
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.245.7
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.245.7
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.245.7
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.245.7
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.140.76

Source: global traffic

DNS traffic detected: DNS query: x1.i.lencr.org

Source: AledensoftIpcServer.dll.3.dr, ROMwln.dll.3.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: 0438.pdf.exe, 00000000.00000003.1743995858.0000017916AD3000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1743995858.0000017916B11000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: svchost.exe, 00000005.00000002.3412122782.0000023FA5600000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000005.00000003.1771637769.0000023FA5818000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: edb.log.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: edb.log.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000005.00000003.1771637769.0000023FA5818000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000005.00000003.1771637769.0000023FA5818000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000005.00000003.1771637769.0000023FA584D000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.5.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: 5141a4.rbs.3.dr	String found in binary or memory: http://litemanager.com/
Source: ROMFUSClient.exe, 00000010.00000002.3606716114.0000000002983000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://litemanager.com/03
Source: ROMServer.exe, 0000000F.00000002.3606364288.0000000001773000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://litemanager.com/03w
Source: ROMServer.exe, 0000000F.00000002.3606364288.000000000176C000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000010.00000002.3606716114.000000000297C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://litemanager.com/1
Source: ROMFUSClient.exe, 00000007.00000000.1834516823.00000000008E4000.00000002.00000001.01000000.0000000B.sdmp, ROMServer.exe, 00000009.00000000.1848189601.00000000009FE000.00000002.00000001.01000000.0000000C.sdmp, Ukrainian.lg.3.dr, Russian.lg.3.dr	String found in binary or memory: http://litemanager.ru/
Source: Ukrainian.lg.3.dr	String found in binary or memory: http://litemanager.ru/forum/ru/memberlist.php?mode=viewprofile&u=977.
Source: ROMServer.exe, 00000009.00000000.1843565844.0000000000401000.00000020.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://litemanager.ru/noip.txtU
Source: AledensoftIpcServer.dll.3.dr, ROMwln.dll.3.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: 0438.pdf.exe, 00000000.00000003.1743995858.0000017916AD3000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1743995858.0000017916B11000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: 0438.pdf.exe, 00000000.00000003.1743995858.0000017916AD3000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1743995858.0000017916B11000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: 0438.pdf.exe, 00000000.00000003.1743995858.0000017916AD3000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1743995858.0000017916B11000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr	String found in binary or memory: http://s2.symcb.com0
Source: 0438.pdf.exe, 00000000.00000003.1743995858.0000017916AD3000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1743995858.0000017916B11000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: 0438.pdf.exe, 00000000.00000003.1743995858.0000017916AD3000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1743995858.0000017916B11000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: 0438.pdf.exe, 00000000.00000003.1743995858.0000017916AD3000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1743995858.0000017916B11000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr	String found in binary or memory: http://sv.symcd.com0&
Source: 0438.pdf.exe, 00000000.00000003.1743995858.0000017916AD3000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1743995858.0000017916B11000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: 0438.pdf.exe, 00000000.00000003.1743995858.0000017916AD3000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1743995858.0000017916B11000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: 0438.pdf.exe, 00000000.00000003.1743995858.0000017916AD3000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1743995858.0000017916B11000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: 5141a4.rbs.3.dr	String found in binary or memory: http://www.LiteManagerTeam.com
Source: ROMFUSClient.exe, 00000007.00000000.1833595645.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, ROMFUSClient.exe, 00000007.00000003.1853231064.00000000028D7000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 00000009.00000003.1850203236.0000000002907000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 00000009.00000000.1843565844.0000000000951000.00000020.00000001.01000000.0000000C.sdmp, ROMFUSClient.exe, 0000000A.00000003.1864973686.00000000027F7000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 0000000B.00000003.1862661234.0000000002947000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 0000000D.00000003.1902208763.0000000002887000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 0000000E.00000003.1897803392.00000000027E7000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 0000000F.00000002.3606364288.00000000016D7000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000010.00000002.3606716114.00000000028E7000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000011.00000002.3606084225.00000000027B7000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe.3.dr	String found in binary or memory: http://www.indyproject.org/
Source: 0438.pdf.exe, 00000000.00000003.1743995858.0000017916AD3000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1743995858.0000017916B11000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: 0438.pdf.exe, 00000000.00000003.1743995858.0000017916AD3000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1743995858.0000017916B11000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: 2D85F72862B55C4EADD9E66E06947F3D0.4.dr	String found in binary or memory: http://x1.i.lencr.org/
Source: 0438.pdf.exe, 00000000.00000003.1743995858.0000017916AD3000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1743995858.0000017916B11000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: 0438.pdf.exe, 00000000.00000003.1743995858.0000017916AD3000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1743995858.0000017916B11000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: svchost.exe, 00000005.00000003.1771637769.0000023FA58C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: edb.log.5.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.5.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.5.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000005.00000003.1771637769.0000023FA58C2000.00000004.00000800.00020000.00000000.sdmp, edb.log.5.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: ROMFUSClient.exe, 00000007.00000000.1833595645.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, ROMServer.exe, 00000009.00000000.1843565844.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, ROMFUSClient.exe.3.dr	String found in binary or memory: https://litemanager.com/romversion.txt
Source: ROMFUSClient.exe, 00000007.00000000.1833595645.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, ROMServer.exe, 00000009.00000000.1843565844.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, ROMFUSClient.exe.3.dr	String found in binary or memory: https://litemanager.com/soft/pro/ROMServer.zip
Source: svchost.exe, 00000005.00000003.1771637769.0000023FA58C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.5.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: 0438.pdf.exe

Source: C:\Users\user\Desktop\0438.pdf.exe

Code function: 0_2_00007FF665ECC2F0: CreateFileW,CloseHandle,wcscpy,wcscpy,wcscpy,wcscpy,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF665ECC2F0

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5141a2.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{71FFA475-24D5-44FB-A51F-39B699E3D82C}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI46B3.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ARPPRODUCTICON.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ROMServer.exe_9D09B2BC25A2414CBD848E2B75898676.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\UNINST_Uninstall_L_78AA5B6662514D94A847D6C603AF0895.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\stop_server_51B516B87C64408FA3C56354EA2277C2.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\config_server_B6BD2967C67B44649764F06ADFFD6458.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5141a5.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5141a5.msi	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\5141a5.msi

Jump to behavior

Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665ECF930	0_2_00007FF665ECF930
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665ED4928	0_2_00007FF665ED4928
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665EF0754	0_2_00007FF665EF0754
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665EEB190	0_2_00007FF665EEB190
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665EDA4AC	0_2_00007FF665EDA4AC
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665EE3484	0_2_00007FF665EE3484
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665EE1F20	0_2_00007FF665EE1F20
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665EECE88	0_2_00007FF665EECE88
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665EC5E24	0_2_00007FF665EC5E24
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665EC76C0	0_2_00007FF665EC76C0
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665F02550	0_2_00007FF665F02550
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665EC4840	0_2_00007FF665EC4840
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665EFC838	0_2_00007FF665EFC838
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665ECA310	0_2_00007FF665ECA310
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665ECC2F0	0_2_00007FF665ECC2F0
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665EC7288	0_2_00007FF665EC7288
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665ED126C	0_2_00007FF665ED126C
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665EE21D0	0_2_00007FF665EE21D0
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665EDF180	0_2_00007FF665EDF180
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665EDB534	0_2_00007FF665EDB534
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665EE53F0	0_2_00007FF665EE53F0
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665EDAF18	0_2_00007FF665EDAF18
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665EE8DF4	0_2_00007FF665EE8DF4
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665EF0754	0_2_00007FF665EF0754
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665EE2D58	0_2_00007FF665EE2D58
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665F02080	0_2_00007FF665F02080
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665F05AF8	0_2_00007FF665F05AF8
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665EE2AB0	0_2_00007FF665EE2AB0
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665EC1AA4	0_2_00007FF665EC1AA4
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665EFFA94	0_2_00007FF665EFFA94
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665ED1A48	0_2_00007FF665ED1A48
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665EF89A0	0_2_00007FF665EF89A0
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665EDC96C	0_2_00007FF665EDC96C
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665EE3964	0_2_00007FF665EE3964
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665EF8C1C	0_2_00007FF665EF8C1C
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665EE4B98	0_2_00007FF665EE4B98
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665EDBB90	0_2_00007FF665EDBB90
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665ED5B60	0_2_00007FF665ED5B60

Source: ROMViewer.exe.3.dr	Static PE information: Resource name: RT_VERSION type: Intel ia64 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: ROMServer.exe.3.dr	Static PE information: Resource name: RT_VERSION type: Intel ia64 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: ROMServer.exe0.3.dr	Static PE information: Resource name: RT_VERSION type: Intel ia64 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: ROMServer.exe0.3.dr	Static PE information: Number of sections : 11 > 10
Source: ROMServer.exe.3.dr	Static PE information: Number of sections : 11 > 10
Source: ROMViewer.exe.3.dr	Static PE information: Number of sections : 11 > 10
Source: ROMFUSClient.exe.3.dr	Static PE information: Number of sections : 11 > 10

Source: ROMViewer.exe.3.dr

Static PE information: Resource name: RT_RCDATA type: Delphi compiled form 'TfmEditBinaryValue'

Source: 0438.pdf.exe, 00000000.00000003.1743995858.0000017916B37000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_IsIcoRes.exe< vs 0438.pdf.exe
Source: 0438.pdf.exe, 00000000.00000003.1743995858.0000017916AD3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameISRegSvr.dll vs 0438.pdf.exe
Source: 0438.pdf.exe, 00000000.00000003.1743995858.0000017916B2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_IsIcoRes.exe< vs 0438.pdf.exe
Source: 0438.pdf.exe, 00000000.00000003.1743995858.0000017916A97000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_IsIcoRes.exe< vs 0438.pdf.exe
Source: 0438.pdf.exe, 00000000.00000003.1743995858.0000017916A97000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSetAllUsers.dll< vs 0438.pdf.exe
Source: 0438.pdf.exe, 00000000.00000003.1743995858.0000017916B1D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_IsIcoRes.exe< vs 0438.pdf.exe

Source: classification engine

Classification label: mal68.troj.evad.winEXE@37/79@1/3

Source: C:\Users\user\Desktop\0438.pdf.exe

Code function: 0_2_00007FF665ECB6D8 GetLastError,FormatMessageW,LocalFree,

0_2_00007FF665ECB6D8

Source: C:\Users\user\Desktop\0438.pdf.exe

Code function: 0_2_00007FF665EE8624 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipAlloc,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_00007FF665EE8624

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\LiteManager Pro - Server

Jump to behavior

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.5012

Jump to behavior

Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\ROMFUSLocal
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\ROMFUSTray

Source: C:\Users\user\Desktop\0438.pdf.exe

File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_5323234

Jump to behavior

Source: Yara match	File source: 7.0.ROMFUSClient.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.ROMServer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000000.1843565844.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.1833595645.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe, type: DROPPED

Source: 0438.pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales

Source: C:\Users\user\Desktop\0438.pdf.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\0438.pdf.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\0438.pdf.exe

File read: C:\Users\user\Desktop\0438.pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\0438.pdf.exe "C:\Users\user\Desktop\0438.pdf.exe"
Source: C:\Users\user\Desktop\0438.pdf.exe	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\pdf.msi" /qn
Source: C:\Users\user\Desktop\0438.pdf.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\Doc.pdf"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2068 --field-trial-handle=1576,i,6061207058783302797,5194887840937353,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /siex /silentinstall
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /siex /silentinstall
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /firewall
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /firewall
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /start
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /start
Source: unknown	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe"
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe"
Source: C:\Users\user\Desktop\0438.pdf.exe	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\pdf.msi" /qn	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\Doc.pdf"	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /siex /silentinstall	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /firewall	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /start	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2068 --field-trial-handle=1576,i,6061207058783302797,5194887840937353,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /siex /silentinstall
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /firewall
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /start
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe"

Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: avicap32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: msacm32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: dsound.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: umpdc.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: security.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: idndl.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: edputil.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: appresolver.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: slc.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: sppc.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: pcacli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: mpr.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: sfc_os.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: avicap32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: avifil32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wsock32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: dsound.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msacm32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: umpdc.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: security.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: avicap32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: msacm32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: dsound.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: umpdc.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: security.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: idndl.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: edputil.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: appresolver.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: slc.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: sppc.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: pcacli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: mpr.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: sfc_os.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: avicap32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: avifil32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wsock32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: dsound.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msacm32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: umpdc.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: security.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: firewallapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: fwbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: sxs.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: avicap32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: msacm32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: dsound.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: umpdc.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: security.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: idndl.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: edputil.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: appresolver.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: slc.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: sppc.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: pcacli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: mpr.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: sfc_os.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: avicap32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: avifil32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wsock32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: dsound.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msacm32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: umpdc.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: security.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: avicap32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: avifil32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wsock32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: dsound.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msacm32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: umpdc.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: security.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: idndl.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msxml6.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iccvid.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msrle32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvidc32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: tsbyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iccvid.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msrle32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvidc32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: tsbyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iccvid.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msrle32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvidc32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: tsbyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iccvid.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msrle32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvidc32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: tsbyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iccvid.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msrle32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvidc32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: tsbyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iccvid.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msrle32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvidc32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: tsbyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iccvid.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msrle32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msvidc32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: tsbyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: avicap32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: msacm32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: dsound.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Section loaded: winmmbase.dll

Source: C:\Users\user\Desktop\0438.pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Start LM-Server.lnk.3.dr	LNK file: ..\..\..\..\..\..\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
Source: Uninstall LiteManager - Server.lnk.3.dr	LNK file: ..\..\..\..\..\..\Windows\SysWOW64\msiexec.exe
Source: Stop LM-Server.lnk.3.dr	LNK file: ..\..\..\..\..\..\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
Source: Settings for LM-Server.lnk.3.dr	LNK file: ..\..\..\..\..\..\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 0438.pdf.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: 0438.pdf.exe

Static file information: File size 11654747 > 1048576

Source: 0438.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 0438.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 0438.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 0438.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 0438.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 0438.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 0438.pdf.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: 0438.pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: 0438.pdf.exe

Source: 0438.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 0438.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 0438.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 0438.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 0438.pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\0438.pdf.exe

File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_5323234

Jump to behavior

Source: 0438.pdf.exe	Static PE information: section name: .didat
Source: 0438.pdf.exe	Static PE information: section name: _RDATA
Source: ROMViewer.exe.3.dr	Static PE information: section name: .didata
Source: ROMFUSClient.exe.3.dr	Static PE information: section name: .didata
Source: ROMwln.dll.3.dr	Static PE information: section name: .didata
Source: ROMServer.exe.3.dr	Static PE information: section name: .didata
Source: HookDrv.dll.3.dr	Static PE information: section name: .didata
Source: ROMServer.exe0.3.dr	Static PE information: section name: .didata

Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665F05166 push rsi; retf		0_2_00007FF665F05167
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665F05156 push rsi; retf		0_2_00007FF665F05157

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\config_server_B6BD2967C67B44649764F06ADFFD6458.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\stop_server_51B516B87C64408FA3C56354EA2277C2.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\LiteManager Pro - Server\files\ROMServer.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ARPPRODUCTICON.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\LiteManager Pro - Server\HookDrv.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\UNINST_Uninstall_L_78AA5B6662514D94A847D6C603AF0895.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\LiteManager Pro - Server\ROMwln.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\LiteManager Pro - Server\AledensoftIpcServer.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ROMServer.exe_9D09B2BC25A2414CBD848E2B75898676.exe	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\config_server_B6BD2967C67B44649764F06ADFFD6458.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\stop_server_51B516B87C64408FA3C56354EA2277C2.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ARPPRODUCTICON.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\UNINST_Uninstall_L_78AA5B6662514D94A847D6C603AF0895.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ROMServer.exe_9D09B2BC25A2414CBD848E2B75898676.exe	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\LiteManager Pro - Server\EULA.rtf

Jump to behavior

Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\romserver.exe

Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\Start LM-Server.lnk	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\Uninstall LiteManager - Server.lnk	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\Stop LM-Server.lnk	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\Settings for LM-Server.lnk	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: pdf.exe

Static PE information: 0438.pdf.exe

Source: C:\Windows\System32\msiexec.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SYSTEM\LiteManager\v3.4\Server\Parameters NoIPSettings

Jump to behavior

Source: C:\Users\user\Desktop\0438.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX

Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Window / User API: threadDelayed 2360
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Window / User API: threadDelayed 7446

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\config_server_B6BD2967C67B44649764F06ADFFD6458.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\stop_server_51B516B87C64408FA3C56354EA2277C2.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LiteManager Pro - Server\files\ROMServer.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ARPPRODUCTICON.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LiteManager Pro - Server\HookDrv.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\UNINST_Uninstall_L_78AA5B6662514D94A847D6C603AF0895.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LiteManager Pro - Server\ROMwln.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LiteManager Pro - Server\AledensoftIpcServer.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ROMServer.exe_9D09B2BC25A2414CBD848E2B75898676.exe	Jump to dropped file

Source: C:\Windows\System32\svchost.exe TID: 6880	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6880	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe TID: 5348	Thread sleep count: 51 > 30
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe TID: 8104	Thread sleep time: -1180000s >= -30000s
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe TID: 8104	Thread sleep time: -3723000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Last function: Thread delayed

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665EEB190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF665EEB190
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665ED40BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF665ED40BC
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665EFFCA0 FindFirstFileExA,	0_2_00007FF665EFFCA0

Source: C:\Users\user\Desktop\0438.pdf.exe

Code function: 0_2_00007FF665EF16A4 VirtualQuery,GetSystemInfo,

0_2_00007FF665EF16A4

Source: svchost.exe, 00000005.00000002.3411497699.0000023FA002B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.3412201732.0000023FA5645000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.3412270652.0000023FA5657000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: ROMFUSClient.exe, 00000010.00000002.3605366567.0000000000C08000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll(
Source: ROMServer.exe, 0000000F.00000002.3605481052.0000000000DB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll?
Source: ROMFUSClient.exe, 00000011.00000002.3605532030.0000000000C68000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\0438.pdf.exe

Code function: 0_2_00007FF665EF76D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF665EF76D8

Source: C:\Users\user\Desktop\0438.pdf.exe

Code function: 0_2_00007FF665F00D20 GetProcessHeap,

0_2_00007FF665F00D20

Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Process token adjusted: Debug

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /start

Jump to behavior

Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665EF76D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF665EF76D8
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665EF3170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF665EF3170
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665EF2510 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF665EF2510
Source: C:\Users\user\Desktop\0438.pdf.exe	Code function: 0_2_00007FF665EF3354 SetUnhandledExceptionFilter,	0_2_00007FF665EF3354

Source: C:\Users\user\Desktop\0438.pdf.exe

Code function: 0_2_00007FF665EEB190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF665EEB190

Source: C:\Users\user\Desktop\0438.pdf.exe	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\pdf.msi" /qn	Jump to behavior
Source: C:\Users\user\Desktop\0438.pdf.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\Doc.pdf"	Jump to behavior
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /siex /silentinstall
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /firewall
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /start

Source: C:\Users\user\Desktop\0438.pdf.exe

Code function: 0_2_00007FF665F058E0 cpuid

0_2_00007FF665F058E0

Source: C:\Users\user\Desktop\0438.pdf.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_00007FF665EEA2CC

Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\0438.pdf.exe

Code function: 0_2_00007FF665EF0754 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,OleUninitialize,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF665EF0754

Source: C:\Users\user\Desktop\0438.pdf.exe

Code function: 0_2_00007FF665ED51A4 GetVersionExW,

0_2_00007FF665ED51A4

Remote Access Functionality

Enables remote desktop connection

Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server AllowRemoteRPC

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	1 Remote Desktop Protocol	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Windows Service	1 DLL Side-Loading	11 Obfuscated Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	1 Windows Service	1 Software Packing	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	11 Process Injection	1 DLL Side-Loading	NTDS	65 System Information Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Registry Run Keys / Startup Folder	1 File Deletion	LSA Secrets	31 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	122 Masquerading	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Modify Registry	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
0438.pdf.exe	5%	ReversingLabs	Win64.Malware.Generic

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\LiteManager Pro - Server\AledensoftIpcServer.dll	0%	ReversingLabs
C:\Program Files (x86)\LiteManager Pro - Server\HookDrv.dll	0%	ReversingLabs
C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe	3%	ReversingLabs
C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe	3%	ReversingLabs
C:\Program Files (x86)\LiteManager Pro - Server\ROMwln.dll	0%	ReversingLabs
C:\Program Files (x86)\LiteManager Pro - Server\files\ROMServer.exe	3%	ReversingLabs
C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe	3%	ReversingLabs
C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ARPPRODUCTICON.exe	0%	ReversingLabs
C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ROMServer.exe_9D09B2BC25A2414CBD848E2B75898676.exe	5%	ReversingLabs
C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\UNINST_Uninstall_L_78AA5B6662514D94A847D6C603AF0895.exe	0%	ReversingLabs
C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\config_server_B6BD2967C67B44649764F06ADFFD6458.exe	5%	ReversingLabs
C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\stop_server_51B516B87C64408FA3C56354EA2277C2.exe	5%	ReversingLabs

Source	Detection	Scanner	Label
https://g.live.com/odclientsettings/Prod.C:	0%	URL Reputation	safe
http://x1.i.lencr.org/	0%	URL Reputation	safe
https://g.live.com/odclientsettings/ProdV2	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96	0%	URL Reputation	safe
http://www.symauth.com/rpa00	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
https://g.live.com/odclientsettings/ProdV2.C:	0%	URL Reputation	safe
http://www.indyproject.org/	0%	URL Reputation	safe
http://www.symauth.com/cps0(	0%	URL Reputation	safe
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
x1.i.lencr.org	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://litemanager.com/1	ROMServer.exe, 0000000F.00000002.3606364288.000000000176C000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000010.00000002.3606716114.000000000297C000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://litemanager.ru/	ROMFUSClient.exe, 00000007.00000000.1834516823.00000000008E4000.00000002.00000001.01000000.0000000B.sdmp, ROMServer.exe, 00000009.00000000.1848189601.00000000009FE000.00000002.00000001.01000000.0000000C.sdmp, Ukrainian.lg.3.dr, Russian.lg.3.dr	false		unknown
https://g.live.com/odclientsettings/Prod.C:	edb.log.5.dr	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/	2D85F72862B55C4EADD9E66E06947F3D0.4.dr	false	URL Reputation: safe	unknown
https://litemanager.com/soft/pro/ROMServer.zip	ROMFUSClient.exe, 00000007.00000000.1833595645.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, ROMServer.exe, 00000009.00000000.1843565844.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, ROMFUSClient.exe.3.dr	false		unknown
http://litemanager.com/03	ROMFUSClient.exe, 00000010.00000002.3606716114.0000000002983000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://g.live.com/odclientsettings/ProdV2	edb.log.5.dr	false	URL Reputation: safe	unknown
https://litemanager.com/romversion.txt	ROMFUSClient.exe, 00000007.00000000.1833595645.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, ROMServer.exe, 00000009.00000000.1843565844.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, ROMFUSClient.exe.3.dr	false		unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	0438.pdf.exe, 00000000.00000003.1743995858.0000017916AD3000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1743995858.0000017916B11000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr	false	URL Reputation: safe	unknown
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96	svchost.exe, 00000005.00000003.1771637769.0000023FA58C2000.00000004.00000800.00020000.00000000.sdmp, edb.log.5.dr	false	URL Reputation: safe	unknown
http://www.symauth.com/rpa00	0438.pdf.exe, 00000000.00000003.1743995858.0000017916AD3000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1743995858.0000017916B11000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr	false	URL Reputation: safe	unknown
http://litemanager.ru/forum/ru/memberlist.php?mode=viewprofile&u=977.	Ukrainian.lg.3.dr	false		unknown
http://ocsp.thawte.com0	0438.pdf.exe, 00000000.00000003.1743995858.0000017916AD3000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1743995858.0000017916B11000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr	false	URL Reputation: safe	unknown
http://litemanager.ru/noip.txtU	ROMServer.exe, 00000009.00000000.1843565844.0000000000401000.00000020.00000001.01000000.0000000C.sdmp	false		unknown
http://crl.ver)	svchost.exe, 00000005.00000002.3412122782.0000023FA5600000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://g.live.com/odclientsettings/ProdV2.C:	edb.log.5.dr	false	URL Reputation: safe	unknown
http://litemanager.com/	5141a4.rbs.3.dr	false		unknown
http://litemanager.com/03w	ROMServer.exe, 0000000F.00000002.3606364288.0000000001773000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.LiteManagerTeam.com	5141a4.rbs.3.dr	false		unknown
http://www.indyproject.org/	ROMFUSClient.exe, 00000007.00000000.1833595645.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, ROMFUSClient.exe, 00000007.00000003.1853231064.00000000028D7000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 00000009.00000003.1850203236.0000000002907000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 00000009.00000000.1843565844.0000000000951000.00000020.00000001.01000000.0000000C.sdmp, ROMFUSClient.exe, 0000000A.00000003.1864973686.00000000027F7000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 0000000B.00000003.1862661234.0000000002947000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 0000000D.00000003.1902208763.0000000002887000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 0000000E.00000003.1897803392.00000000027E7000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 0000000F.00000002.3606364288.00000000016D7000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000010.00000002.3606716114.00000000028E7000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000011.00000002.3606084225.00000000027B7000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe.3.dr	false	URL Reputation: safe	unknown
http://www.symauth.com/cps0(	0438.pdf.exe, 00000000.00000003.1743995858.0000017916AD3000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1743995858.0000017916B11000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr	false	URL Reputation: safe	unknown
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	svchost.exe, 00000005.00000003.1771637769.0000023FA58C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
111.90.140.76	unknown	Malaysia		45839	SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY	true
65.21.245.7	unknown	United States		199592	CP-ASDE	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1543801
Start date and time:	2024-10-28 13:40:49 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	0438.pdf.exe renamed because original name is a hash value
Original Sample Name:	.pdf.exe
Detection:	MAL
Classification:	mal68.troj.evad.winEXE@37/79@1/3
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 70 Number of non-executed functions: 93
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 184.28.88.176, 2.19.126.143, 2.19.126.149, 52.5.13.197, 52.202.204.11, 54.227.187.23, 23.22.254.206, 162.159.61.3, 172.64.41.3, 184.28.90.27, 93.184.221.240, 2.23.197.184, 88.221.168.141, 2.16.164.115, 2.16.164.75, 2.16.164.51, 2.16.164.83, 2.16.164.8, 2.16.164.112, 2.16.164.122, 2.16.164.91, 2.16.164.11, 23.218.232.159
Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, e8652.dscx.akamaiedge.net, slscr.update.microsoft.com, e4578.dscb.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, acroipm2.adobe.com, wu.azureedge.net, ocsp.digicert.com, ssl-delivery.adobe.com.edgekey.net, a122.dscd.akamai.net, e16604.g.akamaiedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net, fs.microsoft.com, otelrules.azureedge.net, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, ctldl.windowsupdate.com, p13n.adobe.io, fe3cr.delivery.mp.microsoft.com, ssl.adobe.com.edgekey.net, armmf.adobe.com, geo2.adobe.com
Execution Graph export aborted for target ROMServer.exe, PID 7076 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 0438.pdf.exe

Simulations

Behavior and APIs

Time	Type	Description
08:42:36	API Interceptor	125536x Sleep call for process: ROMFUSClient.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
65.21.245.7	044f.pdf.scr	Get hash	malicious	RMSRemoteAdmin	Browse
	3e#U043c.scr	Get hash	malicious	RMSRemoteAdmin	Browse
	3e#U043c.scr	Get hash	malicious	RMSRemoteAdmin	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY	b.cmd	Get hash	malicious	Unknown	Browse	101.99.92.203
	rrwzOU7A9F.exe	Get hash	malicious	XWorm	Browse	101.99.92.203
	3xlcP3DFLm.exe	Get hash	malicious	XWorm	Browse	101.99.92.203
	JruZmEO5Dm.exe	Get hash	malicious	XWorm	Browse	101.99.92.203
	zVlbADkNqu.exe	Get hash	malicious	XWorm	Browse	101.99.92.203
	vqUuq8t2Uc.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	101.99.92.203
	pXJ9iQvcQa.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	101.99.92.203
CP-ASDE	iQPxJrxxaj.exe	Get hash	malicious	PikaBot	Browse	65.20.66.218
	iQPxJrxxaj.exe	Get hash	malicious	PikaBot	Browse	65.20.66.218
	http://www.thegioimoicau.com/	Get hash	malicious	Unknown	Browse	65.21.45.74
	Bill Of Lading_MEDUVB935991.pdf.exe	Get hash	malicious	FormBook	Browse	65.21.196.90
	arm.elf	Get hash	malicious	Unknown	Browse	65.21.50.224
	P1 BOL.exe	Get hash	malicious	Unknown	Browse	65.21.196.90
	Doc 784-01965670.exe	Get hash	malicious	FormBook	Browse	65.21.196.90

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	25210
Entropy (8bit):	5.137987835164834
Encrypted:	false
SSDEEP:	384:8S75t8t+CqZ+oNbynfBytjj3IGdgdVOVv:8S1t8t+CqZ+oNbynfEtIG+jMv
MD5:	842DC8644AE8AD0B673659D501A14797
SHA1:	3F01957A39466DAFD196B6B08B3A4D8269980A08
SHA-256:	CF77BCDECFC6FE1BC7DD2A2E09939C27C44175FF403AF1B2183556D1FD94251A
SHA-512:	73C44641D726FE1E9E3C9F932F91EDE641A942998D6FF82D2721B4E91AD22F42C251A6936DD1B8DA2E8F4FCAACA252ADF1D4271501415086D190E300CD356C9C
Malicious:	false
Preview:	...@IXOS.@.....@;E\Y.@.....@.....@.....@.....@.....@......&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}..LiteManager Pro - Server..pdf.msi.@.....@.....@.....@......ARPPRODUCTICON.exe..&.{9EF586E9-112B-4AAE-B439-5B62B7A0B1DE}.....@.....@.....@.....@.......@.....@.....@.......@......LiteManager Pro - Server......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{3244CDE6-6414-4399-B0D5-424562747210}&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}.@......&.{4D4D18AA-F74D-4291-B5A9-93C3CC48B75F}&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}.@......&.{641F154A-FEEF-4FA7-B5BF-414DB1DB8390}&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}.@......&.{26EAB54E-4659-47E8-86F9-4CB74F7E03BE}&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}.@......&.{596F4636-5D51-49F5-B3B4-F3C366E9DC23}&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}.@......&.{596F4636-5D51-49F5-B3B4-F3C366E9DC23}&.{00000000-0000-0000-0000-000000000000}.@......&.{A3DC5A2F-2249-4674-B

C:\Program Files (x86)\LiteManager Pro - Server\AledensoftIpcServer.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	132032
Entropy (8bit):	6.10195829980833
Encrypted:	false
SSDEEP:	3072:sh/1J7RYdzZU4Z5tegH1q888888888888W888888888882zgP:sh/jIZPZ5tJ8888888888888W888888s
MD5:	C40455A478E0B76521130D9DAAAADC4B
SHA1:	42DE923D5E36A9F56B002DD66DB245BC44480089
SHA-256:	308085BC357BF3A3BEE0D662FCC01628E9EE2FFD478AE0F1E7140939AD99B892
SHA-512:	76ED6D763F603BCAA7FE186C0A7449E614DCDB18036F7587C6E5A11C3F3269E400E3D2062856CC280AC20C094617924783B6C360F25AF66767DCC53C2F3045C9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....xK............................p........ ..........................................................................\.......\...............................x#...................................................................................text...$........................... ..`.itext.............................. ..`.data...0.... ......................@....bss....xN...@...........................idata..\...........................@....edata..\............&..............@..@.reloc..x#.......$...(..............@..B.rsrc................L..............@..@....................................@..@........................................................................................................................................

C:\Program Files (x86)\LiteManager Pro - Server\EULA.rtf

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1251, default language ID 1049
Category:	dropped
Size (bytes):	58679
Entropy (8bit):	4.738446173390891
Encrypted:	false
SSDEEP:	768:bkJC7UF9eVWSlBY8Aq9CBGDtD8gX1ZDCZjewbAsCw1vPDQuJPQzusxxeCNHnPPsT:htwqueMZYU
MD5:	BAED4E7AF33F77350D454B69317EE63B
SHA1:	2B598774F0C73850A36117F29EA8DAC57BE1C138
SHA-256:	671D65183C39E53FC1759C45B105A0FBE2D3A216E4099B66D5FCF274EA625E07
SHA-512:	E740997BDECB8F907A000D01BF3E823898A1289D1DBFAE5BF342D4BCB6FF09D258317955F4FD858FF6B239E5BA08E49E90CDEC06E24DABDB18C1CF2D8943590C
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1251\uc1\deff0\stshfdbch0\stshfloch37\stshfhich37\stshfbi37\deflang1049\deflangfe1049{\fonttbl{\f0\froman\fcharset204\fprq2{\\panose 02020603050405020304}Times New Roman{\\falt Times New Roman};}..{\f1\fswiss\fcharset204\fprq2{\\panose 020b0604020202020204}Arial;}{\f2\fmodern\fcharset204\fprq1{\\panose 02070309020205020404}Courier New;}{\f3\froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}..{\f10\fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}{\f37\fswiss\fcharset204\fprq2{\\panose 020f0502020204030204}Calibri;}{\f211\froman\fcharset0\fprq2 Times New Roman{\\falt Times New Roman};}..{\f209\froman\fcharset238\fprq2 Times New Roman CE{\\falt Times New Roman};}{\f212\froman\fcharset161\fprq2 Times New Roman Greek{\\falt Times New Roman};}{\f213\froman\fcharset162\fprq2 Times New Roman Tur{\\falt Times New Roman};}..{\f214\froman\fcharset177\fprq2 Times New Roman (Hebrew){\\falt Times New Roman};}{\f215\froman\fcharset178\fprq2 Time

C:\Program Files (x86)\LiteManager Pro - Server\English.lg

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	89220
Entropy (8bit):	3.469297258214741
Encrypted:	false
SSDEEP:	768:YvozCzKUNNfMnuQhgdXT0Z2BPshK+4aCWpQJ3OEInKDcbztlXnpQbbMv3PI:Yvoz4TXTI2pQCWOJvgXnpQbS3PI
MD5:	B1C96EF24061BF294CAC6C4C9CBF7757
SHA1:	5D1B1934091E257B5F1C69B13F5FC1E424348584
SHA-256:	20DB884523DA62C20F80B8A3BB71E11091B90A443B83C06D8FE2A1BBC00C1C33
SHA-512:	6E90562FD804F91DDADEF2310551063D34B859FF1CC6E58A41667E9CDA062DCA851C8455882EF47CF3E1A8EC21EBD9F0761F15E54174CC4A95427238CB39BA14
Malicious:	false
Preview:	..[._.s.y.s.t.e.m.].....l.a.n.g.u.a.g.e._.i.d.=.1.0.3.3.........[._.m.e.s.s.a.g.e.s.].....w.e.b._.s.i.t.e. .=. .h.t.t.p.:././.l.i.t.e.m.a.n.a.g.e.r...c.o.m./.....q.u.e.s.t.i.o.n. .=. .Q.u.e.s.t.i.o.n.....e.r.r.o.r. .=. .E.r.r.o.r.....i.n.f.o.r.m.a.t.i.o.n. .=. .I.n.f.o.r.m.a.t.i.o.n.....n.o.t.i.f.i.c.a.t.i.o.n. .=. .N.o.t.i.f.i.c.a.t.i.o.n.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.r.e.a.d._.c.o.n.f.i.g.u.r.a.t.i.o.n. .=. .C.a.n. .n.o.t. .r.e.a.d. .s.e.r.v.i.c.e. .c.o.n.f.i.g.u.r.a.t.i.o.n...\.n.;.R.e.i.n.s.t.a.l.l. .L.i.t.e.M.a.n.a.g.e.r. .s.e.r.v.i.c.e.?.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e. .=. .C.a.n. .n.o.t. .s.e.t. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r. .s.e.r.v.i.c.e. .s.t.a.r.t.u.p. .m.o.d.e.......f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e._.r.e.s.t.a.r.t. .=. .C.a.n. .n.o.t. .s.e.t. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r. .s.e.r.v.i.c.e. .s.t.a.r.t.u.p. .m.o.d.e...\.n.;.R.e.b.o.o.t. .s.y.s.t.e.m.,. .p.l.e.a.s.e.......

C:\Program Files (x86)\LiteManager Pro - Server\HookDrv.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	201728
Entropy (8bit):	6.3607488106285075
Encrypted:	false
SSDEEP:	3072:rmqdVRkbN1G3OKtVLqKc3IuQquARCASmShKJ:rmyTmNw3zqKcFLRs
MD5:	1D4F8CFC7BBF374CCC3AAE6045B2133D
SHA1:	802EDF0B0ED1D0305BCD6688EE3301366FEC1337
SHA-256:	C04885562F17BAEEFBCD2D4FC29F054EB8A66C44BD015750498C69A912D94C1F
SHA-512:	68643A30FEA87B2B61AF546F42BF32A25459152C1BCCE5A8A881714139CE828DFE4237874FF1E9CC3B78D6CDBEF7DD45C9F3459C3337D83693C704C274AFFF3E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...\|..[.................\...........v............@.................................................................. ...................@...................@...G..................................................$................................text....S.......T.................. ..`.itext..D....p.......X.............. ..`.data...<............`..............@....bss....<Y...............................idata...............z..............@....didata.............................@....edata....... ......................@..@.rdata..E....0......................@..@.reloc...G...@...H..................@..B.rsrc....@.......@..................@..@....................................@..@........................................................

C:\Program Files (x86)\LiteManager Pro - Server\Lang\Taiwan.lg

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	61034
Entropy (8bit):	4.429529654892776
Encrypted:	false
SSDEEP:	768:nebbtdP4XFsh6HWiIZTYp7JtMLG54ttg2kGPyWtvQTznCKDMlV2f:ne3KOhTTocL8HnMlV2f
MD5:	7303B5AE0B8911CEB238DC01419695BE
SHA1:	22B89BDB8FAEC62BA3E66639E38E6271B593944A
SHA-256:	88155FB3F0E198AA4A24F9CFECBB83C5A4E081C6EA362BC50294410CB2FB5C50
SHA-512:	8AE802616AF60BAF214E254F6A55D312DC46B6E3F8BEE5F50E30E372FF38103776278B5FB07A562C2149EEA58107CB427A03B1629F72044AB69D3507E5DFAB15
Malicious:	false
Preview:	[._.s.y.s.t.e.m.].....l.a.n.g.u.a.g.e._.i.d.=.1.0.2.8.........[._.m.e.s.s.a.g.e.s.].....w.e.b._.s.i.t.e. .=. .h.t.t.p.:././.l.i.t.e.m.a.n.a.g.e.r...c.o.m./.....q.u.e.s.t.i.o.n. .=. .OUL.....e.r.r.o.r. .=. ./.......i.n.f.o.r.m.a.t.i.o.n. .=. ........n.o.t.i.f.i.c.a.t.i.o.n. .=. ....w....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.r.e.a.d._.c.o.n.f.i.g.u.r.a.t.i.o.n. .=. .!q.l...S.g.RD}Ka.0\.n.;...e.[. .L.i.t.e.M.a.n.a.g.e.r. ..g.R?.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e. .=. .!q.l-..[ .L.i.t.e.M.a.n.a.g.e.r. .:O.ghV.g.R_U.R!j._.0....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e._.r.e.s.t.a.r.t. .=. .!q.l-..[ .L.i.t.e.M.a.n.a.g.e.r. .:O.ghV.g.R_U.R!j._.0\.n.;....e.._j.\|q}.0....f.m._.s.e.t.t.i.n.g.s._.r.e.s.t.a.r.t._.s.e.r.v.i.c.e._.t.o._.a.p.p.l.y. .=. ....e_U.R .L.M. .:O.ghV.a(u.z._.NWY(u...f.0....f.m._.s.e.c.u.r.i.t.y._.f.o.r.c.e._.g.u.e.s.t. .=. .7_6R.O.(Wdk.\|q}.N-..[.....asTW.@b.g.}..O(u.....S.g.O.X[.S.kP..0 .!q.l.O(u.07_

C:\Program Files (x86)\LiteManager Pro - Server\Lang\Turkish.lg

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	58794
Entropy (8bit):	3.642324420313977
Encrypted:	false
SSDEEP:	768:D+XPobz4qFlRiiXc0HwgHSSxnrKT7nke7GShFBy/x97fuTLY57aC7I/Fj:yPQMw1ZOT7kef1y/X7fuTq4j
MD5:	606DC375E898D7221CCB7CEB8F7C686B
SHA1:	26DCF93876C89283623B8150C1B79EDB24B6A7EC
SHA-256:	F442E440580EA35040E35BF1D85A118E7C182FDE0B9BA2A3C1816DEAB5F822BB
SHA-512:	9FBC42165B51A2020D2DA2FFE33287A4F3AA33639126813B290D329D47C4F4DA8F297A47AF3C1F63AF6F9E1BA47ACE840BC1660D603E17589E5DB6DDA0E1E5B1
Malicious:	false
Preview:	..[._.s.y.s.t.e.m.].....l.a.n.g.u.a.g.e._.i.d.=.1.0.5.5.........[._.m.e.s.s.a.g.e.s.].....w.e.b._.s.i.t.e. .=. .h.t.t.p.:././.l.i.t.e.m.a.n.a.g.e.r...c.o.m./.....q.u.e.s.t.i.o.n. .=. .S.o.r.u.....e.r.r.o.r. .=. .H.a.t.a.....i.n.f.o.r.m.a.t.i.o.n. .=. .B.i.l.g.i.....n.o.t.i.f.i.c.a.t.i.o.n. .=. .B.i.l.d.i.r.i.m.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.r.e.a.d._.c.o.n.f.i.g.u.r.a.t.i.o.n. .=. .H.i.z.m.e.t. .y.a.p.1.l.a.n.d.1.r.m.a.s.1. .o.k.u.n.a.m.1.y.o.r...\.n.;.L.i.t.e.M.a.n.a.g.e.r. .h.i.z.m.e.t.i.n.i. .y.e.n.i.d.e.n. .y...k.l.e.m.e.k. .m.i. .i.s.t.i.y.o.r.s.u.n.u.z.?.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e. .=. .L.i.t.e.M.a.n.a.g.e.r. .h.i.z.m.e.t. .b.a._.l.a.n.g.1... .m.o.d.u.n.u. .a.y.a.r.l.a.y.a.m.1.y.o.r.......f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e._.r.e.s.t.a.r.t. .=. .L.i.t.e.M.a.n.a.g.e.r. .h.i.z.m.e.t. .b.a._.l.a.n.g.1... .m.o.d.u.n.u. .a.y.a.r.l.a.y.a.m.1.y.o.r...\.n.;.S.i.s.t.e.m.i. .y.e.n.i.d.e.n. .b.a._.l.

C:\Program Files (x86)\LiteManager Pro - Server\Lang\Ukrainian.lg

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (305), with CRLF line terminators
Category:	dropped
Size (bytes):	87912
Entropy (8bit):	4.303374267443204
Encrypted:	false
SSDEEP:	768:VUlHxa/yEOYEJNHWjlUu1pZ26ER2nkUTbfk74Q:aNxWREb4lUu1P29R2JbfC4Q
MD5:	3FC082E8F516EAD9FC26AC01E737F9EF
SHA1:	3B67EBCE4400DDCF6B228E5668F3008561FB8F21
SHA-256:	3DC0CEAE11F445B57B17B7C35A90B5133E313CF6B61550AB418252C5B8089C99
SHA-512:	9A9D20AF2F8C27056F58AB5A9C687F5124CE5F6D563E396C9558331FB8BE48E88E148B1FDC548A5EBDEDB451E3D89F2F96856F3BBFD695691D5687599F376421
Malicious:	false
Preview:	..[._.s.y.s.t.e.m.].....l.a.n.g.u.a.g.e._.i.d. .=. .1.0.5.8.........[._.m.e.s.s.a.g.e.s.].....w.e.b._.s.i.t.e. .=. .h.t.t.p.:././.l.i.t.e.m.a.n.a.g.e.r...r.u./.....q.u.e.s.t.i.o.n. .=. ...8.B.0.=.=.O.....e.r.r.o.r. .=. ...>.<.8.;.:.0.....i.n.f.o.r.m.a.t.i.o.n. .=. ...=.D.>.@.<.0.F.V.O.....n.o.t.i.f.i.c.a.t.i.o.n. .=. ...>.2.V.4.>.<.;.5.=.=.O.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.r.e.a.d._.c.o.n.f.i.g.u.r.a.t.i.o.n. .=. ...5.<.>.6.;.8.2.>. .?.@.>.G.8.B.0.B.8. .:.>.=.D.V.3.C.@.0.F.V.N. .A.;.C.6.1.8...\.n.;...5.@.5.2.A.B.0.=.>.2.8.B.8. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r.?.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e. .=. ...5.<.>.6.;.8.2.>. .2.A.B.0.=.>.2.8.B.8. .@.5.6.8.<. .7.0.?.C.A.:.C. .A.;.C.6.1.8. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r.......f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e._.r.e.s.t.a.r.t. .=. ...5.<.>.6.;.8.2.>. .2.A.B.0.=.>.2.8.B.8. .@.5.6.8.<. .7.0.?.C.A.:.C. .A.;.C.6.1.8. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r.

C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6307408
Entropy (8bit):	6.5944937257467116
Encrypted:	false
SSDEEP:	98304:NwiA/GmKEt3LQ7V8z3uHWkd49GMdqOxaB:NOGmKEt31kd2dqwaB
MD5:	63D0964168B927D00064AA684E79A300
SHA1:	B4B9B0E3D92E8A3CBE0A95221B5512DED14EFB64
SHA-256:	33D1A34FEC88CE59BEB756F5A274FF451CAF171A755AAE12B047E678929E8023
SHA-512:	894D8A25E9DB3165E0DAAE521F36BBD6F9575D4F46A2597D13DEC8612705634EFEA636A3C4165BA1F7CA3CDC4DC7D4542D0EA9987DE10D2BC5A6ED9D6E05AECB
Malicious:	false
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......f..................C..F........C.......C...@.......................... i.......`..........@................... N.......M..A...@T...............`.P"...PN.<............................@N.......................M.......N......................text.....C.......C................. ..`.itext...0....C..2....C............. ..`.data... 3....C..4....C.............@....bss........0E..........................idata...A....M..B....E.............@....didata.......N......LE.............@....edata....... N......ZE.............@..@.tls....X....0N..........................rdata..]....@N......\E.............@..@.reloc..<....PN......^E.............@..B.rsrc........@T......DK.............@..@............. i.......`.............@..@................

C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	7753808
Entropy (8bit):	6.615075046955521
Encrypted:	false
SSDEEP:	98304:D4/WZQ7lc63BJGS1VFeIEll251o7+YcMBk2VVyN/RTfCAFIqOx9N:DXQ7SIEXeMBk2V4N/Nq2Iqw9N
MD5:	F3D74B072B9697CF64B0B8445FDC8128
SHA1:	8408DA5AF9F257D12A8B8C93914614E9E725F54C
SHA-256:	70186F0710D1402371CE2E6194B03D8A153443CEA5DDB9FC57E7433CCE96AE02
SHA-512:	004054EF8CDB9E2FEFC3B7783574BFF57D6D5BF9A4624AD88CB7ECCAE29D4DFD2240A0DC60A14480E6722657132082332A3EC3A7C49D37437644A31E59F551AF
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...w#.f.................ZU... ......qU.......U...@.......................... ........v..........@...................._......`_..K....g.. ............v.P"...._.4............................._..................... m_.\|....._......................text....&U......(U................. ..`.itext..$1...@U..2...,U............. ..`.data....@....U..B...^U.............@....bss....0.....V..........................idata...K...`_..L....V.............@....didata......._.......V.............@....edata........_.......V.............@..@.tls....`....._..........................rdata..]....._.......V.............@..@.reloc..4....._.......V.............@..B.rsrc.... ....g.. ....^.............@..@............. ........v.............@..@................

C:\Program Files (x86)\LiteManager Pro - Server\ROMwln.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	999944
Entropy (8bit):	6.626732213066839
Encrypted:	false
SSDEEP:	12288:SA9+TVJdg0YMgqAahyv0jKdTq4lrBhqSq/rt8VwGFrt:SRho0lgqA6yvnrBhq/rQDt
MD5:	ED32E23322D816C3FE2FC3D05972689E
SHA1:	5EEA702C9F2AC0A1AADAE25B09E7983DA8C82344
SHA-256:	7F33398B98E225F56CD287060BEFF6773ABB92404AFC21436B0A20124919FE05
SHA-512:	E505265DD9D88B3199EB0D4B7D8B81B2F4577FABD4271B3C286366F3C1A58479B4DC40CCB8F0045C7CD08FD8BF198029345EEF9D2D2407306B73E5957AD59EDF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...`.-\.................J...........X.......`....@.................................................................. ...................@...........0.......@.. O...................................................................................text...0?.......@.................. ..`.itext..8....P.......D.............. ..`.data....:...`...<...N..............@....bss.....]...............................idata..............................@....didata.............................@....edata....... ......................@..@.rdata..E....0......................@..@.reloc.. O...@...P..................@..B.rsrc....@.......@..................@..@.....................0..............@..@........................................................

C:\Program Files (x86)\LiteManager Pro - Server\Russian.lg

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	94772
Entropy (8bit):	4.284840986247552
Encrypted:	false
SSDEEP:	768:r1kyTyZFOTb6QeZGJXYbFAMrKARuZk7FRwZoFTa2n:rn+2iZGhYbK4KARpAoFTa2n
MD5:	0E204FABE68B4B65ED5E0834651FB732
SHA1:	B338A6E54AA18F3F8A573580520F16C74A51F3D2
SHA-256:	302373D81F0AE15589206420CB01A266804C9FD1C1FF0D6E09CE6BA3FEF92B64
SHA-512:	AAD76F6A76DC693D959389CE471BC585D0DA72737FED99F42F219FDC7C71617C00E8003A467092E12820A359D672C6FB80D99772F3F6433923B2ABB7EEA40F08
Malicious:	false
Preview:	..[._.s.y.s.t.e.m.].....l.a.n.g.u.a.g.e._.i.d.=.1.0.4.9.........[._.m.e.s.s.a.g.e.s.].....w.e.b._.s.i.t.e. .=. .h.t.t.p.:././.l.i.t.e.m.a.n.a.g.e.r...r.u./.....q.u.e.s.t.i.o.n. .=. ...>.?.@.>.A.....e.r.r.o.r. .=. ...H.8.1.:.0.....i.n.f.o.r.m.a.t.i.o.n. .=. ...=.D.>.@.<.0.F.8.O.....n.o.t.i.f.i.c.a.t.i.o.n. .=. ...?.>.2.5.I.5.=.8.5.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.r.e.a.d._.c.o.n.f.i.g.u.r.a.t.i.o.n. .=. ...5.2.>.7.<.>.6.=.>. .?.@.>.G.8.B.0.B.L. .:.>.=.D.8.3.C.@.0.F.8.N. .A.;.C.6.1.K...\.n.;...5.@.5.C.A.B.0.=.>.2.8.B.L. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r.?.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e. .=. ...5.2.>.7.<.>.6.=.>. .C.A.B.0.=.>.2.8.B.L. .@.5.6.8.<. .7.0.?.C.A.:.0. .A.;.C.6.1.K. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r.......f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e._.r.e.s.t.a.r.t. .=. ...5.2.>.7.<.>.6.=.>. .C.A.B.0.=.>.2.8.B.L. .@.5.6.8.<. .7.0.?.C.A.:.0. .A.;.C.6.1.K. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r...\.n.

C:\Program Files (x86)\LiteManager Pro - Server\files\ROMServer.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	7752272
Entropy (8bit):	6.615186281886958
Encrypted:	false
SSDEEP:	98304:y4/WZQ7lc63BJGS1VFeIEll251o7+YcMBk2VVyN/RTfCEFIqOxJn:yXQ7SIEXeMBk2V4N/NqiIqwJn
MD5:	84FB34E529BEDE393A3F604EAA8137B2
SHA1:	195EA03B7BD086454A13C0D8357E0A9E447D9EC9
SHA-256:	1E396C4066AC8F421A54893442A0D76C4F8D4146E63825D67DFC0DA782E73EE5
SHA-512:	A48A80D62E588667B4C891CDED279BABFFA5FB4FDF092F345212F81D29A9ACAA06E6DB27B49DC601909409A3C82AA9272BCDF90D0AE1738E83E80D9FCA4D93E6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......f.................ZU... ......qU.......U...@.......................... ........v..........@...................._......`_..K....g..............(v.P"...._.4............................._..................... m_.\|....._......................text....&U......(U................. ..`.itext..$1...@U..2...,U............. ..`.data....@....U..B...^U.............@....bss....0.....V..........................idata...K...`_..L....V.............@....didata......._.......V.............@....edata........_.......V.............@..@.tls....`....._..........................rdata..]....._.......V.............@..@.reloc..4....._.......V.............@..B.rsrc.........g.......^.............@..@............. .......(v.............@..@................

C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11361360
Entropy (8bit):	6.496049600782297
Encrypted:	false
SSDEEP:	98304:AshiRp5hPI7N9sSA5wbZXJOu/0uOXZYfmQYanSjS+cWuNOlQpgfYLyPsd+QgBBP5:Al5hPwgvyAjDjS+igfgym+bHJxmK
MD5:	B0E355EC3453C8FFAEE08CD4257E96F2
SHA1:	0FA023CA8F1C1ECDADDE3DD3BD551870C2D965E2
SHA-256:	60248BA026064B116E4F94020DABB74DF519F5B4C41379CA19A38D725692CA8E
SHA-512:	B6004F83FD78EED84BF21611EFA45F2FFADF3625E0A2FDCDAE531B4734A4B886EBFE5EBE990DA42302B7368282D83DFFEF19E71DA8EC4C155EE5C8619AD028DD
Malicious:	false
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......f..................v..67.......v...... v...@..........................0...................@...................p...........L...p....+..........:..P"...................................................................`.......................text.....u.......u................. ..`.itext...6....u..8....u............. ..`.data....R... v..T....v.............@....bss.........w..........................idata...L.......N...Xw.............@....didata......`........w.............@....edata.......p........w.............@..@.tls....`................................rdata..].............w.............@..@.reloc................w.............@..B.rsrc.....+..p....+.................@..@.............0.......:..............@..@................

C:\ProgramData\Microsoft\Network\Downloader\edb.chk

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.363788168458258
Encrypted:	false
SSDEEP:	6:6xPoaaD0JOCEfMuaaD0JOCEfMKQmDNOxPoaaD0JOCEfMuaaD0JOCEfMKQmDN:1aaD0JcaaD0JwQQbaaD0JcaaD0JwQQ
MD5:	0E72F896C84F1457C62C0E20338FAC0D
SHA1:	9C071CC3D15E5BD8BF603391AE447202BD9F8537
SHA-256:	686DC879EA8690C42D3D5D10D0148AE7110FA4D8DCCBF957FB8E41EE3D4A42B3
SHA-512:	AAA5BE088708DABC2EC9A7A6632BDF5700BE719D3F72B732BD2DFD1A3CFDD5C8884BFA4951DB0C499AF423EC30B14A49A30FBB831D1B0A880FE10053043A4251
Malicious:	false
Preview:	*.>...........&.....D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................................................&.............................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	1.3108007160208661
Encrypted:	false
SSDEEP:	3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrM:KooCEYhgYEL0In
MD5:	D8749336466819CDACA88D99BDB5379C
SHA1:	D93EF2E140B2ED46A253C1BDA206B8B2C91C9885
SHA-256:	EFDCE324AB90B9D681661311DCF3B5157E5BA9AEBDE27CE4269E899C992D33D6
SHA-512:	1D98987EDB99C5D618B20C4706C61B96F093E112BE77F23E3EC81958FC34E12C6C80DFA6BE9F9C0C86DA73F7D6C10A67CB5B379C3B7A5D5288AF67E49E616F80
Malicious:	false
Preview:	z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0xad4b781c, page size 16384, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.4221961352421052
Encrypted:	false
SSDEEP:	1536:XSB2ESB2SSjlK/uedMrSU0OrsJzvqYkr3g16f2UPkLk+ku4/Iw4KKazAkUk1k2DO:Xazag03A2UrzJDO
MD5:	8977088B3FD9D574C915F8658EEBD674
SHA1:	558D6874578E36F08B4F3134C7D41932CC5C0BB0
SHA-256:	C9366D8C996A2BB0AD50ECCEAC0C036413084A10D97C9E0DD953734BE7612977
SHA-512:	01285B6615EB965C5D503C08402A1913375E1CEA274A23074012C45A48D9FC3F4D46FC8C48E20DFDFEBA94F49ABD504C7B0D00523F529A2E619A37A5364CE6B6
Malicious:	false
Preview:	.Kx.... .......Y.......X\...;...{......................n.%......,...\|..2)...\|..h.#......,...\|..n.%.........D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ............................................................................................................................................................................................................2...{....................................? .,...\|.....................9.,...\|...........................#......n.%.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.0788715398926901
Encrypted:	false
SSDEEP:	3:Y48SltOetYegmShvZ6lDSBAa6lYcolallOE/tlnl+/rTc:Y48SltrzxSY4keHApMP
MD5:	52B5EF3ECA4F8717DF7B3DFAC86F30B3
SHA1:	ADAD7B49FB9E0355FEA6ED3F75CE68D9E24515AA
SHA-256:	FA198DB15C7D8E1B13289C49838513C04081D6EE8C10033780A83B4BE258D613
SHA-512:	3CA170DB128EE400CC147B6C17AFC05536397E648F75D5712B5B6C21CB54277EECEB2BFFC9113B0195AE26274E793C494A34E71349FFF0CEE8ECB3BA3BCC3747
Malicious:	false
Preview:	. .Y.....................................;...{..2)...\|...,...\|...........,...\|...,...\|...1k..,...\|.....................9.,...\|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\Settings for LM-Server.lnk

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Thu Aug 22 17:41:10 2024, mtime=Mon Oct 28 11:41:56 2024, atime=Thu Aug 22 17:41:10 2024, length=7753808, window=hide
Category:	dropped
Size (bytes):	2167
Entropy (8bit):	3.898819567963484
Encrypted:	false
SSDEEP:	48:8c2xfvmObdO8ayo/AZd5Y+d5YsP5qoZkmrSUp8JWqoZkmtn:8cU0y839O5qoZbcJWqoZbt
MD5:	448E906F24834BBB05C573CA54C6BA64
SHA1:	7BE9E5C3936D6BC92FA91026493ED3B90E9ABD8A
SHA-256:	6CD744A0E84672F52C8B64DF3FC8630B9A4399727BBB7A0CF9B05F3CFB87BB65
SHA-512:	13C19CFA5A24BA0B3B61036CD87167E8C9A56ECA45148DE93C6D8E3DDC575799B7B6DC96B42647324A8B543F1605853B6437210F0C563C1402CACF0FCF4F3CBE
Malicious:	false
Preview:	L..................F.@.. .....>.....;J..6)....>.....PPv..........................P.O. .:i.....+00.../C:\.....................1.....\Y;e..PROGRA~2.........O.I\Y;e....................V.........P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....z.1.....\Y<e..LITEMA~1..b......\Y;e\Y=e..............................L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.....h.2.PPv..Y%. .ROMSER~1.EXE..L.......Y%.\Y<e..............................R.O.M.S.e.r.v.e.r...e.x.e.......l...............-.......k...........[........C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe..L.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.\.R.O.M.S.e.r.v.e.r...e.x.e.0.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.\.../.c.o.n.f.i.g.n.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.7.1.F.F.A.4.7.5.-.2.4.D.5.-.4.4.F.B.-.A.5.1.F.-.3.9.B.6.9.9.E.3.D.8.2.C.}.\

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\Start LM-Server.lnk

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
Category:	dropped
Size (bytes):	1890
Entropy (8bit):	3.1573107695942624
Encrypted:	false
SSDEEP:	48:8ddOEPLqd5Y+d5YcCP5q2DT2S0Wq2DTKX7:85LJ9cM5qUoWqUE
MD5:	5FC67E19699B3F0B2AB7B4B89B0B3F1A
SHA1:	6F6380DF2EB8C5D30452A846864F001A8B0E473A
SHA-256:	45451F933B472FA53301D46B7C072AF67E51EC60172E6E9C01E0B308DF78A2F4
SHA-512:	81C7A9F5683DB54893BD26A6EC1BCBDB17983037668CD996E03934E7708331594195DBF2CCE9EB2B0C0567A9E8B24DD629D40866D49E55C9DF77A864D15744E5
Malicious:	false
Preview:	L..................F.@...........................................................P.O. .:i.....+00.../C:\...................z.1...........Program Files (x86).X............................................P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)..."...1...........LiteManager Pro - Server..b............................................L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r...(.h.2...........ROMServer.exe.L............................................R.O.M.S.e.r.v.e.r...e.x.e.......L.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.\.R.O.M.S.e.r.v.e.r...e.x.e.0.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.\.../.s.t.a.r.t.n.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.7.1.F.F.A.4.7.5.-.2.4.D.5.-.4.4.F.B.-.A.5.1.F.-.3.9.B.6.9.9.E.3.D.8.2.C.}.\.R.O.M.S.e.r.v.e.r...e.x.e._.9.D.0.9.B.2.B.C.2.5.A.2.4.1.4.C.B.D.8.4.8.E.2.B.7.5.8.9.8.6.7.6...e.x.e.........%SystemRoot%\In

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\Stop LM-Server.lnk

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Thu Aug 22 17:41:10 2024, mtime=Mon Oct 28 11:41:55 2024, atime=Thu Aug 22 17:41:10 2024, length=7753808, window=hide
Category:	dropped
Size (bytes):	2159
Entropy (8bit):	3.8882393509083983
Encrypted:	false
SSDEEP:	48:882xfvmObdO8aLo/AZd5Y+d5Ys5qcxFWT84SslWqcxFWT8cn:88U0L839s5qcxYT8SWqcxYT8c
MD5:	77A8F30AC33B6C8D09D9CC894DCF0017
SHA1:	4E076BFF777C9F3F53D2F139EF8AD6F6A24CCB5B
SHA-256:	D983900CFDBB252F3927A02899AD58C4A4E8A24BE7F92BC3E4C0F4E8DF2D4519
SHA-512:	B6BABB61F13D503EF722ED6C67FD9B75C8F057A4B01545C355C4A62FE78A76FDC9268C834B672BAC4F6CA7F3F77E00085AD6C13BEE16C54B938D7A56F81D0E57
Malicious:	false
Preview:	L..................F.@.. .....>.....Q#..6)....>.....PPv..........................P.O. .:i.....+00.../C:\.....................1.....\Y;e..PROGRA~2.........O.I\Y;e....................V.........P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....z.1.....\Y<e..LITEMA~1..b......\Y;e\Y<e............................].L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.....h.2.PPv..Y%. .ROMSER~1.EXE..L.......Y%.\Y<e..............................R.O.M.S.e.r.v.e.r...e.x.e.......l...............-.......k...........[........C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe..L.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.\.R.O.M.S.e.r.v.e.r...e.x.e.0.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.\.../.s.t.o.p.l.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.7.1.F.F.A.4.7.5.-.2.4.D.5.-.4.4.F.B.-.A.5.1.F.-.3.9.B.6.9.9.E.3.D.8.2.C.}.\.s.t

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\Uninstall LiteManager - Server.lnk

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Icon number=0, Archive, ctime=Sat Dec 7 08:10:02 2019, mtime=Wed Oct 4 09:56:56 2023, atime=Sat Dec 7 08:10:02 2019, length=59904, window=hide
Category:	dropped
Size (bytes):	1953
Entropy (8bit):	3.867551442081923
Encrypted:	false
SSDEEP:	48:8Wn0lFWub0ZfHOn5qmjlt6ScWqmjltZwnt:8w0l/amn5qmjlmWqmjl
MD5:	8F76AA97C80932A3167E7E188EE8FEDE
SHA1:	391E7C47186585B2FF6B7BC10BD917F3EF4C3152
SHA-256:	60A6C016964660A48391804B1F8597ADAE0399396501DF720377E63EE4523547
SHA-512:	987D9D57472C87910B531E6730CD6E02F85A806DB141DD1BB99078262EEC7CD26D769A8C96640208A7FD23E62C2EEDB5870796ADD828DAC7B82B21547B90AEE2
Malicious:	false
Preview:	L..................F.@.. ...25.....1>.~....25.............................A....P.O. .:i.....+00.../C:\...................V.1.....DWR`..Windows.@......OwH\Y7e....3.........................W.i.n.d.o.w.s.....Z.1.....\Y4e..SysWOW64..B......O.I\Y7e....Y.......................$.S.y.s.W.O.W.6.4.....b.2......OBI .msiexec.exe.H......OBIDW.V................\|.............m.s.i.e.x.e.c...e.x.e.......N...............-.......M...........[........C:\Windows\SysWOW64\msiexec.exe........\.....\.....\.....\.....\.....\.W.i.n.d.o.w.s.\.S.y.s.W.O.W.6.4.\.m.s.i.e.x.e.c...e.x.e.)./.x. .{.7.1.F.F.A.4.7.5.-.2.4.D.5.-.4.4.F.B.-.A.5.1.F.-.3.9.B.6.9.9.E.3.D.8.2.C.}.s.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.7.1.F.F.A.4.7.5.-.2.4.D.5.-.4.4.F.B.-.A.5.1.F.-.3.9.B.6.9.9.E.3.D.8.2.C.}.\.U.N.I.N.S.T._.U.n.i.n.s.t.a.l.l._.L._.7.8.A.A.5.B.6.6.6.2.5.1.4.D.9.4.A.8.4.7.D.6.C.6.0.3.A.F.0.8.9.5...e.x.e.........%SystemRoot%\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\UNINST_Uninstall_L_78AA5B6662514D94A847D6C6

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.182622480217121
Encrypted:	false
SSDEEP:	6:yMN+q2Pwkn2nKuAl9OmbnIFUt8hzKXZmw+hNd3VkwOwkn2nKuAl9OmbjLJ:VIvYfHAahFUt816/+j5JfHAaSJ
MD5:	DF3C88F714C13719B0DEF255FBDC093B
SHA1:	51D6AB81DB20B45FAC239DAAC24D574E2A5D0240
SHA-256:	2AF9E1BD1B574B2F9EFB38A0B5DC5C944F3F21CAD2234669DABB81F2F464EDE5
SHA-512:	3B63F1609D1FB4AD8AC058D2510EBC24F5C1E9529462772273388A94BA5EDFE5FD3066A6B91A9D229FC981F020BFF2FD24526D105647539C26926CC56A590E4B
Malicious:	false
Preview:	2024/10/28-08:41:50.426 cc8 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/10/28-08:41:50.428 cc8 Recovering log #3.2024/10/28-08:41:50.429 cc8 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.182622480217121
Encrypted:	false
SSDEEP:	6:yMN+q2Pwkn2nKuAl9OmbnIFUt8hzKXZmw+hNd3VkwOwkn2nKuAl9OmbjLJ:VIvYfHAahFUt816/+j5JfHAaSJ
MD5:	DF3C88F714C13719B0DEF255FBDC093B
SHA1:	51D6AB81DB20B45FAC239DAAC24D574E2A5D0240
SHA-256:	2AF9E1BD1B574B2F9EFB38A0B5DC5C944F3F21CAD2234669DABB81F2F464EDE5
SHA-512:	3B63F1609D1FB4AD8AC058D2510EBC24F5C1E9529462772273388A94BA5EDFE5FD3066A6B91A9D229FC981F020BFF2FD24526D105647539C26926CC56A590E4B
Malicious:	false
Preview:	2024/10/28-08:41:50.426 cc8 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/10/28-08:41:50.428 cc8 Recovering log #3.2024/10/28-08:41:50.429 cc8 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	336
Entropy (8bit):	5.162881725866635
Encrypted:	false
SSDEEP:	6:yWR4q2Pwkn2nKuAl9Ombzo2jMGIFUt8hURJZmw+h1DkwOwkn2nKuAl9Ombzo2jM4:xR4vYfHAa8uFUt86J/+bD5JfHAa8RJ
MD5:	DB682BF6ACDB5886D773BC12C9969068
SHA1:	FA0F09F94B2B11AC051DAA16E325F30514BC0970
SHA-256:	BD4C36A25AAEB72B2C15E254AA2B3C8517E1BA1D736E85B9EB0BD52C12F56AAC
SHA-512:	39FD461C60E4909E26B5749988226A7B9CBFC76BF8D5689AB9F846644E365B72B79984E5069DA27EBBADDA4928FF8A5CE577403F34ADBC018B88DF1FA1FA953A
Malicious:	false
Preview:	2024/10/28-08:41:50.471 1c20 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/10/28-08:41:50.473 1c20 Recovering log #3.2024/10/28-08:41:50.474 1c20 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	336
Entropy (8bit):	5.162881725866635
Encrypted:	false
SSDEEP:	6:yWR4q2Pwkn2nKuAl9Ombzo2jMGIFUt8hURJZmw+h1DkwOwkn2nKuAl9Ombzo2jM4:xR4vYfHAa8uFUt86J/+bD5JfHAa8RJ
MD5:	DB682BF6ACDB5886D773BC12C9969068
SHA1:	FA0F09F94B2B11AC051DAA16E325F30514BC0970
SHA-256:	BD4C36A25AAEB72B2C15E254AA2B3C8517E1BA1D736E85B9EB0BD52C12F56AAC
SHA-512:	39FD461C60E4909E26B5749988226A7B9CBFC76BF8D5689AB9F846644E365B72B79984E5069DA27EBBADDA4928FF8A5CE577403F34ADBC018B88DF1FA1FA953A
Malicious:	false
Preview:	2024/10/28-08:41:50.471 1c20 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/10/28-08:41:50.473 1c20 Recovering log #3.2024/10/28-08:41:50.474 1c20 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	475
Entropy (8bit):	4.966073469579267
Encrypted:	false
SSDEEP:	12:YH/um3RA8sqsNRHxsBdOg2HlItAcaq3QYiubInP7E4T3y:Y2sRdsBRHidMH+J3QYhbG7nby
MD5:	4008866189CC80D8D01B7405BF9ADFD8
SHA1:	BA518FF75585D079A4DFD550A5BCB433EE276E10
SHA-256:	CE330C613D63C3D22C93ACCF695B7C9AC9FE44922D7688C4B33F8A30303A21B4
SHA-512:	6C6746B737ED0DDA6A99D69952D7155FE998007D8B6AACF4CE7699C3DAE4C0EE4E79BCFB8C697901FA42D6B984DAD8AD0E95256D987279895FE7BAD4F3FD2E74
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13374679316345408","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":246135},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.4","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\d7ce3dde-793c-445f-b1fd-259066d9cd47.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	modified
Size (bytes):	475
Entropy (8bit):	4.966073469579267
Encrypted:	false
SSDEEP:	12:YH/um3RA8sqsNRHxsBdOg2HlItAcaq3QYiubInP7E4T3y:Y2sRdsBRHidMH+J3QYhbG7nby
MD5:	4008866189CC80D8D01B7405BF9ADFD8
SHA1:	BA518FF75585D079A4DFD550A5BCB433EE276E10
SHA-256:	CE330C613D63C3D22C93ACCF695B7C9AC9FE44922D7688C4B33F8A30303A21B4
SHA-512:	6C6746B737ED0DDA6A99D69952D7155FE998007D8B6AACF4CE7699C3DAE4C0EE4E79BCFB8C697901FA42D6B984DAD8AD0E95256D987279895FE7BAD4F3FD2E74
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13374679316345408","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":246135},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.4","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	4320
Entropy (8bit):	5.256633690978405
Encrypted:	false
SSDEEP:	96:etJCV4FAsszrNamjTN/2rjYMta02fDtehgO7BtTgo7PQ62:etJCV4FiN/jTN/2r8Mta02fEhgO73goU
MD5:	E5D36F4BFA1D9BCBA12DBB5F1025B182
SHA1:	15FF7D5C4CC363AA51B036F4BC2DA2806C34D3B2
SHA-256:	3E38E9E58409BF438ED3D393663FCDD517688D66343E6CC29FF359C5362CF6A4
SHA-512:	0E828B375D7BC5AC719668DA188284319D3E7BAA1E54F2EDEDC450E07FCC139AD2EE0B29BC7446904E602C01703537C8FAF68D57D5ED40F5A52230E6B015035B
Malicious:	false
Preview:	*...#................version.1..namespace-['O.o................next-map-id.1.Pnamespace-158f4913_074a_4bdf_b463_eb784cc805b4-https://rna-resource.acrobat.com/.0>...r................next-map-id.2.Snamespace-fd2db5bd_ef7e_4124_bfa7_f036ce1d74e5-https://rna-v2-resource.acrobat.com/.1O..r................next-map-id.3.Snamespace-cd5be8d1_42d2_481d_ac0e_f904ae470bda-https://rna-v2-resource.acrobat.com/.2.\.o................next-map-id.4.Pnamespace-6070ce43_6a74_4d0a_9cb8_0db6c3126811-https://rna-resource.acrobat.com/.3....^...............Pnamespace-158f4913_074a_4bdf_b463_eb784cc805b4-https://rna-resource.acrobat.com/..\|.^...............Pnamespace-6070ce43_6a74_4d0a_9cb8_0db6c3126811-https://rna-resource.acrobat.com/n..Fa...............Snamespace-fd2db5bd_ef7e_4124_bfa7_f036ce1d74e5-https://rna-v2-resource.acrobat.com/DQ..a...............Snamespace-cd5be8d1_42d2_481d_ac0e_f904ae470bda-https://rna-v2-resource.acrobat.com/i.`do................next-map-id.5.Pnamespace-de635bf2_6773_4d83_ad16_

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.16042718979107
Encrypted:	false
SSDEEP:	6:yu34q2Pwkn2nKuAl9OmbzNMxIFUt8hXJZmw+hXDkwOwkn2nKuAl9OmbzNMFLJ:h34vYfHAa8jFUt8xJ/+xD5JfHAa84J
MD5:	E4E14B8C23F28ADE7625601ECD3C490A
SHA1:	493F433C822F8C954002CF6471D62A3B97D62979
SHA-256:	5941ECC00CAFF7A694D52BDB314013131140DBA3098E4C56668F03A588A048DF
SHA-512:	DA63F3DBD600F45844E04AB64C6103DDFADE8FB6FE7F2F50FAE97A3136658134700E80A9F62FF965C24CBA96620D8B3FCD3DC4BB765F7271E990AAD69CE65DE2
Malicious:	false
Preview:	2024/10/28-08:41:50.590 1c20 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/10/28-08:41:50.591 1c20 Recovering log #3.2024/10/28-08:41:50.591 1c20 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.16042718979107
Encrypted:	false
SSDEEP:	6:yu34q2Pwkn2nKuAl9OmbzNMxIFUt8hXJZmw+hXDkwOwkn2nKuAl9OmbzNMFLJ:h34vYfHAa8jFUt8xJ/+xD5JfHAa84J
MD5:	E4E14B8C23F28ADE7625601ECD3C490A
SHA1:	493F433C822F8C954002CF6471D62A3B97D62979
SHA-256:	5941ECC00CAFF7A694D52BDB314013131140DBA3098E4C56668F03A588A048DF
SHA-512:	DA63F3DBD600F45844E04AB64C6103DDFADE8FB6FE7F2F50FAE97A3136658134700E80A9F62FF965C24CBA96620D8B3FCD3DC4BB765F7271E990AAD69CE65DE2
Malicious:	false
Preview:	2024/10/28-08:41:50.590 1c20 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/10/28-08:41:50.591 1c20 Recovering log #3.2024/10/28-08:41:50.591 1c20 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3040000, file counter 16, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 16
Category:	dropped
Size (bytes):	86016
Entropy (8bit):	4.445218650180628
Encrypted:	false
SSDEEP:	384:Cexci5tIiBA7aDQPsknQ0UNCFOa14ocOUw6zyFzqFkdZ+EUTTcdUZ5yDQhJL:dvs3OazzU89UTTgUL
MD5:	A6C1E3D40F6344FF8F1EABAEF782E9EE
SHA1:	49FE33D0451205898B07A5AD60ECDDED87CFBEAD
SHA-256:	6FCD10FAD2F1F7684A0E405B64AB10E12AFF66F148938605044F968E52588290
SHA-512:	A6C21AF2E6446CFA9CE0B9D4356ECF37343F4EE71404B43A866B3FEBE016A6D77E7BD04129AAF13D919164C66DD2E67E708A821FBBA83182B23FE512B64CD420
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................c.......1........T...U.1.D............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	2.2083438934116018
Encrypted:	false
SSDEEP:	24:7+tKmnuwKXqL7zkrFsgIFsxX3pALXmnHpkDGjmcxBSkomXk+2m9RFTsyg+wmf9Mj:7MnnCXq/mFTIF3XmHjBoGGR+jMz+LhL6
MD5:	BF19276D1DD9A8BBAFE780DE9408FA68
SHA1:	5B7AC45EFBA2FC871AACF74963AEF9A2C27ED5AC
SHA-256:	1DAC5FD8B290EE83B5AD33B3425145CC509E2FBA75EBA695DDEBA9A3BAB6215B
SHA-512:	E85DFCA190881BEEDF1E06CF67BDE34F62FE926A15E94B290810638E63D7F6C4C80A0313CBD1256AC6F3D675E3C015F50EF0575848FE42CBBD89B1A15AD06C7D
Malicious:	false
Preview:	.... .c.....to.i........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	Certificate, Version=3
Category:	dropped
Size (bytes):	1391
Entropy (8bit):	7.705940075877404
Encrypted:	false
SSDEEP:	24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
MD5:	0CD2F9E0DA1773E9ED864DA5E370E74E
SHA1:	CABD2A79A1076A31F21D253635CB039D4329A5E8
SHA-256:	96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
SHA-512:	3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
Malicious:	false
Preview:	0..k0..S............@.YDc.c...0....H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0....H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.\|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I......A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.\|C.t..t.....0.[q6....00\H..;..}`...).........A.......\|.;F.H..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..\|o..;.....'...}~.."......

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	192
Entropy (8bit):	2.7485180290352824
Encrypted:	false
SSDEEP:	3:kkFkl4LPpttfllXlE/HT8kN7vNNX8RolJuRdxLlGB9lQRYwpDdt:kKhLPDeT867VNMa8RdWBwRd
MD5:	40AAD61336A2C3AC131DBAB6B7EA6FDC
SHA1:	998F904E221E30237E00BFC8F4C26B45F8F9D152
SHA-256:	EA94B0CBAF212DD481F7E3D49945E51C1F231F3C752DC1B86B0DE13B27F57310
SHA-512:	8F1B05B33DC65A95598675D49D735EF703C2BF6320D7119BA5F08B4F1461A138D2089545E2B5DD28C1B5E75B55C7F5C1F75CC25E72B036D9B47707F58298F429
Malicious:	false
Preview:	p...... ........K...6)..(....................................................... ..........W....j...............o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.150184159866505
Encrypted:	false
SSDEEP:	6:kK+DL9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:GDiDnLNkPlE99SNxAhUe/3
MD5:	BA34A710DC79BE3958B7BD3EB877623A
SHA1:	D1FB8B088EE576905AADAB688D96C0F517DA4D8F
SHA-256:	ADA9A7F4A1637DEB5055B55BEBC7DEB68D4DDD8ECF930C1AC7AF10B1E13D8C16
SHA-512:	76113D4287F5627D24FD607900C5E75EB7A7F6F9BDD267C5D0B521E20C8372B6787978549FA8B8C894B3534D4C7EE788588A0B912D7BA76B001186C57DBDD6BD
Malicious:	false
Preview:	p...... ............6)..(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.5012

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	185099
Entropy (8bit):	5.182478651346149
Encrypted:	false
SSDEEP:	1536:JsVoWFMWQNk1KUQII5J5lZRT95tFiQibVJDS+Stu/3IVQBrp3Mv9df0CXLhNHqTM:bViyFXE07ZmandGCyN2mM7IgOP0gC
MD5:	94185C5850C26B3C6FC24ABC385CDA58
SHA1:	42F042285037B0C35BC4226D387F88C770AB5CAA
SHA-256:	1D9979A98F7C4B3073BC03EE9D974CCE9FE265A1E2F8E9EE26A4A5528419E808
SHA-512:	652657C00DD6AED1A132E1DFD0B97B8DF233CDC257DA8F75AC9F2428F2F7715186EA8B3B24F8350D409CC3D49AFDD36E904B077E28B4AD3E4D08B4DBD5714344
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:AgencyFB-Reg.FamilyName:Agency FB.StyleName:Regular.MenuName:Agency FB.StyleBits:0.WeightClass:400.WidthClass:3.AngleClass:0.FullName:Agency FB.WritingScript:Roman.hasSVG:no.hasCOLR:no.VariableFontType:NonVariableFont.WinName:Agency FB.FileLength:58920.NameArray:0,Win,1,Agency FB.NameArray:0,Mac,4,Agency FB.NameArray:0,Win,1,Agency FB.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:AgencyFB-Bold.FamilyName:Agency FB.StyleName:Bold.MenuName:Agency FB.StyleBits:2.WeightClass:700.WidthClass:3.AngleClass:0.FullName:Agency FB Bold.WritingScript:Roman.hasSVG:no.hasCOLR:no.VariableFontType:NonVariableFont.WinName:Agency FB Bold.FileLength:60656.NameArray:0,Win,1,Agency FB.NameArray:0,Mac,4,Agency FB Bold.NameArray:0,Win,1,Agency FB.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:Algerian.FamilyName:Algerian.StyleName:Regular.MenuName:Algerian.StyleBits:0.We

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	185099
Entropy (8bit):	5.182478651346149
Encrypted:	false
SSDEEP:	1536:JsVoWFMWQNk1KUQII5J5lZRT95tFiQibVJDS+Stu/3IVQBrp3Mv9df0CXLhNHqTM:bViyFXE07ZmandGCyN2mM7IgOP0gC
MD5:	94185C5850C26B3C6FC24ABC385CDA58
SHA1:	42F042285037B0C35BC4226D387F88C770AB5CAA
SHA-256:	1D9979A98F7C4B3073BC03EE9D974CCE9FE265A1E2F8E9EE26A4A5528419E808
SHA-512:	652657C00DD6AED1A132E1DFD0B97B8DF233CDC257DA8F75AC9F2428F2F7715186EA8B3B24F8350D409CC3D49AFDD36E904B077E28B4AD3E4D08B4DBD5714344
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:AgencyFB-Reg.FamilyName:Agency FB.StyleName:Regular.MenuName:Agency FB.StyleBits:0.WeightClass:400.WidthClass:3.AngleClass:0.FullName:Agency FB.WritingScript:Roman.hasSVG:no.hasCOLR:no.VariableFontType:NonVariableFont.WinName:Agency FB.FileLength:58920.NameArray:0,Win,1,Agency FB.NameArray:0,Mac,4,Agency FB.NameArray:0,Win,1,Agency FB.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:AgencyFB-Bold.FamilyName:Agency FB.StyleName:Bold.MenuName:Agency FB.StyleBits:2.WeightClass:700.WidthClass:3.AngleClass:0.FullName:Agency FB Bold.WritingScript:Roman.hasSVG:no.hasCOLR:no.VariableFontType:NonVariableFont.WinName:Agency FB Bold.FileLength:60656.NameArray:0,Win,1,Agency FB.NameArray:0,Mac,4,Agency FB Bold.NameArray:0,Win,1,Agency FB.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:Algerian.FamilyName:Algerian.StyleName:Regular.MenuName:Algerian.StyleBits:0.We

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	4
Entropy (8bit):	0.8112781244591328
Encrypted:	false
SSDEEP:	3:e:e
MD5:	DC84B0D741E5BEAE8070013ADDCC8C28
SHA1:	802F4A6A20CBF157AAF6C4E07E4301578D5936A2
SHA-256:	81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
SHA-512:	65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
Malicious:	false
Preview:	....

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2145
Entropy (8bit):	5.0662198120036965
Encrypted:	false
SSDEEP:	48:Y12sL0/EY0bMSlMtCM5mMOpiMAW0MretMSMmkaMY:Jv/SYtt55V6AWLre6JmkhY
MD5:	C513BE3FF585771CDC3BA1965F89DD37
SHA1:	CDCA888D9A8EC2407436CF3D95BE432977C0139A
SHA-256:	E2585240A8D91E209E547A413703419C2E6DCA1F1AD0B25DA47A39A2826413F2
SHA-512:	F3FFDDFECB3A6FA9466F05EA1FDB3112F712CB0B49203952DD1E54B3248648F3E8D04A4FDCDA9528D4EDFF85CE55E366268901876382888D5B81F9A5DBAB795C
Malicious:	false
Preview:	{"all":[{"id":"TESTING","info":{"dg":"DG","sid":"TESTING"},"mimeType":"file","size":4,"ts":1730119313000},{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"23c88c8acf166d9fda5ae4d83df3db72","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":1250,"ts":1696420889000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"d5fa85f4cf271b5fa75367efd1b392fa","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1696420884000},{"id":"DC_FirstMile_Right_Sec_Surface","info":{"dg":"7c2ad79e375e3ea39f82a389e8a5841f","sid":"DC_FirstMile_Right_Sec_Surface"},"mimeType":"file","size":294,"ts":1696420882000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"c3af48ba3dee086edbbf20dff46c7ee0","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1255,"ts":1696333862000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"7101e009d8bf8920d0a3dd3f5dc75ebc","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1250,"ts":1696333862000},{"id":"DC_Reader_Edit_LHP_Banner"

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3040000, file counter 25, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 25
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	1.1871285333041803
Encrypted:	false
SSDEEP:	48:TGufl2GL7msEHUUUUUUUU02SvR9H9vxFGiDIAEkGVvpww:lNVmswUUUUUUUU02+FGSIt0w
MD5:	FF8F8E56A90722A5142362963C34F999
SHA1:	707197912AC05661C1054D73A3316A6EF5527271
SHA-256:	72B4E94215F669334819179F97501A54AAFF77F88C8CE77E030185148ECA3599
SHA-512:	0795D5D0AC813A2F6CB57A428F16C1478B9D94970BB45B1354402B3FA874C15153D3E150A16AA38602FAFACE80B01C69E9B9D1E1A9BCB84961B47F98E019FBA1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	1.6061725053394198
Encrypted:	false
SSDEEP:	48:7M4KUUUUUUUUUU0UvR9H9vxFGiDIAEkGVvkqFl2GL7msl:7sUUUUUUUUUU0EFGSItWKVmsl
MD5:	79D72CD66C20DF58AE6DFB96F03A0A76
SHA1:	16AAB5B93A738C100BBAB73B90B70341FBF92BCB
SHA-256:	84342EE3009AEDAEA91465A741DFE18C9CFC22E89F44B7C72ABBBA932BD2178D
SHA-512:	13321C6367601EAFB68D216473C48392EF2B23A57C1090A533E3D34FE1C22863E979C4728BD5058FC47CBBCC59C5E794BAFBD86022EDBBA9056DFDB14CDD91C4
Malicious:	false
Preview:	.... .c.......0.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................f.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Doc.pdf

Download File

Process:	C:\Users\user\Desktop\0438.pdf.exe
File Type:	PDF document, version 1.7, 1 pages (zip deflate encoded)
Category:	dropped
Size (bytes):	125552
Entropy (8bit):	7.579988719622451
Encrypted:	false
SSDEEP:	1536:N0N5xSlECZcbZ42IlWpy67H/AvLpMpBXCF4KMvX6UkMZdEMLHMgifPdEoLIeLA+6:CNPSiJZ4xy8DlivXREMBOlEoMeLjCiQ
MD5:	7827620BA2CD12D54B41C006BA4D686C
SHA1:	F6B40CB23006AD0E1AFD4C08CA943A75258FAB34
SHA-256:	9DAA46F8D84B0E65E2D5FDF7FCD80FF6CA922278C32A2B5C9425C0C5EF7D2096
SHA-512:	9782FB4DBA6F62A589BF213AE5CCE3F66514319363F499B584DC854ACC1DCD94221102BDDAC982AA9DB36C5B7696BD1ABACF7C15771CDECC317B2F3421CCA321
Malicious:	false
Preview:	%PDF-1.7..%......1 0 obj..<</Type/Catalog/Pages 2 0 R/Lang(en) /StructTreeRoot 11 0 R/MarkInfo<</Marked true>>/Metadata 22 0 R/ViewerPreferences 23 0 R>>..endobj..2 0 obj..<</Type/Pages/Count 1/Kids[ 3 0 R] >>..endobj..3 0 obj..<</Type/Page/Parent 2 0 R/Resources<</Font<</F1 5 0 R>>/ExtGState<</GS7 7 0 R/GS8 8 0 R>>/XObject<</Image9 9 0 R>>/ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 612 792] /Contents 4 0 R/Group<</Type/Group/S/Transparency/CS/DeviceRGB>>/Tabs/S/StructParents 0>>..endobj..4 0 obj..<</Filter/FlateDecode/Length 188>>..stream..x.E.K..@.......R..!.4 .\|$FB.."ZH.+............x.h..!/."..f....X.Q.8M.D0aGK..+.J{x.....(.kJ.FBJ&\|.7J...H..f..%..Nory..M'...m9%g.......4.(AV&............2...H..B...Z..o.V#.c.....6k..endstream..endobj..5 0 obj..<</Type/Font/Subtype/TrueType/Name/F1/BaseFont/BCDEEE+Calibri/Encoding/WinAnsiEncoding/FontDescriptor 6 0 R/FirstChar 32/LastChar 32/Widths 20 0 R>>..endobj..6 0 obj..<</Type/FontDescriptor/FontName/BCDEEE+Calibri/Flags 3

C:\Users\user\AppData\Local\Temp\acrobat_sbx\A91vigrvg_14z50oy_3v8.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)
Category:	dropped
Size (bytes):	144514
Entropy (8bit):	7.992637131260696
Encrypted:	true
SSDEEP:	3072:OvjeSq37BcXWpJ/PwBI4lsRMoZVaJctHtTx8EOyhnL:Cjc7BcePUsSSt38snL
MD5:	BA1716D4FB435DA6C47CE77E3667E6A8
SHA1:	AF6ADF9F1A53033CF28506F33975A3D1BC0C4ECF
SHA-256:	AD771EC5D244D9815762116D5C77BA53A1D06CEBA42D348160790DBBE4B6769D
SHA-512:	65249DB52791037E9CC0EEF2D07A9CB1895410623345F2646D7EA4ED7001F7273C799275C3342081097AF2D231282D6676F4DBC4D33C5E902993BE89B4A678FD
Malicious:	false
Preview:	PK.........D.Y...>)...).......mimetypeapplication/vnd.adobe.air-ucf-package+zipPK.........D.Y.+.`............message.xml.]is.8...[.....Oq.'...S...g.X+;....%X."U$.....}.P.%....8.tl. ...../..}......A.......,...a...r.....=..i{......0H..v.g.c0.3~....G.b....,.BvJ.'./.`xJ]..O./.!K...XG?.$.,=.Z...q.f~...,..:b.Pl..f..\|....,.A.....Z..a<.C._..../G\|....q.....~.?...G.............y+.. ...s.,.2...^uon..:....~....C....i.>.<hy..x..?....F.w..4e.\|.'...#?..a......i...W.".+...'.......,..6..... ..}.........llj.>.3v.."..CdA.".....v...4H..C]>........4..$.O........9._..C{(....A~.k...f.x8.<... l!..}...ol.q.......2.s.Y..&:....>...l.S..w.t^D.C....]0......L...z[`J<.....L.1t-.Z.n..7.)...aj;.0.r\|.._.V......JWT.>.p.?s....boN.....X.jkN.9..3jN.9..t...o..c.nX4......0.D.....Cv .....!k..........d.1B....=3.Bq.E.bo.....6..r..6@.b...T......Ig...(..(K].:...#..k..q2G."o.Tz...qJ.......;?\|~..1...J...RA...'..*C...T...dNMZ.3.z-..LCI..I..-.,.Y.J.....m.KY}.Lw......G........-.(E....b..^..}..

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-10-28 08-41-52-428.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with very long lines (393)
Category:	dropped
Size (bytes):	16525
Entropy (8bit):	5.345946398610936
Encrypted:	false
SSDEEP:	384:zHIq8qrq0qoq/qUILImCIrImI9IWdFdDdoPtPTPtP7ygyAydy0yGV///X/J/VokV:nNW
MD5:	8947C10F5AB6CFFFAE64BCA79B5A0BE3
SHA1:	70F87EEB71BA1BE43D2ABAB7563F94C73AB5F778
SHA-256:	4F3449101521DA7DF6B58A2C856592E1359BA8BD1ACD0688ECF4292BA5388485
SHA-512:	B76DB9EF3AE758F00CAF0C1705105C875838C7801F7265B17396466EECDA4BCD915DA4611155C5F2AD1C82A800C1BEC855E52E2203421815F915B77AA7331CA0
Malicious:	false
Preview:	SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:088+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="SetConfig:

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with very long lines (393), with CRLF line terminators
Category:	dropped
Size (bytes):	15114
Entropy (8bit):	5.343438421198478
Encrypted:	false
SSDEEP:	384:sT/O6+HiPD4AZbeS0+c68SX6SxGy+3LKR+FxHj3k1qF8GovFd53tMLMdUBrGm7jL:mLa
MD5:	3BEF3B4396AE411BAC3AA5C998A63902
SHA1:	F9E20DE34ACE206339F41E2EC396818FE3F0EDD4
SHA-256:	DDA53BC32E47F402F4F8E8A1BF102E77649360B45A4B88352EF29D829FE27EDF
SHA-512:	82DECB69BDDE4E120937748E0A4C0726BBDAB7DC7E5C31743193126D53C7EAEFAE3BF2DCB488EF13064F89404B1BFDD6033D9B20960480F736F0593E95831315
Malicious:	false
Preview:	SessionID=f1b85d4c-1bd5-4454-bb04-bd7f94ce0be9.1730119312439 Timestamp=2024-10-28T08:41:52:439-0400 ThreadID=7624 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=f1b85d4c-1bd5-4454-bb04-bd7f94ce0be9.1730119312439 Timestamp=2024-10-28T08:41:52:458-0400 ThreadID=7624 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=f1b85d4c-1bd5-4454-bb04-bd7f94ce0be9.1730119312439 Timestamp=2024-10-28T08:41:52:458-0400 ThreadID=7624 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=f1b85d4c-1bd5-4454-bb04-bd7f94ce0be9.1730119312439 Timestamp=2024-10-28T08:41:52:458-0400 ThreadID=7624 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=f1b85d4c-1bd5-4454-bb04-bd7f94ce0be9.1730119312439 Timestamp=2024-10-28T08:41:52:459-0400 ThreadID=7624 Component=ngl-lib_NglAppLib Description="SetConf

C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	29752
Entropy (8bit):	5.388218891859777
Encrypted:	false
SSDEEP:	768:anddBuBYZwcfCnwZCnR8Bu5hx18HoCnLlAY+iCBuzhLCnx1CnPrRRFS10l8gT2rk:w
MD5:	79BDFFD03E064B88A6271A859BBAD214
SHA1:	706E3FEA7BCD81A700686F9090B7C4DE119B0FAD
SHA-256:	96B624CA937A026C38CB7E16CF118ACFF98449F0DFF291F4845D015B202A03D3
SHA-512:	099CE03E95EEFA0AAAE54C0497B995BC9D585810582B328F9DD5D7990B717E4F5123ADB19E210E129E1413FD94774C9A088F40270ABB3A5012012EFDCCB17C43
Malicious:	false
Preview:	03-10-2023 12:50:40:.---2---..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : *************************************..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : ***********************************..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : **** Starting new session ******..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : Starting NGL..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..03-10-2023 12:50:40:.Closing File..03-10-

C:\Users\user\AppData\Local\Temp\acrocef_low\492c0f09-8a3a-43fa-9f8d-1ca7cae20b7a.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081
Category:	dropped
Size (bytes):	1407294
Entropy (8bit):	7.97605879016224
Encrypted:	false
SSDEEP:	24576:/M7o5dpy6mlind9j2kvhsfFXpAXDgrFBU2/R077WLaGZjZwYIGNPJe:RB3mlind9i4ufFXpAXkrfUs03WLaGZje
MD5:	716C2C392DCD15C95BBD760EEBABFCD0
SHA1:	4B4CE9C6AED6A7F809236B2DAFA9987CA886E603
SHA-256:	DD3E6CFC38DA1B30D5250B132388EF73536D00628267E7F9C7E21603388724D8
SHA-512:	E164702386F24FF72111A53DA48DC57866D10DAE50A21D4737B5687E149FF9D673729C5D2F2B8DA9EB76A2E5727A2AFCFA5DE6CC0EEEF7D6EBADE784385460AF
Malicious:	false
Preview:	...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E\|.P..$ni.{.....T.^~<m-..J....RQk....f.....q.......V.rC.M.b.DiL\.....wq....$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..DT...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.........R.....j.WD).M..9.Fw...W.-a..z.l\..u.^....L..^.`.T...l.^.B.DMc.d....i...o.\|M.uF\|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,.e....5...X.}6.P....y\.s\|..Si..BB..y...~.....D^g...7'T-.5.!K.$\...2.

C:\Users\user\AppData\Local\Temp\acrocef_low\57f7a811-889f-4f4c-abdd-7bfc3c3749d5.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
Category:	dropped
Size (bytes):	386528
Entropy (8bit):	7.9736851559892425
Encrypted:	false
SSDEEP:	6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
MD5:	5C48B0AD2FEF800949466AE872E1F1E2
SHA1:	337D617AE142815EDDACB48484628C1F16692A2F
SHA-256:	F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
SHA-512:	44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
Malicious:	false
Preview:	...........]s[G. Z...{....;...J$%K&..%.[..k...S....$,.`. )Z..m........a.......o..7.VfV...S..HY}Ba.<.NUVVV~W.].;qG4..b,N..#1.=1.#1..o.Fb.........IC.....Z...g_~.OO.l..g.uO...bY.,[..o.s.D<..W....w....?$4..+..%.[.?..h.w<.T.9.vM.!..h0......}..H..$[...lq,....>..K.)=..s.{.g.O...S9".....Q...#...+..)>=.....\|6......<4W.'.U.j$....+..=9...l.....S..<.\.k.'....{.1<.?..<..uk.v;.7n.!...g....."P..4.U........c.KC..w._G..u..g./.g....{'^.-\|..h#.g.\.PO.\|...]x..Kf4..s..............+.Y.....@.K....zI..X......6e?[..u.g"{..h.vKbM<.?i6{%.q)i...v..<P8P3.......CW.fwd...{:@h...;........5..@.C.j.....a.. U.5...].$.L..wW....z...v.......".M.?c.......o..}.a.9..A..%V..o.d....'..\|m.WC.....\|.....e.[W.p.8...rm....^..x'......5!...\|......z..#......X_..Gl..c..R..`...*.s-1f..]x......f...g...k........g....... ).3.B..{"4...!r....v+As...Zn.]K{.8[..M.r.Y..........+%...]...J}f]~}_..K....;.Z.[..V.&..g...>...{F..{I..@~.^.\|P..G.R>....U..../HY...(.z.<.~.9OW.Sxo.Y

C:\Users\user\AppData\Local\Temp\acrocef_low\797dc53c-8d9d-46f6-9c98-0ca46989d0d3.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
Category:	dropped
Size (bytes):	758601
Entropy (8bit):	7.98639316555857
Encrypted:	false
SSDEEP:	12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
MD5:	3A49135134665364308390AC398006F1
SHA1:	28EF4CE5690BF8A9E048AF7D30688120DAC6F126
SHA-256:	D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
SHA-512:	BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
Malicious:	false
Preview:	...........kWT..0...W`.........b..@..nn........5.._..I.R3I..9g.x....s.\+.J......F...P......V]u......t....jK...C.fD..]..K....;......y._.U..}......S.........7...Q.............W.D..S.....y......%..=.....e..^.RG......L..].T.9.y.zqm.Q]..y..(......Q]..~~..}..q...@.T..xI.B.L.a.6...{..W..}.mK?u...5.#.{...n...........z....m^.6!.`.....u...eFa........N....o..hA-..s.N..B.q..{..z.{=..va4_`5Z........3.uG.n...+...t...z.M."2..x.-...DF..VtK.....o]b.Fp.>........c....,..t..an[............5.1.(}..q.q......K3.....[>..;e..f.Y.........mV.cL...]eF..7.e.<.._.o\.S..Z...`..}......>@......\|.......ox.........h.......o....-Yj=.s.g.Cc\.i..\..A.B>.X..8`...P......[..O...-.g...r..u\...k..7..#E....N}...8.....(..0....w....j.......>.L....H.....y.x3...[>..t......0..z.qw..]X..i8..w.b..?0.wp..XH.A.[.....S..g.g..I.A.15.0?._n.Q.]..r8.....l..18...(.].m...!\|G.1...... .3.`./....`~......G.............\|..pS.e.C....:o.u_..oi.:..\|....joi...eM.m.K...2%...Z..j...VUh..9.}.....

C:\Users\user\AppData\Local\Temp\acrocef_low\b0e76b93-9665-458d-a905-3c9f3551596b.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
Category:	dropped
Size (bytes):	1419751
Entropy (8bit):	7.976496077007677
Encrypted:	false
SSDEEP:	24576:/rwYIGNP4mOWL07oBGZ1dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:TwZG6bWLxBGZN3mlind9i4ufFXpAXkru
MD5:	95F182500FC92778102336D2D5AADCC8
SHA1:	BEC510B6B3D595833AF46B04C5843B95D2A0A6C9
SHA-256:	9F9C041D7EE1DA404E53022D475B9E6D5924A17C08D5FDEC58C0A1DCDCC4D4C9
SHA-512:	D7C022459486D124CC6CDACEAD8D46E16EDC472F4780A27C29D98B35AD01A9BA95F62155433264CC12C32BFF384C7ECAFCE0AC45853326CBC622AE65EE0D90BA
Malicious:	false
Preview:	...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E\|.P..$ni.{.....T.^~<m-..J....RQk....f.....q.......V.rC.M.b.DiL\.....wq....$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..DT...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.........R.....j.WD).M..9.Fw...W.-a..z.l\..u.^....L..^.`.T...l.^.B.DMc.d....i...o.\|M.uF\|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,.e....5...X.}6.P....y\.s\|..Si..BB..y...~.....D^g...7'T-.5.!K.$\...2.

C:\Users\user\AppData\Local\Temp\pdf.msi

Download File

Process:	C:\Users\user\Desktop\0438.pdf.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: LiteManager - Server 5.0 installation package, Comments: This installer contains the logic and data to install LiteManager Pro - Server 5.0, Keywords: Installer,MSI,Database, Subject: LiteManager Pro - Server, Author: LiteManagerTeam, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2015 - Premier Edition with Virtualization Pack 22, Last Saved Time/Date: Thu Aug 22 15:43:08 2024, Create Time/Date: Thu Aug 22 15:43:08 2024, Last Printed: Thu Aug 22 15:43:08 2024, Revision Number: {9EF586E9-112B-4AAE-B439-5B62B7A0B1DE}, Code page: 0, Template: Intel;0,1033,1049
Category:	dropped
Size (bytes):	11554816
Entropy (8bit):	7.9382387394429115
Encrypted:	false
SSDEEP:	196608:9Jg0ovdgTGOk/J1yr/A9ODMlWyFISx8/191nYHiT88o8En03yEoH8WkJDFa:bAJoLA9OIlWy58/19J+iYNPEoHg0
MD5:	0C88F651EEA7EBD95DF08F6A492FCB38
SHA1:	93E622BB18056BB61DD11805D91AB1F9267CBD67
SHA-256:	A1FAAE4E2B695C7DF3846179192F4E67BD8DD05E7E5C6D0B4B72DB175F629076
SHA-512:	41F69CFCDA6EBB6DD6984D21B19E952BA25C78404B138FF25A8E16283D9080B5E2A85AF4973EC25A4F45F8D402163CCE96906F06F3FBA2068571F1F1ACBEA86C
Malicious:	false
Preview:	......................>...................................8........6..................}.................................................................................................................................................................................................................................................... ... ...!...!..."..."...#...#...$...$...%...%...&...&...'...'...(...(...)...).........+...+...,...,...-...-.........../.../...0...0...1...1...2...2...3...3...4...4...5...5...6..........<................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...@...M...:...;...=...........?...N...A...B...C...D...E...F...G...H...I...J...O...L...N...D.......P...Q...R...S...T...Z...V...W...X...Y....X..[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\915DEAC5D1E15E49646B8A94E04E470958C9BB89.crl

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	98682
Entropy (8bit):	6.445287254681573
Encrypted:	false
SSDEEP:	1536:0tlkIi4M2MXZcFVZNt0zfIagnbSLDII+D61S8:03kf4MlpyZN+gbE8pD61L
MD5:	7113425405A05E110DC458BBF93F608A
SHA1:	88123C4AD0C5E5AFB0A3D4E9A43EAFDF7C4EBAAF
SHA-256:	7E5C3C23B9F730818CDC71D7A2EA01FE57F03C03118D477ADB18FA6A8DBDBC46
SHA-512:	6AFE246B0B5CD5DE74F60A19E31822F83CCA274A61545546BDA90DDE97C84C163CB1D4277D0F4E0F70F1E4DE4B76D1DEB22992E44030E28EB9E56A7EA2AB5E8D
Malicious:	false
Preview:	0...u0...\...0....H........0i1.0...U....US1.0...U....DigiCert, Inc.1A0?..U...8DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1..240807121815Z..240814121815Z0..~.0!.......0.E....[0...210531000001Z0!...7g...(..^`.x.l...210531000001Z0!...\./M.8..>.f.....210531000001Z0!...B.Sh...f...s.0..210531000001Z0!..../n...h..7....>..210601000001Z0!....0..>5..aN.u{D..210601000001Z0!...-...qpWa.!n.....210601000001Z0!..."f...\..N.....X..210601000001Z0!...in.H...[u...]....210602000001Z0!......`......._.]...210602000001Z0!...{..e..i......=..210602000001Z0!......S....fNj'.wy..210602000001Z0!......C.lm..B.*.....210602000001Z0!... .}...\|.,dk...+..210603000001Z0!...U.K....o.".Rj..210603000001Z0!.....A...K.ZpK..'h..210603000001Z0!.....&}{ ......l..210603000001Z0!...:.m...I.p.;..v..210604000001Z0!...1"uw3..Gou.qg.q..210607000001Z0!...1.o}...c/...-R}..210608000001Z0!................210608000001Z0!...[.N.d............210609000001Z0!......x..i........210610000001Z0!...(... (..#.^.f...210

C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\DF22CF8B8C3B46C10D3D5C407561EABEB57F8181.crl

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	737
Entropy (8bit):	7.501268097735403
Encrypted:	false
SSDEEP:	12:yeRLaWQMnFQlRKfdFfBy6T6FYoX0fH8PkwWWOxPLA3jw/fQMlNdP8LOUa:y2GWnSKfdtw46FYfP1icPLHCfa
MD5:	5274D23C3AB7C3D5A4F3F86D4249A545
SHA1:	8A3778F5083169B281B610F2036E79AEA3020192
SHA-256:	8FEF0EEC745051335467846C2F3059BD450048E744D83EBE6B7FD7179A5E5F97
SHA-512:	FC3E30422A35A78C93EDB2DAD6FAF02058FC37099E9CACD639A079DF70E650FEC635CF7592FFB069F23E90B47B0D7CF3518166848494A35AF1E10B50BB177574
Malicious:	false
Preview:	0...0.....0....H........0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G4..240806194648Z..240827194648Z.00.0...U.#..0.......q]dL..g?....O0...U........0....H.............vz..@.Nm...6d...t;.Jx?....6...p...#.[.......o.q...;.........?......o...^p0R.......~....)....i.n;A.n.z..O~..%=..s..W.4.+........G...*..=....xen$_i"s..\...L..4../<.4...G.....L...c..k@.J.rC.4h.c.ck./.Q-r53..a#.8#......0.n......a.-'..S. .>..xAKo.k.....;.D>....sb '<..-o.KE...X!i.].c.....o~.q........D...`....N... W:{.3......a@....i....#./..eQ...e.......W.s..V:.38..U.H{.>.....#....?{.....bYAk'b0on..Gb..-..).."q2GO<S.C...FsY!D....x..]4.....X....Y...Rj.....I.96$.4ZQ&..$,hC..H.%..hE....

C:\Windows\Installer\5141a2.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: LiteManager - Server 5.0 installation package, Comments: This installer contains the logic and data to install LiteManager Pro - Server 5.0, Keywords: Installer,MSI,Database, Subject: LiteManager Pro - Server, Author: LiteManagerTeam, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2015 - Premier Edition with Virtualization Pack 22, Last Saved Time/Date: Thu Aug 22 15:43:08 2024, Create Time/Date: Thu Aug 22 15:43:08 2024, Last Printed: Thu Aug 22 15:43:08 2024, Revision Number: {9EF586E9-112B-4AAE-B439-5B62B7A0B1DE}, Code page: 0, Template: Intel;0,1033,1049
Category:	dropped
Size (bytes):	11554816
Entropy (8bit):	7.9382387394429115
Encrypted:	false
SSDEEP:	196608:9Jg0ovdgTGOk/J1yr/A9ODMlWyFISx8/191nYHiT88o8En03yEoH8WkJDFa:bAJoLA9OIlWy58/19J+iYNPEoHg0
MD5:	0C88F651EEA7EBD95DF08F6A492FCB38
SHA1:	93E622BB18056BB61DD11805D91AB1F9267CBD67
SHA-256:	A1FAAE4E2B695C7DF3846179192F4E67BD8DD05E7E5C6D0B4B72DB175F629076
SHA-512:	41F69CFCDA6EBB6DD6984D21B19E952BA25C78404B138FF25A8E16283D9080B5E2A85AF4973EC25A4F45F8D402163CCE96906F06F3FBA2068571F1F1ACBEA86C
Malicious:	false
Preview:	......................>...................................8........6..................}.................................................................................................................................................................................................................................................... ... ...!...!..."..."...#...#...$...$...%...%...&...&...'...'...(...(...)...).........+...+...,...,...-...-.........../.../...0...0...1...1...2...2...3...3...4...4...5...5...6..........<................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...@...M...:...;...=...........?...N...A...B...C...D...E...F...G...H...I...J...O...L...N...D.......P...Q...R...S...T...Z...V...W...X...Y....X..[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\5141a5.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: LiteManager - Server 5.0 installation package, Comments: This installer contains the logic and data to install LiteManager Pro - Server 5.0, Keywords: Installer,MSI,Database, Subject: LiteManager Pro - Server, Author: LiteManagerTeam, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2015 - Premier Edition with Virtualization Pack 22, Last Saved Time/Date: Thu Aug 22 15:43:08 2024, Create Time/Date: Thu Aug 22 15:43:08 2024, Last Printed: Thu Aug 22 15:43:08 2024, Revision Number: {9EF586E9-112B-4AAE-B439-5B62B7A0B1DE}, Code page: 0, Template: Intel;0,1033,1049
Category:	dropped
Size (bytes):	11554816
Entropy (8bit):	7.9382387394429115
Encrypted:	false
SSDEEP:	196608:9Jg0ovdgTGOk/J1yr/A9ODMlWyFISx8/191nYHiT88o8En03yEoH8WkJDFa:bAJoLA9OIlWy58/19J+iYNPEoHg0
MD5:	0C88F651EEA7EBD95DF08F6A492FCB38
SHA1:	93E622BB18056BB61DD11805D91AB1F9267CBD67
SHA-256:	A1FAAE4E2B695C7DF3846179192F4E67BD8DD05E7E5C6D0B4B72DB175F629076
SHA-512:	41F69CFCDA6EBB6DD6984D21B19E952BA25C78404B138FF25A8E16283D9080B5E2A85AF4973EC25A4F45F8D402163CCE96906F06F3FBA2068571F1F1ACBEA86C
Malicious:	false
Preview:	......................>...................................8........6..................}.................................................................................................................................................................................................................................................... ... ...!...!..."..."...#...#...$...$...%...%...&...&...'...'...(...(...)...).........+...+...,...,...-...-.........../.../...0...0...1...1...2...2...3...3...4...4...5...5...6..........<................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...@...M...:...;...=...........?...N...A...B...C...D...E...F...G...H...I...J...O...L...N...D.......P...Q...R...S...T...Z...V...W...X...Y....X..[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\MSI46B3.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	294216
Entropy (8bit):	4.850874479817921
Encrypted:	false
SSDEEP:	3072:yAoy2KjcC2jcmFDX/vjcJGUjcmFDX/rjcmFDX/dZ+oNbynfm:yAoy25DXmNDXLDXX+oNbynfm
MD5:	76A016F2C6F54EA70B2F4C87818724B4
SHA1:	4BE9E65E3A531C529230DECB412AD48E1060F842
SHA-256:	7F0F87F31BFE161CCB0C3654E6D98FE6C790E96879DD4558F142F2D4DE154979
SHA-512:	4A626D65D4D74EEAC60E5FA886C484797B7EB39ECF9D8106E4BB7FD487B53BA7B1E26BB38702623D75576FC00F4BDE3C1C19E8972886104FFB36478290BE2359
Malicious:	false
Preview:	...@IXOS.@.....@:E\Y.@.....@.....@.....@.....@.....@......&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}..LiteManager Pro - Server..pdf.msi.@.....@.....@.....@......ARPPRODUCTICON.exe..&.{9EF586E9-112B-4AAE-B439-5B62B7A0B1DE}.....@.....@.....@.....@.......@.....@.....@.......@......LiteManager Pro - Server......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{3244CDE6-6414-4399-B0D5-424562747210}0.C:\Program Files (x86)\LiteManager Pro - Server\.@.......@.....@.....@......&.{4D4D18AA-F74D-4291-B5A9-93C3CC48B75F}5.C:\Program Files (x86)\LiteManager Pro - Server\Lang\.@.......@.....@.....@......&.{641F154A-FEEF-4FA7-B5BF-414DB1DB8390}C.C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe.@.......@.....@.....@......&.{26EAB54E-4659-47E8-86F9-4CB74F7E03BE}0.C:\Program Files (x86)\LiteManager Pro - Server\.@.......@.....@.....@......&.{596F4636-5D51-49

C:\Windows\Installer\SourceHash{71FFA475-24D5-44FB-A51F-39B699E3D82C}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.1622461780365712
Encrypted:	false
SSDEEP:	12:JSbX72Fj6eAGiLIlHVRpqh/7777777777777777777777777vDHFGpZl0i8Q:JfQI56dF
MD5:	B8C231DAE3C1425390652975B255320A
SHA1:	64F075E2C45AE33542D8832C59E4E263E59C213D
SHA-256:	77B1314CA82B2B5DB43FCC2EC067A315F8E6B3BD36B89071F02B165D97F46969
SHA-512:	03CAAC1B84335DAD00C9C76C2C20636696E595B874DF0EC2CC3C7CB861953F3DB304CA9EE8378789E825516736912D01C8C0BB325EAE5ECDD429CE18AD50F703
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.7846940447898487
Encrypted:	false
SSDEEP:	48:oV8Ph+uRc06WXJMjT53X9gBd9mSvOd5YpRXd5YNd5YGd5YMd5YP6Ad5Y1o9ISB22:/h+1vjTEB+m0WlfPuPqC0WlfIF/
MD5:	CA4859F4EC68FE57D7033C82A852BE54
SHA1:	06F015F8E84A24EC929E526BED16A18C36AFAFA1
SHA-256:	B678F28A277B9D36938BCF9BCB9421143DF494D5AB262B34EDD5DD24CF984FEF
SHA-512:	4BED66AA13BEEFCF779805D2F22F5C85B4DCDCC75A4615F4E4F52C76ED7ADCCCCFDDA83C034333ADF353B255E34FB97C081409F1286B39A32EAF2FD5677C88C5
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ARPPRODUCTICON.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	53248
Entropy (8bit):	4.351781833522881
Encrypted:	false
SSDEEP:	384:AvFMAyDNOdTdFCxfrwntajXjDWLi9Y+C5vy/Q1nDcZUNeLNek+vDFNe+TNy:+MAyYdTmPJbgqcnDcCNy
MD5:	CA680899D9330BEB85E6351E6DC0D27B
SHA1:	41E89E582F58FB2A4ED06FA3BF796A1DAAC5CB6C
SHA-256:	EAB5DC45781E92CD5CF953016757B1E6F2ED7A0B5A97CC0945B19A8FBC1A85F2
SHA-512:	3817BD6EC345F96631E6CBF6C8DD384ACB17D912B1EC69D959F3AA15C05226D5FE3B5E9807D42D0E63589AABCEADFBE8BD5F293D8069DF689D12498E05842286
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............C...C...C...C...CD..C...C...C...C=..C...C...C...C...C...CRich...C........................PE..L...J&uU.................@...................P....@.........................................................................4T..(........0...........................................................................P...............................text....5.......@.................. ..`.rdata.......P.......P..............@..@.data....)...`...0...`..............@....rsrc....0.......@..................@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ROMServer.exe_9D09B2BC25A2414CBD848E2B75898676.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	57344
Entropy (8bit):	4.774504587732323
Encrypted:	false
SSDEEP:	768:SMAyYdTmPJbgqcnDcZTw0gpEeO4tZZz+0pQTk/N0:S1U81cmpjDX/N0
MD5:	5EBCB54B76FBE24FFF9D3BD74E274234
SHA1:	6CD72F044F36B7A3A79B7D77AAE59F274A66CE95
SHA-256:	504AEB909BBA186D4298AA97DCD6A09CCDD42217AF1F6210BC5EBD23B3DFCCBF
SHA-512:	5FF61D724B77B6EDC67D33B0F1EE1C3CB01F2A03251D0BE83FF10A80A99DBA08E3A0E0F985DEED6358E467B2E9B6A837E894513D1B5E68AF253C0BBDD68539D0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............C...C...C...C...CD..C...C...C...C=..C...C...C...C...C...CRich...C........................PE..L...J&uU.................@...................P....@.........................................................................4T..(.......xC...........................................................................P...............................text....5.......@.................. ..`.rdata.......P.......P..............@..@.data....)...`...0...`..............@....rsrc...xC.......P..................@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\UNINST_Uninstall_L_78AA5B6662514D94A847D6C603AF0895.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	4.31126714354722
Encrypted:	false
SSDEEP:	384:EvFMAyDNOdTdFCxfrwntajXjDWLi9Y+C5vy/Q1nDcZMwQE3vGYksuektm6yysZc8:SMAyYdTmPJbgqcnDcmwQE/RkHRRNS
MD5:	6A4AFFF2CD33613166B37A0DAB99BD41
SHA1:	FBC0F1696213B459D099A5809D79CFC01253880F
SHA-256:	53C1AE4962663E82D3AAC7C4A6CBE3D53E05D6948ADAE6391A2748396ACF98FE
SHA-512:	7B61D32E4AD38BC21E86559BFFA49A334CCB6184E595CB43F2D60A2A77C86B31D07B1A9D1F8FBE69E9AAD7E096952D765404BEBC494E73BD992642EB6B82E3A7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............C...C...C...C...CD..C...C...C...C=..C...C...C...C...C...CRich...C........................PE..L...J&uU.................@...p...............P....@.........................................................................4T..(........+...........................................................................P...............................text....5.......@.................. ..`.rdata.......P.......P..............@..@.data....)...`...0...`..............@....rsrc....+.......0..................@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\config_server_B6BD2967C67B44649764F06ADFFD6458.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	57344
Entropy (8bit):	4.774504587732323
Encrypted:	false
SSDEEP:	768:SMAyYdTmPJbgqcnDcZTw0gpEeO4tZZz+0pQTk/N0:S1U81cmpjDX/N0
MD5:	5EBCB54B76FBE24FFF9D3BD74E274234
SHA1:	6CD72F044F36B7A3A79B7D77AAE59F274A66CE95
SHA-256:	504AEB909BBA186D4298AA97DCD6A09CCDD42217AF1F6210BC5EBD23B3DFCCBF
SHA-512:	5FF61D724B77B6EDC67D33B0F1EE1C3CB01F2A03251D0BE83FF10A80A99DBA08E3A0E0F985DEED6358E467B2E9B6A837E894513D1B5E68AF253C0BBDD68539D0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............C...C...C...C...CD..C...C...C...C=..C...C...C...C...C...CRich...C........................PE..L...J&uU.................@...................P....@.........................................................................4T..(.......xC...........................................................................P...............................text....5.......@.................. ..`.rdata.......P.......P..............@..@.data....)...`...0...`..............@....rsrc...xC.......P..................@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\stop_server_51B516B87C64408FA3C56354EA2277C2.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	57344
Entropy (8bit):	4.774504587732323
Encrypted:	false
SSDEEP:	768:SMAyYdTmPJbgqcnDcZTw0gpEeO4tZZz+0pQTk/N0:S1U81cmpjDX/N0
MD5:	5EBCB54B76FBE24FFF9D3BD74E274234
SHA1:	6CD72F044F36B7A3A79B7D77AAE59F274A66CE95
SHA-256:	504AEB909BBA186D4298AA97DCD6A09CCDD42217AF1F6210BC5EBD23B3DFCCBF
SHA-512:	5FF61D724B77B6EDC67D33B0F1EE1C3CB01F2A03251D0BE83FF10A80A99DBA08E3A0E0F985DEED6358E467B2E9B6A837E894513D1B5E68AF253C0BBDD68539D0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............C...C...C...C...CD..C...C...C...C=..C...C...C...C...C...CRich...C........................PE..L...J&uU.................@...................P....@.........................................................................4T..(.......xC...........................................................................P...............................text....5.......@.................. ..`.rdata.......P.......P..............@..@.data....)...`...0...`..............@....rsrc...xC.......P..................@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	432221
Entropy (8bit):	5.375180556756989
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgauy:zTtbmkExhMJCIpErr
MD5:	F7B47ED5B5A89CFF3162788AA8D26966
SHA1:	740FD8B56196C652A4C6BC7D8637AC65A548698A
SHA-256:	51E46FC7FAC5D8BDBD925D59B4E0174AF8F2404444F44823EEE8D5C03DD0298B
SHA-512:	EB68DEE35A259777397651147B04DD361942B78D949C9DF0CB671086C0B894F909A8F00CBF8C0887126E66E4C69ABC18DD18C964B593C1A51BA94C40442EC337
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\Temp\~DF002653AB16852DA4.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF10A3046CAD937956.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.4141545401105469
Encrypted:	false
SSDEEP:	48:SlWuDI+CFXJnT55qQX9gBd9mSvOd5YpRXd5YNd5YGd5YMd5YP6Ad5Y1o9ISB29l2:eWl/T3MB+m0WlfPuPqC0WlfIF/
MD5:	354BDF18CA8D055AEF723CC6ED7EA742
SHA1:	9EEF86B1939DEE60F6F6F013EB1172CDCC32ED30
SHA-256:	2E4A59658A25FD45D6BB3E53577577900552EE2E4136F514FCF2450B101C77A9
SHA-512:	9E6EFD34AFFBF6DE452534237B6A444FD6AD943E536383CB2733A38A643442F3AB443A800F6753F0258539590048A2FAC5F3A324647490989AF1FA234BDC0381
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF59AC83B68DF38478.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF5C463A8EEE0219F7.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.4141545401105469
Encrypted:	false
SSDEEP:	48:SlWuDI+CFXJnT55qQX9gBd9mSvOd5YpRXd5YNd5YGd5YMd5YP6Ad5Y1o9ISB29l2:eWl/T3MB+m0WlfPuPqC0WlfIF/
MD5:	354BDF18CA8D055AEF723CC6ED7EA742
SHA1:	9EEF86B1939DEE60F6F6F013EB1172CDCC32ED30
SHA-256:	2E4A59658A25FD45D6BB3E53577577900552EE2E4136F514FCF2450B101C77A9
SHA-512:	9E6EFD34AFFBF6DE452534237B6A444FD6AD943E536383CB2733A38A643442F3AB443A800F6753F0258539590048A2FAC5F3A324647490989AF1FA234BDC0381
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF5EA766661F889766.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF8DBBE726ED9D372F.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFC4C39A2E036B89CE.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFC5FC10B570FAF6E4.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.06823846717123914
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKOYYbmc6Vky6lZ:2F0i8n0itFzDHFTZ
MD5:	43121AF9C0468049B811D5DE9EE986C6
SHA1:	3D65F87A3C467D0DE2BF8F07A60621B947A9CE4C
SHA-256:	592C5B6D2ADD44B5EFCE1D5A353279925147188A1C15B56B1189E89FE97374E0
SHA-512:	0B09D5648F1374083996F24FF71AE87B22F152D907C91B84567CA27B985F05C447AF27527A3E760F44817300DB8680F73F5D86A36B9DC157AA3E6C5BB6BC6831
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFD638D28FFD522993.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.22085979916430115
Encrypted:	false
SSDEEP:	48:PHwmFSB29lOd5YpRXd5YNd5YGd5YMd5Yu9mSvOd5YpRXd5YNd5YGd5YMd5YP6Adu:PH5FqC0WlfVm0WlfPu4B
MD5:	0257BC64C1D8894C45B02617960A5299
SHA1:	2AAD9C93AF67112974E179B26DB9148FA1BF8C8D
SHA-256:	DA121E441DC8C2F3FBD07C7665317337619E4FA6F4C8FFE3D9AB519695FC4C45
SHA-512:	BCB67D0426954AD2CC9E66979B7CC5F515F5BBC43EE3EFF5496569162496BAF87DDA25E5DFD24EFFA2313E84928626E7C546F2CF48E2340310AFDB4FB1D3D6AE
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFE1A915BFE0900EA5.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.4141545401105469
Encrypted:	false
SSDEEP:	48:SlWuDI+CFXJnT55qQX9gBd9mSvOd5YpRXd5YNd5YGd5YMd5YP6Ad5Y1o9ISB29l2:eWl/T3MB+m0WlfPuPqC0WlfIF/
MD5:	354BDF18CA8D055AEF723CC6ED7EA742
SHA1:	9EEF86B1939DEE60F6F6F013EB1172CDCC32ED30
SHA-256:	2E4A59658A25FD45D6BB3E53577577900552EE2E4136F514FCF2450B101C77A9
SHA-512:	9E6EFD34AFFBF6DE452534237B6A444FD6AD943E536383CB2733A38A643442F3AB443A800F6753F0258539590048A2FAC5F3A324647490989AF1FA234BDC0381
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFEF4855E327D2B6F2.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.7846940447898487
Encrypted:	false
SSDEEP:	48:oV8Ph+uRc06WXJMjT53X9gBd9mSvOd5YpRXd5YNd5YGd5YMd5YP6Ad5Y1o9ISB22:/h+1vjTEB+m0WlfPuPqC0WlfIF/
MD5:	CA4859F4EC68FE57D7033C82A852BE54
SHA1:	06F015F8E84A24EC929E526BED16A18C36AFAFA1
SHA-256:	B678F28A277B9D36938BCF9BCB9421143DF494D5AB262B34EDD5DD24CF984FEF
SHA-512:	4BED66AA13BEEFCF779805D2F22F5C85B4DCDCC75A4615F4E4F52C76ED7ADCCCCFDDA83C034333ADF353B255E34FB97C081409F1286B39A32EAF2FD5677C88C5
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFF94390AD8DFAD0F6.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.7846940447898487
Encrypted:	false
SSDEEP:	48:oV8Ph+uRc06WXJMjT53X9gBd9mSvOd5YpRXd5YNd5YGd5YMd5YP6Ad5Y1o9ISB22:/h+1vjTEB+m0WlfPuPqC0WlfIF/
MD5:	CA4859F4EC68FE57D7033C82A852BE54
SHA1:	06F015F8E84A24EC929E526BED16A18C36AFAFA1
SHA-256:	B678F28A277B9D36938BCF9BCB9421143DF494D5AB262B34EDD5DD24CF984FEF
SHA-512:	4BED66AA13BEEFCF779805D2F22F5C85B4DCDCC75A4615F4E4F52C76ED7ADCCCCFDDA83C034333ADF353B255E34FB97C081409F1286B39A32EAF2FD5677C88C5
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.9367051756500695
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	0438.pdf.exe
File size:	11'654'747 bytes
MD5:	2d11dba46735af1cb1c0a42e9564e20d
SHA1:	b2e17960c6d080f7aba7df87f57c08b4bc2e7051
SHA256:	e19477a56b247e6cc435fee367abcf6e0c3db21de91ae2514b4a6b1807233c53
SHA512:	f053c18333c256c87492e7e74832f2ba695c1633cc80d59e4d426eda82d27d7402a22803e439bb2453f4fa12f00697de355edd61c300b7624c66723d7e54dad0
SSDEEP:	196608:tqwvI8YbsGBCEfbi57P6mCRTMFCxZ9zzvHLbax3QS+hbEPjwDhZzczDlUxMUd:ZIRwGjfbi5DCRoOPzzvfaEAPgOHm5d
TLSH:	42C6331BFF5D04EAF1AF99F899415022D7B57CC51720868F23B43E4AED736A1AA35302
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$.2.`.\.`.\.`.\..y..h.\..y....\..y..m.\.....b.\...X.r.\..._.j.\...Y.Y.\.i...i.\.i...b.\.i...g.\.`.].C.\...Y.R.\...\.a.\.....a.\

File Icon


Icon Hash:	3570b080889388e1

Static PE Info

General

Entrypoint:	0x140032ee0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x66409723 [Sun May 12 10:17:07 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	b1c5b1beabd90d9fdabd1df0779ea832

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FDB104E78F8h
dec eax
add esp, 28h
jmp 00007FDB104E728Fh
int3
int3
dec eax
mov eax, esp
dec eax
mov dword ptr [eax+08h], ebx
dec eax
mov dword ptr [eax+10h], ebp
dec eax
mov dword ptr [eax+18h], esi
dec eax
mov dword ptr [eax+20h], edi
inc ecx
push esi
dec eax
sub esp, 20h
dec ebp
mov edx, dword ptr [ecx+38h]
dec eax
mov esi, edx
dec ebp
mov esi, eax
dec eax
mov ebp, ecx
dec ecx
mov edx, ecx
dec eax
mov ecx, esi
dec ecx
mov edi, ecx
inc ecx
mov ebx, dword ptr [edx]
dec eax
shl ebx, 04h
dec ecx
add ebx, edx
dec esp
lea eax, dword ptr [ebx+04h]
call 00007FDB104E6713h
mov eax, dword ptr [ebp+04h]
and al, 66h
neg al
mov eax, 00000001h
sbb edx, edx
neg edx
add edx, eax
test dword ptr [ebx+04h], edx
je 00007FDB104E7423h
dec esp
mov ecx, edi
dec ebp
mov eax, esi
dec eax
mov edx, esi
dec eax
mov ecx, ebp
call 00007FDB104E9437h
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov ebp, dword ptr [esp+38h]
dec eax
mov esi, dword ptr [esp+40h]
dec eax
mov edi, dword ptr [esp+48h]
dec eax
add esp, 20h
inc ecx
pop esi
ret
int3
int3
int3
dec eax
sub esp, 48h
dec eax
lea ecx, dword ptr [esp+20h]
call 00007FDB104D5CA3h
dec eax
lea edx, dword ptr [00025747h]
dec eax
lea ecx, dword ptr [esp+20h]
call 00007FDB104E84F2h
int3
jmp 00007FDB104EE6D4h
int3
int3
int3
int3
int3
int3

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x597a0	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x597d4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x70000	0x5f334	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x6a000	0x306c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd0000	0x970	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x536c0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x53780	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x4b3f0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x48000	0x508	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x588bc	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4676e	0x46800	f06bb06e02377ae8b223122e53be35c2	False	0.5372340425531915	data	6.47079645411382	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x48000	0x128c4	0x12a00	2de06d4a6920a6911e64ff20000ea72f	False	0.4499003775167785	data	5.273999097784603	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x5b000	0xe75c	0x1a00	0dbdb901a7d477980097e42e511a94fb	False	0.28275240384615385	data	3.2571023907881185	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x6a000	0x306c	0x3200	b0ce0f057741ad2a4ef4717079fa34e9	False	0.483359375	data	5.501810413666288	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat	0x6e000	0x360	0x400	1fcc7b1d7a02443319f8fcc2be4ca936	False	0.2578125	data	3.0459938492946015	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
_RDATA	0x6f000	0x15c	0x200	3f331ec50f09ba861beaf955b33712d5	False	0.408203125	data	3.3356393424384843	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x70000	0x5f334	0x5f400	ac83509a9abddcfebcee4527be350f1a	False	0.06483503526902887	data	2.1781366278912278	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd0000	0x970	0xa00	77a9ddfc47a5650d6eebbcc823e39532	False	0.52421875	data	5.336289720085303	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x70644	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States	1.0027729636048528
PNG	0x7118c	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States	0.9363390441839495
RT_ICON	0x72738	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 262144, resolution 2835 x 2835 px/m			0.023615261709619195
RT_ICON	0xb4760	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m			0.3191489361702128
RT_ICON	0xb4bc8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m			0.11867219917012448
RT_ICON	0xb7170	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m			0.17284240150093808
RT_ICON	0xb8218	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m			0.04436294806577547
RT_ICON	0xc8a40	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m			0.08644307982994803
RT_DIALOG	0xccc68	0x286	data	English	United States	0.5092879256965944
RT_DIALOG	0xccef0	0x13a	data	English	United States	0.60828025477707
RT_DIALOG	0xcd02c	0xec	data	English	United States	0.6991525423728814
RT_DIALOG	0xcd118	0x12e	data	English	United States	0.5927152317880795
RT_DIALOG	0xcd248	0x338	data	English	United States	0.45145631067961167
RT_DIALOG	0xcd580	0x252	data	English	United States	0.5757575757575758
RT_STRING	0xcd7d4	0x1e2	data	English	United States	0.3900414937759336
RT_STRING	0xcd9b8	0x1cc	data	English	United States	0.4282608695652174
RT_STRING	0xcdb84	0x1b8	data	English	United States	0.45681818181818185
RT_STRING	0xcdd3c	0x146	data	English	United States	0.5153374233128835
RT_STRING	0xcde84	0x46c	data	English	United States	0.3454063604240283
RT_STRING	0xce2f0	0x166	data	English	United States	0.49162011173184356
RT_STRING	0xce458	0x152	data	English	United States	0.5059171597633136
RT_STRING	0xce5ac	0x10a	data	English	United States	0.49624060150375937
RT_STRING	0xce6b8	0xbc	data	English	United States	0.6329787234042553
RT_STRING	0xce774	0x1c0	data	English	United States	0.5178571428571429
RT_STRING	0xce934	0x250	data	English	United States	0.44256756756756754
RT_GROUP_ICON	0xceb84	0x5a	data			0.7555555555555555
RT_MANIFEST	0xcebe0	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.39786666666666665

Imports

DLL	Import
KERNEL32.dll	LocalFree, GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, GetCurrentProcessId, CreateDirectoryW, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetModuleFileNameW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExpandEnvironmentStringsW, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, GlobalMemoryStatusEx, LoadResource, SizeofResource, GetTimeFormatW, GetDateFormatW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindNextFileA, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, InitializeCriticalSectionAndSpinCount, WaitForSingleObjectEx, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlPcToFileHeader, RtlUnwindEx, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, GetStringTypeW, HeapReAlloc, LCMapStringW, FindFirstFileExA
OLEAUT32.dll	SysAllocString, SysFreeString, VariantClear
gdiplus.dll	GdipCloneImage, GdipFree, GdipDisposeImage, GdipCreateBitmapFromStream, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipAlloc

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 28, 2024 13:43:02.892199993 CET	49871	5651	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:02.897785902 CET	5651	49871	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:02.897866011 CET	49871	5651	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:02.907253027 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:02.912683964 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:02.912760019 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:02.923137903 CET	49873	80	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:02.928739071 CET	80	49873	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:02.928817987 CET	49873	80	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:02.939030886 CET	49874	465	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:02.944648027 CET	465	49874	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:02.944725037 CET	49874	465	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:02.958770990 CET	49875	80	192.168.2.4	65.21.245.7
Oct 28, 2024 13:43:02.967008114 CET	80	49875	65.21.245.7	192.168.2.4
Oct 28, 2024 13:43:02.967078924 CET	49875	80	192.168.2.4	65.21.245.7
Oct 28, 2024 13:43:03.001534939 CET	49876	5555	192.168.2.4	65.21.245.7
Oct 28, 2024 13:43:03.007056952 CET	5555	49876	65.21.245.7	192.168.2.4
Oct 28, 2024 13:43:03.007133007 CET	49876	5555	192.168.2.4	65.21.245.7
Oct 28, 2024 13:43:03.031779051 CET	49871	5651	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:03.031779051 CET	49871	5651	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:03.039402008 CET	5651	49871	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:03.039419889 CET	5651	49871	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:03.045706987 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:03.045742035 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:03.053215981 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:03.053231955 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:03.061367989 CET	49873	80	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:03.061419964 CET	49873	80	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:03.066819906 CET	80	49873	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:03.066837072 CET	80	49873	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:03.076911926 CET	49874	465	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:03.076944113 CET	49874	465	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:03.082385063 CET	465	49874	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:03.082402945 CET	465	49874	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:03.092282057 CET	49875	80	192.168.2.4	65.21.245.7
Oct 28, 2024 13:43:03.092322111 CET	49875	80	192.168.2.4	65.21.245.7
Oct 28, 2024 13:43:03.097739935 CET	80	49875	65.21.245.7	192.168.2.4
Oct 28, 2024 13:43:03.097768068 CET	80	49875	65.21.245.7	192.168.2.4
Oct 28, 2024 13:43:03.123579025 CET	49876	5555	192.168.2.4	65.21.245.7
Oct 28, 2024 13:43:03.123630047 CET	49876	5555	192.168.2.4	65.21.245.7
Oct 28, 2024 13:43:03.129085064 CET	5555	49876	65.21.245.7	192.168.2.4
Oct 28, 2024 13:43:03.129097939 CET	5555	49876	65.21.245.7	192.168.2.4
Oct 28, 2024 13:43:03.598997116 CET	5651	49871	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:03.599271059 CET	49871	5651	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:03.599272013 CET	49871	5651	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:03.604805946 CET	5651	49871	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:03.623183012 CET	80	49873	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:03.623838902 CET	49873	80	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:03.624069929 CET	49873	80	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:03.629524946 CET	80	49873	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:03.858572006 CET	80	49875	65.21.245.7	192.168.2.4
Oct 28, 2024 13:43:03.858771086 CET	49875	80	192.168.2.4	65.21.245.7
Oct 28, 2024 13:43:03.858829021 CET	49875	80	192.168.2.4	65.21.245.7
Oct 28, 2024 13:43:03.858829021 CET	49875	80	192.168.2.4	65.21.245.7
Oct 28, 2024 13:43:03.858829021 CET	49875	80	192.168.2.4	65.21.245.7
Oct 28, 2024 13:43:03.858861923 CET	49875	80	192.168.2.4	65.21.245.7
Oct 28, 2024 13:43:03.864520073 CET	80	49875	65.21.245.7	192.168.2.4
Oct 28, 2024 13:43:03.864533901 CET	80	49875	65.21.245.7	192.168.2.4
Oct 28, 2024 13:43:03.864566088 CET	80	49875	65.21.245.7	192.168.2.4
Oct 28, 2024 13:43:03.864578962 CET	80	49875	65.21.245.7	192.168.2.4
Oct 28, 2024 13:43:03.865679979 CET	80	49875	65.21.245.7	192.168.2.4
Oct 28, 2024 13:43:03.865742922 CET	49875	80	192.168.2.4	65.21.245.7
Oct 28, 2024 13:43:03.944004059 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:03.944142103 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:03.944142103 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:03.944190979 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:03.944344997 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:03.949676991 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:03.949721098 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:03.949743032 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:03.949755907 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:04.387063980 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:04.435858011 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:05.426808119 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:05.467067957 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:06.402539968 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:06.451430082 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:07.417779922 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:07.467062950 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:08.419399977 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:08.467050076 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:09.427175045 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:09.482680082 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:10.434030056 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:10.482705116 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:11.430047035 CET	465	49874	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:11.430143118 CET	49874	465	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:11.430237055 CET	49874	465	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:11.435683966 CET	465	49874	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:11.449872017 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:11.475837946 CET	5555	49876	65.21.245.7	192.168.2.4
Oct 28, 2024 13:43:11.477155924 CET	49876	5555	192.168.2.4	65.21.245.7
Oct 28, 2024 13:43:11.477209091 CET	49876	5555	192.168.2.4	65.21.245.7
Oct 28, 2024 13:43:11.483652115 CET	5555	49876	65.21.245.7	192.168.2.4
Oct 28, 2024 13:43:11.498408079 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:12.466692924 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:12.513927937 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:13.787404060 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:13.842056990 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:14.489007950 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:14.529556990 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:16.129427910 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:16.170284986 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:16.513534069 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:16.560888052 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:17.511451960 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:17.560812950 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:18.515419960 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:18.560837984 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:19.529264927 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:19.576443911 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:20.537806034 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:20.592092037 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:20.822309971 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:20.822487116 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:21.852066040 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:21.900517941 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:22.563579082 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:22.607697964 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:23.579389095 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:23.623368025 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:24.593749046 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:24.642623901 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:25.605489969 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:25.658346891 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:26.622419119 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:26.674024105 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:27.633970022 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:27.673999071 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:28.955413103 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:29.002151012 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:29.652100086 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:29.705271959 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:30.663033962 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:30.705147028 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:31.725622892 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:31.767752886 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:32.738567114 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:32.783412933 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:33.811862946 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:33.861413002 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:35.108922005 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:35.158387899 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:35.832853079 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:35.877005100 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:36.830401897 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:36.877090931 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:37.844845057 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:37.892746925 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:38.856595039 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:38.908298016 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:39.871014118 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:39.923912048 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:40.879487038 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:40.924056053 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:41.891376972 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:41.939584970 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:42.902249098 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:42.955162048 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:43.902328968 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:43.955153942 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:44.902637005 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:44.955142021 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:46.230385065 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:46.283277988 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:46.918623924 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:46.970814943 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:47.933109999 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:47.986438990 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:48.950627089 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:49.002079010 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:49.949815035 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:50.002038002 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:50.956368923 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:51.002054930 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:51.965483904 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:52.017764091 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:52.980241060 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:53.033430099 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:53.987030983 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:54.033458948 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:54.996140003 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:55.049024105 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:56.008806944 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:56.048918009 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:57.023207903 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:57.080182076 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:58.027380943 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:58.080192089 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:43:59.041826010 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:43:59.095933914 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:00.043157101 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:00.095808983 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:01.057730913 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:01.111454010 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:02.060014963 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:02.111679077 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:02.913391113 CET	56296	5651	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:02.919008970 CET	5651	56296	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:02.919121027 CET	56296	5651	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:02.929214954 CET	56297	80	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:02.934839964 CET	80	56297	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:02.934921980 CET	56297	80	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:02.942845106 CET	56298	465	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:02.948364973 CET	465	56298	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:02.948435068 CET	56298	465	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:02.957793951 CET	56299	80	192.168.2.4	65.21.245.7
Oct 28, 2024 13:44:02.964422941 CET	80	56299	65.21.245.7	192.168.2.4
Oct 28, 2024 13:44:02.964618921 CET	56299	80	192.168.2.4	65.21.245.7
Oct 28, 2024 13:44:02.973524094 CET	56300	5555	192.168.2.4	65.21.245.7
Oct 28, 2024 13:44:02.979072094 CET	5555	56300	65.21.245.7	192.168.2.4
Oct 28, 2024 13:44:02.979233980 CET	56300	5555	192.168.2.4	65.21.245.7
Oct 28, 2024 13:44:03.049498081 CET	56296	5651	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:03.049498081 CET	56296	5651	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:03.054987907 CET	5651	56296	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:03.055021048 CET	5651	56296	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:03.064752102 CET	56297	80	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:03.064812899 CET	56297	80	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:03.070360899 CET	80	56297	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:03.070389032 CET	80	56297	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:03.082377911 CET	56298	465	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:03.082412004 CET	56298	465	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:03.083745003 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:03.089584112 CET	465	56298	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:03.089613914 CET	465	56298	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:03.099005938 CET	56299	80	192.168.2.4	65.21.245.7
Oct 28, 2024 13:44:03.099030018 CET	56299	80	192.168.2.4	65.21.245.7
Oct 28, 2024 13:44:03.106156111 CET	80	56299	65.21.245.7	192.168.2.4
Oct 28, 2024 13:44:03.106199980 CET	80	56299	65.21.245.7	192.168.2.4
Oct 28, 2024 13:44:03.116055965 CET	56300	5555	192.168.2.4	65.21.245.7
Oct 28, 2024 13:44:03.116055965 CET	56300	5555	192.168.2.4	65.21.245.7
Oct 28, 2024 13:44:03.121609926 CET	5555	56300	65.21.245.7	192.168.2.4
Oct 28, 2024 13:44:03.121638060 CET	5555	56300	65.21.245.7	192.168.2.4
Oct 28, 2024 13:44:03.127062082 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:03.629430056 CET	5651	56296	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:03.629498959 CET	56296	5651	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:03.629581928 CET	56296	5651	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:03.635097980 CET	5651	56296	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:03.657219887 CET	80	56297	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:03.657277107 CET	56297	80	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:03.657358885 CET	56297	80	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:03.662888050 CET	80	56297	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:03.831451893 CET	80	56299	65.21.245.7	192.168.2.4
Oct 28, 2024 13:44:03.833703995 CET	56299	80	192.168.2.4	65.21.245.7
Oct 28, 2024 13:44:03.833704948 CET	56299	80	192.168.2.4	65.21.245.7
Oct 28, 2024 13:44:03.833753109 CET	56299	80	192.168.2.4	65.21.245.7
Oct 28, 2024 13:44:03.833753109 CET	56299	80	192.168.2.4	65.21.245.7
Oct 28, 2024 13:44:03.833775997 CET	56299	80	192.168.2.4	65.21.245.7
Oct 28, 2024 13:44:03.839287996 CET	80	56299	65.21.245.7	192.168.2.4
Oct 28, 2024 13:44:03.839342117 CET	80	56299	65.21.245.7	192.168.2.4
Oct 28, 2024 13:44:03.839356899 CET	80	56299	65.21.245.7	192.168.2.4
Oct 28, 2024 13:44:03.839370012 CET	80	56299	65.21.245.7	192.168.2.4
Oct 28, 2024 13:44:03.839752913 CET	80	56299	65.21.245.7	192.168.2.4
Oct 28, 2024 13:44:03.840037107 CET	56299	80	192.168.2.4	65.21.245.7
Oct 28, 2024 13:44:04.090467930 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:04.142699957 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:05.136392117 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:05.189577103 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:06.137284040 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:06.190021992 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:07.151722908 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:07.205188036 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:08.209809065 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:08.252077103 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:09.249839067 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:09.299041986 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:10.261694908 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:10.314657927 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:11.278834105 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:11.330384970 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:11.441320896 CET	465	56298	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:11.441423893 CET	56298	465	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:11.441642046 CET	56298	465	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:11.447130919 CET	465	56298	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:11.470680952 CET	5555	56300	65.21.245.7	192.168.2.4
Oct 28, 2024 13:44:11.470752954 CET	56300	5555	192.168.2.4	65.21.245.7
Oct 28, 2024 13:44:11.471240997 CET	56300	5555	192.168.2.4	65.21.245.7
Oct 28, 2024 13:44:11.477570057 CET	5555	56300	65.21.245.7	192.168.2.4
Oct 28, 2024 13:44:12.277056932 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:12.330329895 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:13.294754982 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:13.345973015 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:14.621598959 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:14.673988104 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:15.328911066 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:15.377253056 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:16.339093924 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:16.392909050 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:17.339431047 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:17.392925024 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:18.374725103 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:18.423978090 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:19.378865004 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:19.423980951 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:20.386046886 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:20.439616919 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:21.401859045 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:21.580233097 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:22.402846098 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:22.580236912 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:23.420329094 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:23.580252886 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:24.615616083 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:24.674123049 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:25.456891060 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:25.580359936 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:26.465065956 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:26.580239058 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:27.472227097 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:27.568680048 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:28.480071068 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:28.580365896 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:29.495827913 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:29.580416918 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:30.521939993 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:30.580363989 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:31.526882887 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:31.580337048 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:32.619806051 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:32.673993111 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:33.542720079 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:33.595895052 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:34.565937996 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:34.611515045 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:35.573834896 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:35.627125025 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:36.589847088 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:36.642777920 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:37.602545977 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:37.658394098 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:38.607212067 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:38.658385992 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:39.620681047 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:39.674020052 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:40.624696016 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:40.674007893 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:41.641798973 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:41.689667940 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:42.653274059 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:42.705281973 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:43.658868074 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:43.705291986 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:44.684421062 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:44.736525059 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:45.756088972 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:45.799156904 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:46.727781057 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:46.783525944 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:47.845698118 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:47.890636921 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:48.896909952 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:48.939785004 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:49.909080029 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:49.955374002 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:50.917670012 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:50.970913887 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:51.933783054 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:51.986618042 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:52.948299885 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:53.002157927 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:53.948717117 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:53.991772890 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:54.963901043 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:55.017786026 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:56.130871058 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:56.174134016 CET	49872	8080	192.168.2.4	111.90.140.76
Oct 28, 2024 13:44:57.042428970 CET	8080	49872	111.90.140.76	192.168.2.4
Oct 28, 2024 13:44:57.095906019 CET	49872	8080	192.168.2.4	111.90.140.76

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 28, 2024 13:42:02.992033958 CET	52645	53	192.168.2.4	1.1.1.1
Oct 28, 2024 13:43:21.570112944 CET	53	54898	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 28, 2024 13:42:02.992033958 CET	192.168.2.4	1.1.1.1	0x12a2	Standard query (0)	x1.i.lencr.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 28, 2024 13:42:03.000487089 CET	1.1.1.1	192.168.2.4	0x12a2	No error (0)	x1.i.lencr.org	crl.root-x1.letsencrypt.org.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49873	111.90.140.76	80	7076	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 13:43:03.061367989 CET	6	OUT	Data Raw: 00 00 00 01 Data Ascii:
Oct 28, 2024 13:43:03.061419964 CET	6	OUT	Data Raw: 00 00 00 03 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49875	65.21.245.7	80	7076	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 13:43:03.092282057 CET	6	OUT	Data Raw: 00 00 00 01 Data Ascii:
Oct 28, 2024 13:43:03.092322111 CET	6	OUT	Data Raw: 00 00 00 03 Data Ascii:
Oct 28, 2024 13:43:03.858572006 CET	505	IN	HTTP/1.1 400 Bad Request Content-Type: text/html; charset=us-ascii Server: Microsoft-HTTPAPI/2.0 Date: Mon, 28 Oct 2024 12:43:02 GMT Connection: close Content-Length: 326 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 42 61 64 20 52 65 71 75 65 73 74 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 42 61 64 20 52 65 71 75 65 73 74 20 2d 20 49 6e 76 61 6c 69 64 20 56 65 72 62 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 30 2e 20 54 68 65 20 72 65 71 75 65 73 74 20 76 65 72 62 20 69 73 20 69 6e 76 61 6c 69 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Bad Request</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Bad Request - Invalid Verb</h2><hr><p>HTTP Error 400. The request verb is invalid.</p></BODY></HTML>
Oct 28, 2024 13:43:03.858771086 CET	6	OUT	Data Raw: 00 00 10 18 Data Ascii:
Oct 28, 2024 13:43:03.858829021 CET	6	OUT	Data Raw: 00 00 00 01 Data Ascii:
Oct 28, 2024 13:43:03.858829021 CET	6	OUT	Data Raw: 2d 2d 0d 0a Data Ascii: --
Oct 28, 2024 13:43:03.858829021 CET	6	OUT	Data Raw: 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	56297	111.90.140.76	80	7076	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 13:44:03.064752102 CET	6	OUT	Data Raw: 00 00 00 01 Data Ascii:
Oct 28, 2024 13:44:03.064812899 CET	6	OUT	Data Raw: 00 00 00 03 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	56299	65.21.245.7	80	7076	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 13:44:03.099005938 CET	6	OUT	Data Raw: 00 00 00 01 Data Ascii:
Oct 28, 2024 13:44:03.099030018 CET	6	OUT	Data Raw: 00 00 00 03 Data Ascii:
Oct 28, 2024 13:44:03.831451893 CET	505	IN	HTTP/1.1 400 Bad Request Content-Type: text/html; charset=us-ascii Server: Microsoft-HTTPAPI/2.0 Date: Mon, 28 Oct 2024 12:44:02 GMT Connection: close Content-Length: 326 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 42 61 64 20 52 65 71 75 65 73 74 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 42 61 64 20 52 65 71 75 65 73 74 20 2d 20 49 6e 76 61 6c 69 64 20 56 65 72 62 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 30 2e 20 54 68 65 20 72 65 71 75 65 73 74 20 76 65 72 62 20 69 73 20 69 6e 76 61 6c 69 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Bad Request</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Bad Request - Invalid Verb</h2><hr><p>HTTP Error 400. The request verb is invalid.</p></BODY></HTML>
Oct 28, 2024 13:44:03.833703995 CET	6	OUT	Data Raw: 00 00 10 18 Data Ascii:
Oct 28, 2024 13:44:03.833704948 CET	6	OUT	Data Raw: 00 00 00 01 Data Ascii:
Oct 28, 2024 13:44:03.833753109 CET	6	OUT	Data Raw: 2d 2d 0d 0a Data Ascii: --
Oct 28, 2024 13:44:03.833753109 CET	6	OUT	Data Raw: 00 00 00 00 Data Ascii:

Target ID:	0
Start time:	08:41:46
Start date:	28/10/2024
Path:	C:\Users\user\Desktop\0438.pdf.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\0438.pdf.exe"
Imagebase:	0x7ff665ec0000
File size:	11'654'747 bytes
MD5 hash:	2D11DBA46735AF1CB1C0A42E9564E20D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	08:41:48
Start date:	28/10/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\pdf.msi" /qn
Imagebase:	0x7ff77fd90000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:41:48
Start date:	28/10/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\Doc.pdf"
Imagebase:	0x7ff6bc1b0000
File size:	5'641'176 bytes
MD5 hash:	24EAD1C46A47022347DC0F05F6EFBB8C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	08:41:48
Start date:	28/10/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff77fd90000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	08:41:49
Start date:	28/10/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Imagebase:	0x7ff74bb60000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	08:41:50
Start date:	28/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	08:41:50
Start date:	28/10/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2068 --field-trial-handle=1576,i,6061207058783302797,5194887840937353,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Imagebase:	0x7ff74bb60000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	08:41:56
Start date:	28/10/2024
Path:	C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /siex /silentinstall
Imagebase:	0x400000
File size:	6'307'408 bytes
MD5 hash:	63D0964168B927D00064AA684E79A300
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000007.00000000.1833595645.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe, Author: Joe Security
Antivirus matches:	Detection: 3%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	08:41:57
Start date:	28/10/2024
Path:	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /siex /silentinstall
Imagebase:	0x400000
File size:	7'753'808 bytes
MD5 hash:	F3D74B072B9697CF64B0B8445FDC8128
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000009.00000000.1843565844.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe, Author: Joe Security
Antivirus matches:	Detection: 3%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	08:41:59
Start date:	28/10/2024
Path:	C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /firewall
Imagebase:	0x400000
File size:	6'307'408 bytes
MD5 hash:	63D0964168B927D00064AA684E79A300
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	08:41:59
Start date:	28/10/2024
Path:	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /firewall
Imagebase:	0x400000
File size:	7'753'808 bytes
MD5 hash:	F3D74B072B9697CF64B0B8445FDC8128
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	08:42:00
Start date:	28/10/2024
Path:	C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /start
Imagebase:	0x400000
File size:	6'307'408 bytes
MD5 hash:	63D0964168B927D00064AA684E79A300
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	08:42:01
Start date:	28/10/2024
Path:	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /start
Imagebase:	0x400000
File size:	7'753'808 bytes
MD5 hash:	F3D74B072B9697CF64B0B8445FDC8128
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	08:42:01
Start date:	28/10/2024
Path:	C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe"
Imagebase:	0x400000
File size:	7'753'808 bytes
MD5 hash:	F3D74B072B9697CF64B0B8445FDC8128
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	08:42:03
Start date:	28/10/2024
Path:	C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray
Imagebase:	0x400000
File size:	6'307'408 bytes
MD5 hash:	63D0964168B927D00064AA684E79A300
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	08:42:03
Start date:	28/10/2024
Path:	C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe"
Imagebase:	0x400000
File size:	6'307'408 bytes
MD5 hash:	63D0964168B927D00064AA684E79A300
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	12.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	27.4%
Total number of Nodes:	2000
Total number of Limit Nodes:	28

Executed Functions

Function 00007FF665EEB190 Relevance: 123.9, APIs: 60, Strings: 10, Instructions: 1421windowfilesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF665EC255C: GetDlgItem.USER32 ref: 00007FF665EC25AC
Part of subcall function 00007FF665EC255C: SetWindowTextW.USER32 ref: 00007FF665EC25C8

EndDialog.USER32 ref: 00007FF665EEB2D0
SetDlgItemTextW.USER32 ref: 00007FF665EEB320
GetMessageW.USER32 ref: 00007FF665EEB350
IsDialogMessageW.USER32 ref: 00007FF665EEB369
TranslateMessage.USER32 ref: 00007FF665EEB37B
DispatchMessageW.USER32 ref: 00007FF665EEB389
EndDialog.USER32 ref: 00007FF665EEB3D3
GetDlgItem.USER32 ref: 00007FF665EEB410
SendMessageW.USER32 ref: 00007FF665EEB431
SendMessageW.USER32 ref: 00007FF665EEB449
SetFocus.USER32 ref: 00007FF665EEB452
GetLastError.KERNEL32 ref: 00007FF665EEB634
GetLastError.KERNEL32 ref: 00007FF665EEB665
GetTickCount.KERNEL32 ref: 00007FF665EEB68B
GetLastError.KERNEL32 ref: 00007FF665EEB6F5
GetCommandLineW.KERNEL32 ref: 00007FF665EEB841
CreateFileMappingW.KERNEL32 ref: 00007FF665EEB900
MapViewOfFile.KERNEL32 ref: 00007FF665EEB923
Sleep.KERNEL32 ref: 00007FF665EEB9B6
UnmapViewOfFile.KERNEL32 ref: 00007FF665EEB9DF
CloseHandle.KERNEL32 ref: 00007FF665EEB9E8
SetDlgItemTextW.USER32 ref: 00007FF665EEBCDE
DialogBoxParamW.USER32 ref: 00007FF665EEC0D7
EndDialog.USER32 ref: 00007FF665EEC0EF
EnableWindow.USER32 ref: 00007FF665EEC2A6
SendMessageW.USER32 ref: 00007FF665EEC2F8
ShellExecuteExW.SHELL32 ref: 00007FF665EEB95B

Part of subcall function 00007FF665EDAAE0: LoadStringW.USER32 ref: 00007FF665EDAB67
Part of subcall function 00007FF665EDAAE0: LoadStringW.USER32 ref: 00007FF665EDAB80

SendMessageW.USER32 ref: 00007FF665EEBEC3
SendDlgItemMessageW.USER32 ref: 00007FF665EEBEEA
GetDlgItem.USER32 ref: 00007FF665EEBEF8
SendMessageW.USER32 ref: 00007FF665EEBF12
GetDlgItem.USER32 ref: 00007FF665EEBF4F
SetDlgItemTextW.USER32 ref: 00007FF665EEBFEC
SetDlgItemTextW.USER32 ref: 00007FF665EEC004
SetDlgItemTextW.USER32 ref: 00007FF665EEC321
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EEC363
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EEC369
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EEC36F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EEC375
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EEC37B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EEC381
SendDlgItemMessageW.USER32 ref: 00007FF665EEC449
EndDialog.USER32 ref: 00007FF665EEC463
GetDlgItem.USER32 ref: 00007FF665EEC491
SetFocus.USER32 ref: 00007FF665EEC49A
SendDlgItemMessageW.USER32 ref: 00007FF665EEC53E
FindFirstFileW.KERNEL32 ref: 00007FF665EEC562
FindClose.KERNEL32 ref: 00007FF665EEC68A
SendDlgItemMessageW.USER32 ref: 00007FF665EEC7AF

Part of subcall function 00007FF665EC129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF665EC1396

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EECAA9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EECAAF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EECAB5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EECABB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EECAC1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EECAC7

Strings

p, xrefs: 00007FF665EEB7AB
runas, xrefs: 00007FF665EEB7C9
__tmp_rar_sfx_access_check_, xrefs: 00007FF665EEB6A9
LICENSEDLG, xrefs: 00007FF665EEC0C9
%s %s, xrefs: 00007FF665EEC6D9, 00007FF665EEC946
-el -s2 "-d%s" "-sp%s", xrefs: 00007FF665EEB799
REPLACEFILEDLG, xrefs: 00007FF665EEC3D3
winrarsfxmappingfile.tmp, xrefs: 00007FF665EEB8E0
STARTDLG, xrefs: 00007FF665EEB1CA
@, xrefs: 00007FF665EEB7B6

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: Item$Message$_invalid_parameter_noinfo_noreturn$Send$DialogText$File$ErrorLast$CloseFindFocusLoadStringViewWindow$CommandConcurrency::cancel_current_taskCountCreateDispatchEnableExecuteFirstHandleLineMappingParamShellSleepTickTranslateUnmap
String ID: %s %s$-el -s2 "-d%s" "-sp%s"$@$LICENSEDLG$REPLACEFILEDLG$STARTDLG$__tmp_rar_sfx_access_check_$p$runas$winrarsfxmappingfile.tmp
API String ID: 255727823-2702805183
Opcode ID: cc7014f4e7a90cabf34f85099bb26417f38d3f1755592d98c7c91d1bfe449048
Instruction ID: 2d1c274d2e3d76c594673c786996915f12efbf9047dba5d79c90bd16ee207db7
Opcode Fuzzy Hash: cc7014f4e7a90cabf34f85099bb26417f38d3f1755592d98c7c91d1bfe449048
Instruction Fuzzy Hash: 3DD2A062E197C2C1EE209B65E9522BA6771EF85F80F904131EA5D8F6A9DF3CED44C700

Function 00007FF665EECE88 Relevance: 65.0, APIs: 26, Strings: 10, Instructions: 1963windowfileCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00007FF665EED5F3
SendMessageW.USER32 ref: 00007FF665EED626
SendMessageW.USER32 ref: 00007FF665EED655
MoveFileW.KERNEL32 ref: 00007FF665EEDB4B
MoveFileExW.KERNEL32 ref: 00007FF665EEDB69
GetTempPathW.KERNEL32 ref: 00007FF665EEDC49

Part of subcall function 00007FF665EC1FA0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EC1FFB

EndDialog.USER32 ref: 00007FF665EEDFCA
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF665EEEEE3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EEEEEF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EEEF07
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EEEF0D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EEEF13
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EEEF19
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EEEF1F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EEEF25
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EEEF2B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EEEF31
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EEEF37
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EEEF3D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EEEF43
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EEEF49
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EEEF4F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EEEF55
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EEEF5B
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF665EEEF67
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF665EEEF73

Strings

lnk, xrefs: 00007FF665EEE3CA, 00007FF665EEE3D9
.lnk, xrefs: 00007FF665EEE406, 00007FF665EEE415
ProgramFilesDir, xrefs: 00007FF665EED4F0
MAX, xrefs: 00007FF665EEEA82, 00007FF665EEEA91
<br>, xrefs: 00007FF665EED6DA, 00007FF665EED6E9
HIDE, xrefs: 00007FF665EEE9E5, 00007FF665EEE9F4
.tmp, xrefs: 00007FF665EEDA85
MIN, xrefs: 00007FF665EEEAE5, 00007FF665EEEAF4
@set:user, xrefs: 00007FF665EEDD96, 00007FF665EEDDA5
Software\Microsoft\Windows\CurrentVersion, xrefs: 00007FF665EED501

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task$FileMessageMoveSend$DialogItemPathTemp
String ID: .lnk$.tmp$<br>$@set:user$HIDE$MAX$MIN$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$lnk
API String ID: 3007431893-3916287355
Opcode ID: 03d3e8211883851f7ef06e27a556162d5737696b71e17b8ecd20de3ca5a7139a
Instruction ID: da09e696a46afdad21c57ea771b5a3f3b696686c07b201172d44388b51f00506
Opcode Fuzzy Hash: 03d3e8211883851f7ef06e27a556162d5737696b71e17b8ecd20de3ca5a7139a
Instruction Fuzzy Hash: 7113C172B14B82C5EF10DF64DA422EC27B1EB84B98F401536EA5D9BAD9DF38D985C340

Function 00007FF665EF0754 Relevance: 45.9, APIs: 21, Strings: 5, Instructions: 380
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF665EDDFD0: GetModuleHandleW.KERNEL32(?,?,?,00000000,?), ref: 00007FF665EDE018
Part of subcall function 00007FF665EDDFD0: GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 00007FF665EDE030
Part of subcall function 00007FF665EDDFD0: GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 00007FF665EDE05D

Part of subcall function 00007FF665ED62DC: GetCurrentDirectoryW.KERNEL32 ref: 00007FF665ED62F2
Part of subcall function 00007FF665ED62DC: GetCurrentDirectoryW.KERNEL32 ref: 00007FF665ED632C

Part of subcall function 00007FF665EE946C: OleInitialize.OLE32 ref: 00007FF665EE9486
Part of subcall function 00007FF665EE946C: SHGetMalloc.SHELL32 ref: 00007FF665EE94D4

GetCommandLineW.KERNEL32 ref: 00007FF665EF096E
OpenFileMappingW.KERNEL32 ref: 00007FF665EF0A07
MapViewOfFile.KERNEL32 ref: 00007FF665EF0A30
UnmapViewOfFile.KERNEL32 ref: 00007FF665EF0A46
MapViewOfFile.KERNEL32 ref: 00007FF665EF0A63
UnmapViewOfFile.KERNEL32 ref: 00007FF665EF0ACA
CloseHandle.KERNEL32 ref: 00007FF665EF0AD3
SetEnvironmentVariableW.KERNELBASE ref: 00007FF665EF0BAD
GetLocalTime.KERNEL32 ref: 00007FF665EF0BB8
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF665EF0C13
SetEnvironmentVariableW.KERNEL32 ref: 00007FF665EF0C26
GetModuleHandleW.KERNEL32 ref: 00007FF665EF0C2E
LoadIconW.USER32 ref: 00007FF665EF0C4D
DialogBoxParamW.USER32 ref: 00007FF665EF0CB6
Sleep.KERNEL32 ref: 00007FF665EF0CE6
DeleteObject.GDI32 ref: 00007FF665EF0D0D
DeleteObject.GDI32 ref: 00007FF665EF0D1F
CloseHandle.KERNEL32 ref: 00007FF665EF0D67
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EF0DD7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EF0DDD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EF0DE3

Part of subcall function 00007FF665EEFD0C: SetEnvironmentVariableW.KERNEL32 ref: 00007FF665EEFD43
Part of subcall function 00007FF665EEFD0C: SetEnvironmentVariableW.KERNEL32 ref: 00007FF665EEFDBC

Strings

sfxname, xrefs: 00007FF665EF0B9B
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 00007FF665EF0C02
winrarsfxmappingfile.tmp, xrefs: 00007FF665EF09F9
sfxstime, xrefs: 00007FF665EF0C1F
STARTDLG, xrefs: 00007FF665EF0CA5

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: File$EnvironmentHandleVariableView$_invalid_parameter_noinfo_noreturn$AddressCloseCurrentDeleteDirectoryModuleObjectProcUnmap$CommandDialogIconInitializeLineLoadLocalMallocMappingOpenParamSleepTimeswprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 1048086575-3710569615
Opcode ID: 698fae3a653e1b7d4e45f88450a095eb1b46b52804e719b722bb591d7123fd6d
Instruction ID: 83ceb59b10e6bb5c2ee9dfb98ce3845e572cabd8aece4356c7a4f61103fcf893
Opcode Fuzzy Hash: 698fae3a653e1b7d4e45f88450a095eb1b46b52804e719b722bb591d7123fd6d
Instruction Fuzzy Hash: 7E126161A19B82C1EF109B64E9562B96371FFC4F94F404235EA9D8FAA5EF3CE940C740

Function 00007FF665EDA4AC Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 250
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF665EDA504

Part of subcall function 00007FF665EE0F68: WideCharToMultiByte.KERNEL32 ref: 00007FF665EE0F99

SetDlgItemTextW.USER32 ref: 00007FF665EDA573
GetWindowRect.USER32 ref: 00007FF665EDA5AD
GetClientRect.USER32 ref: 00007FF665EDA5BB
GetWindowLongPtrW.USER32 ref: 00007FF665EDA66C
GetWindowRect.USER32 ref: 00007FF665EDA6B2
SetWindowTextW.USER32 ref: 00007FF665EDA6EC
GetSystemMetrics.USER32 ref: 00007FF665EDA6F7
GetWindow.USER32 ref: 00007FF665EDA708
GetWindowRect.USER32 ref: 00007FF665EDA746
GetWindow.USER32 ref: 00007FF665EDA808

Strings

CAPTION, xrefs: 00007FF665EDA6CF
$%s:, xrefs: 00007FF665EDA4EF

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWideswprintf
String ID: $%s:$CAPTION
API String ID: 2100155373-404845831
Opcode ID: 1224945cd41bf140f0dcf37f1b002595631e4f701a4b658f84a72e9da714e3d9
Instruction ID: ab54c0535bd4d6d5f5d99262ba6d7b6a1bd5d301449bfdf47585b3e931cabfc0
Opcode Fuzzy Hash: 1224945cd41bf140f0dcf37f1b002595631e4f701a4b658f84a72e9da714e3d9
Instruction Fuzzy Hash: D591D472B18642C6EB148F39E90166967B1FBC4B84F545535EE4A8BB98CE3CED05CF00

Function 00007FF665EE8624 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 101
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32 ref: 00007FF665EE863D
SizeofResource.KERNEL32 ref: 00007FF665EE8659
LoadResource.KERNEL32 ref: 00007FF665EE8673
LockResource.KERNEL32 ref: 00007FF665EE8685
GlobalAlloc.KERNELBASE ref: 00007FF665EE86A6
GlobalLock.KERNEL32 ref: 00007FF665EE86BB
CreateStreamOnHGlobal.COMBASE ref: 00007FF665EE86E8
GdipAlloc.GDIPLUS ref: 00007FF665EE86FE
GdipCreateHBITMAPFromBitmap.GDIPLUS ref: 00007FF665EE8769
GlobalUnlock.KERNEL32 ref: 00007FF665EE878C
GlobalFree.KERNEL32 ref: 00007FF665EE8795

Strings

PNG, xrefs: 00007FF665EE862F

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
String ID: PNG
API String ID: 211097158-364855578
Opcode ID: c8606208415c3a11eb94d5df8c8f8595ea54109f2541637b646828bce78d4013
Instruction ID: c494fd5cb88999ca125c91b518a7205fb560980c1d726ee3ddd08dbf0b2f67cb
Opcode Fuzzy Hash: c8606208415c3a11eb94d5df8c8f8595ea54109f2541637b646828bce78d4013
Instruction Fuzzy Hash: 51410C26A19B46C2EF149B56E95537963B0AF88F90F084435EE0DCB3A4EF7CEC498740

Function 00007FF665ECF930 Relevance: 17.2, APIs: 8, Strings: 1, Instructions: 1417COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ED1239
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ED123F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ED1245
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ED124B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ED1251
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ED1257
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ED125D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ED1263

Strings

__tmp_reference_source_, xrefs: 00007FF665ECFCCF, 00007FF665ECFCDE

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: __tmp_reference_source_
API String ID: 3668304517-685763994
Opcode ID: 384689ac8530feea5e34db68b871157dbebb8f7d0f69150fafb81c6ad97b012c
Instruction ID: 3e2c9fd524702f5816ea0b2052148d92c4e515181d6ce66929478578cb1d2db8
Opcode Fuzzy Hash: 384689ac8530feea5e34db68b871157dbebb8f7d0f69150fafb81c6ad97b012c
Instruction Fuzzy Hash: 0FE28862A086C1D2EE64CB65D6423BE6771FBC1B40F445232EBAD8B6A5DF3CE855C700

Function 00007FF665EC4840 Relevance: 12.1, APIs: 5, Strings: 1, Instructions: 1624COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EC511E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EC5124
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EC512A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EC5E16
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EC5E1C

Strings

CMT, xrefs: 00007FF665EC59B2

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: CMT
API String ID: 3668304517-2756464174
Opcode ID: 0f836c28f51a9b584851c458bba0ff9f464b0987ccb560ad783dda4dde2c761e
Instruction ID: 0a098f746b794f72144b195897e61cf44d3ea9fc8db9d82b055b5fe153c0deeb
Opcode Fuzzy Hash: 0f836c28f51a9b584851c458bba0ff9f464b0987ccb560ad783dda4dde2c761e
Instruction Fuzzy Hash: 97E2E762B08682C6EF14DB65D6522FD6BB1FB45B84F440136EA6E8B796DF3CE854C300

Function 00007FF665ED40BC Relevance: 10.7, APIs: 7, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE ref: 00007FF665ED410B
FindFirstFileW.KERNELBASE ref: 00007FF665ED415E
GetLastError.KERNEL32 ref: 00007FF665ED41AF
FindNextFileW.KERNEL32 ref: 00007FF665ED41D7
GetLastError.KERNEL32 ref: 00007FF665ED41E5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ED430F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ED4315

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: FileFind$ErrorFirstLast_invalid_parameter_noinfo_noreturn$Next
String ID:
API String ID: 474548282-0
Opcode ID: ee5b8a3817742aa34bf8fe6f457784b4fe5053db0f5ec5b81f22969634733f46
Instruction ID: 6e7e51e1b97c273ba59b466b97389cc7b1cf07742bb81394b0fa4d72de1c5132
Opcode Fuzzy Hash: ee5b8a3817742aa34bf8fe6f457784b4fe5053db0f5ec5b81f22969634733f46
Instruction Fuzzy Hash: D2617062A08B46C1EE109B28E94226D6371FBD5BA4F505332FABD8B6D9DF7CD944C700

Function 00007FF665EC5E24 Relevance: 7.6, APIs: 3, Strings: 1, Instructions: 586
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CMT, xrefs: 00007FF665EC59B2, 00007FF665EC675B

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID:
String ID: CMT
API String ID: 0-2756464174
Opcode ID: 359dff1c80db5b7743fdae80869b9e224ec7716eef54e7df647838bf343512b4
Instruction ID: 014b15907ccebc7461cc8c4d6bda0fec40840a023d5128c47fa44d38be863ef9
Opcode Fuzzy Hash: 359dff1c80db5b7743fdae80869b9e224ec7716eef54e7df647838bf343512b4
Instruction Fuzzy Hash: 1842C522B08681D7EF18DB79D2522FE6BB1EB51B44F400135EB6E9B696DF38E954C300

Function 00007FF665EE1F20 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9760fb6421b16e0e583802a284a649d5527ae7ea6cefd943f702fc6b6a5a6041
Instruction ID: c05240aa392d8364c6ef089e661d0b11dc75fe81921c4b19fa552942a59add75
Opcode Fuzzy Hash: 9760fb6421b16e0e583802a284a649d5527ae7ea6cefd943f702fc6b6a5a6041
Instruction Fuzzy Hash: 75E1E562A182C2CAEF64CF28E64627D77A1FB44B48F054136EB8E9B745DF3CE9418704

Function 00007FF665EE3484 Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bca6f1c51f28919b1ed0d44622ea5b19d03515415c361c6bf899ecd233d7ad4e
Instruction ID: b964fb9171cd2ac37397a69babb1ae948497be1ffc7d6c7bfb2b5f92cf112af5
Opcode Fuzzy Hash: bca6f1c51f28919b1ed0d44622ea5b19d03515415c361c6bf899ecd233d7ad4e
Instruction Fuzzy Hash: D7B1F0A2B14BC992DE18CB66D609AE963A1B709FC4F488032EE4D8B751DF3CF955C300

Function 00007FF665ED4928 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID:
API String ID: 3340455307-0
Opcode ID: 388497648aa7178462f46e8a8cb48851b3eb3f46bbabbbefb59410a44eea80d8
Instruction ID: 6afaf32ad629e7bff3009f78c8e473c74506b1dc1192cc465ba05af91f09422b
Opcode Fuzzy Hash: 388497648aa7178462f46e8a8cb48851b3eb3f46bbabbbefb59410a44eea80d8
Instruction Fuzzy Hash: 66410922B15A96C6FF64DF11EA027692262FBD4B84F045231EE8D8B794DE7CE8428704

Function 00007FF665EDDFD0 Relevance: 143.9, APIs: 16, Strings: 66, Instructions: 440
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(?,?,?,00000000,?), ref: 00007FF665EDE018
GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 00007FF665EDE030
GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 00007FF665EDE05D
CreateFileW.KERNEL32 ref: 00007FF665EDE3F0
SetFilePointer.KERNEL32 ref: 00007FF665EDE40E
ReadFile.KERNEL32 ref: 00007FF665EDE436

Part of subcall function 00007FF665EDDFD0: GetSystemDirectoryW.KERNEL32 ref: 00007FF665EDDDDF

CompareStringW.KERNELBASE ref: 00007FF665EDE559
CloseHandle.KERNEL32 ref: 00007FF665EDE4F3

Part of subcall function 00007FF665EC1FA0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EC1FFB

Part of subcall function 00007FF665ED51A4: GetVersionExW.KERNEL32 ref: 00007FF665ED51D5

Part of subcall function 00007FF665EDDFD0: LoadLibraryExW.KERNELBASE ref: 00007FF665EDDEFF
Part of subcall function 00007FF665EDDFD0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EDDFB5
Part of subcall function 00007FF665EDDFD0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EDDFBB
Part of subcall function 00007FF665EDDFD0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EDDFC1
Part of subcall function 00007FF665EDDFD0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EDDFC7

AllocConsole.KERNEL32(?,?,?,00000000,?), ref: 00007FF665EDE74B
GetCurrentProcessId.KERNEL32(?,?,?,00000000,?), ref: 00007FF665EDE755
AttachConsole.KERNEL32(?,?,?,00000000,?), ref: 00007FF665EDE75D
GetStdHandle.KERNEL32(?,?,?,00000000,?), ref: 00007FF665EDE780
WriteConsoleW.KERNEL32(?,?,?,00000000,?), ref: 00007FF665EDE799
Sleep.KERNEL32(?,?,?,00000000,?), ref: 00007FF665EDE7A4
FreeConsole.KERNEL32(?,?,?,00000000,?), ref: 00007FF665EDE7AA
ExitProcess.KERNEL32 ref: 00007FF665EDE7BB

Strings

XmlLite.dll, xrefs: 00007FF665EDE339
cryptsp.dll, xrefs: 00007FF665EDE355
dnsapi.DLL, xrefs: 00007FF665EDE259
ntshrui.dll, xrefs: 00007FF665EDE12B
WINNSI.DLL, xrefs: 00007FF665EDE275
psapi.dll, xrefs: 00007FF665EDE115
aclui.dll, xrefs: 00007FF665EDE371
mpr.dll, xrefs: 00007FF665EDE291
linkinfo.dll, xrefs: 00007FF665EDE347
apphelp.dll, xrefs: 00007FF665EDE14F
dhcpcsvc6.dll, xrefs: 00007FF665EDE31D
profapi.dll, xrefs: 00007FF665EDE205
shell32.dll, xrefs: 00007FF665EDE1BF
dsrole.dll, xrefs: 00007FF665EDE37F
sfc_os.dll, xrefs: 00007FF665EDE091
wkscli.dll, xrefs: 00007FF665EDE2E5
kernel32, xrefs: 00007FF665EDE011
dwmapi.dll, xrefs: 00007FF665EDE0BD, 00007FF665EDE661
peerdist.dll, xrefs: 00007FF665EDE38D
shdocvw.dll, xrefs: 00007FF665EDE179
WindowsCodecs.dll, xrefs: 00007FF665EDE213
dhcpcsvc.dll, xrefs: 00007FF665EDE32B
setupapi.dll, xrefs: 00007FF665EDE141
wintrust.dll, xrefs: 00007FF665EDE1B1
samcli.dll, xrefs: 00007FF665EDE2C9
rsaenh.dll, xrefs: 00007FF665EDE0A7
dfscli.dll, xrefs: 00007FF665EDE2F3
srvcli.dll, xrefs: 00007FF665EDE221
clbcatq.dll, xrefs: 00007FF665EDE0E9
SetDllDirectoryW, xrefs: 00007FF665EDE026
atl.dll, xrefs: 00007FF665EDE136
cryptbase.dll, xrefs: 00007FF665EDE0C8
mlang.dll, xrefs: 00007FF665EDE2BB
userenv.dll, xrefs: 00007FF665EDE15D
RpcRtRemote.dll, xrefs: 00007FF665EDE363
usp10.dll, xrefs: 00007FF665EDE0DE
ws2_32.dll, xrefs: 00007FF665EDE0FF
oleaccrc.dll, xrefs: 00007FF665EDE1E9
cscapi.dll, xrefs: 00007FF665EDE22F
lpk.dll, xrefs: 00007FF665EDE0D3
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00007FF665EDE73B
netutils.dll, xrefs: 00007FF665EDE283
SSPICLI.DLL, xrefs: 00007FF665EDE09C
browcli.dll, xrefs: 00007FF665EDE301
ws2help.dll, xrefs: 00007FF665EDE10A
rasadhlp.dll, xrefs: 00007FF665EDE30F
msasn1.dll, xrefs: 00007FF665EDE195
UXTheme.dll, xrefs: 00007FF665EDE0B2
imageres.dll, xrefs: 00007FF665EDE24B
SetDefaultDllDirectories, xrefs: 00007FF665EDE053
cabinet.dll, xrefs: 00007FF665EDE1DB
version.dll, xrefs: 00007FF665EDE07B
cryptui.dll, xrefs: 00007FF665EDE1A3
crypt32.dll, xrefs: 00007FF665EDE187
iphlpapi.DLL, xrefs: 00007FF665EDE267
netapi32.dll, xrefs: 00007FF665EDE16B
secur32.dll, xrefs: 00007FF665EDE1CD
ntmarta.dll, xrefs: 00007FF665EDE1F7
slc.dll, xrefs: 00007FF665EDE23D
ieframe.dll, xrefs: 00007FF665EDE120
samlib.dll, xrefs: 00007FF665EDE2D7
propsys.dll, xrefs: 00007FF665EDE2AD
DXGIDebug.dll, xrefs: 00007FF665EDE086, 00007FF665EDE5B6
comres.dll, xrefs: 00007FF665EDE0F4
devrtl.dll, xrefs: 00007FF665EDE29F
uxtheme.dll, xrefs: 00007FF665EDE66D

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Console$FileHandle$AddressProcProcess$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadModulePointerReadSleepStringSystemVersionWrite
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$RpcRtRemote.dll$SSPICLI.DLL$SetDefaultDllDirectories$SetDllDirectoryW$UXTheme.dll$WINNSI.DLL$WindowsCodecs.dll$XmlLite.dll$aclui.dll$apphelp.dll$atl.dll$browcli.dll$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$cryptbase.dll$cryptsp.dll$cryptui.dll$cscapi.dll$devrtl.dll$dfscli.dll$dhcpcsvc.dll$dhcpcsvc6.dll$dnsapi.DLL$dsrole.dll$dwmapi.dll$ieframe.dll$imageres.dll$iphlpapi.DLL$kernel32$linkinfo.dll$lpk.dll$mlang.dll$mpr.dll$msasn1.dll$netapi32.dll$netutils.dll$ntmarta.dll$ntshrui.dll$oleaccrc.dll$peerdist.dll$profapi.dll$propsys.dll$psapi.dll$rasadhlp.dll$rsaenh.dll$samcli.dll$samlib.dll$secur32.dll$setupapi.dll$sfc_os.dll$shdocvw.dll$shell32.dll$slc.dll$srvcli.dll$userenv.dll$usp10.dll$uxtheme.dll$version.dll$wintrust.dll$wkscli.dll$ws2_32.dll$ws2help.dll
API String ID: 1496594111-2013832382
Opcode ID: 19926894803355f4926a5d38047f13a95aa4f57e947c60c8a04cc60affe7caae
Instruction ID: d643610f45e1a13d526e563b0f95a867640bb18a46c337f84db4d7e5a77f2d78
Opcode Fuzzy Hash: 19926894803355f4926a5d38047f13a95aa4f57e947c60c8a04cc60affe7caae
Instruction Fuzzy Hash: 56323935A09B82D5EB118F60E9521E973B4FF84B54F840236EA4D8B7A5EF3CDA54C780

Function 00007FF665ED98DC Relevance: 25.2, APIs: 3, Strings: 11, Instructions: 702COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF665ED8E58: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF665ED8F8D

_snwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF665ED9F75
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EDA42F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EDA435

Part of subcall function 00007FF665EE0BBC: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF665EE0B44), ref: 00007FF665EE0BE9

Strings

@%s:, xrefs: 00007FF665ED9F57
*messages***, xrefs: 00007FF665ED9C04
*messages***, xrefs: 00007FF665ED9BC6
DIRECTION, xrefs: 00007FF665ED9DE5
,, xrefs: 00007FF665ED9FAA
RTL, xrefs: 00007FF665ED9F2E
, xrefs: 00007FF665ED9DF9
MENU, xrefs: 00007FF665ED9DD9
$%s:, xrefs: 00007FF665ED9F50
DIALOG, xrefs: 00007FF665ED9DCD
STRINGS, xrefs: 00007FF665ED9DC1

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ByteCharConcurrency::cancel_current_taskMultiWide_snwprintf
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$RTL$STRINGS
API String ID: 3629253777-3268106645
Opcode ID: a0ca64e2e6ce2865254327ea7649ce479d77a76cd71c28d6026bad56dc47627e
Instruction ID: e161d2bb377ec062429a40932f66bf909f1d62f8963be79487d31803c4954fb2
Opcode Fuzzy Hash: a0ca64e2e6ce2865254327ea7649ce479d77a76cd71c28d6026bad56dc47627e
Instruction Fuzzy Hash: 5C629E72A19682D5EF10DB25DA562BD2371FB80B84F805232EA4D8B6D5EF3CEE45C340

Function 00007FF665EF1900 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 195
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF665EF1558: DloadProtectSection.DELAYIMP ref: 00007FF665EF15C9

RaiseException.KERNEL32 ref: 00007FF665EF19A7
DloadReleaseSectionWriteAccess.DELAYIMP ref: 00007FF665EF1993

Part of subcall function 00007FF665EF1868: DloadProtectSection.DELAYIMP ref: 00007FF665EF18C7

LoadLibraryExA.KERNELBASE ref: 00007FF665EF1A46
GetLastError.KERNEL32 ref: 00007FF665EF1A54
DloadReleaseSectionWriteAccess.DELAYIMP ref: 00007FF665EF1A86
RaiseException.KERNEL32 ref: 00007FF665EF1A9A

Strings

H, xrefs: 00007FF665EF1974

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: DloadSection$AccessExceptionProtectRaiseReleaseWrite$ErrorLastLibraryLoad
String ID: H
API String ID: 3432403771-2852464175
Opcode ID: cf3fc932a6b7fb7fc9ef8320b4dd67bfc8d7ec91281715f792326570f1d4a57f
Instruction ID: b9576d9036fc5e5e7fdf47b07318e4359786dd54638eed26fc3d00cfd1b3785a
Opcode Fuzzy Hash: cf3fc932a6b7fb7fc9ef8320b4dd67bfc8d7ec91281715f792326570f1d4a57f
Instruction Fuzzy Hash: A2914A62E05B56CAEF14CFA5E9512AC33B1BB48B98F484436EE0D5B754EF38E845C740

Function 00007FF665EEF4E0 Relevance: 17.8, APIs: 6, Strings: 4, Instructions: 285
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32 ref: 00007FF665EEF747
ShowWindow.USER32 ref: 00007FF665EEF786
GetExitCodeProcess.KERNEL32 ref: 00007FF665EEF7BD
CloseHandle.KERNEL32 ref: 00007FF665EEF7E7
ShowWindow.USER32 ref: 00007FF665EEF83F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EEF8FB

Strings

.exe, xrefs: 00007FF665EEF7F2
.inf, xrefs: 00007FF665EEF675
p, xrefs: 00007FF665EEF529
Install, xrefs: 00007FF665EEF684

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_invalid_parameter_noinfo_noreturn
String ID: .exe$.inf$Install$p
API String ID: 1054546013-3607691742
Opcode ID: 67b61dfe47284e38b67ea0c0b1901cc6ac0d6bddf6aab1d537367ec119b3a945
Instruction ID: 7e3a9a0dd0a97a834e9361d014825a00f6b9f82b62585d1627282a35ac87072a
Opcode Fuzzy Hash: 67b61dfe47284e38b67ea0c0b1901cc6ac0d6bddf6aab1d537367ec119b3a945
Instruction Fuzzy Hash: 8DC1AD62F29A82C5FF00CB65EA5227923B1AF85F80F444035EA5D8B7A4DF3CEC958744

Function 00007FF665EEF0A4 Relevance: 16.6, APIs: 11, Instructions: 102
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF665EEAE1C: PeekMessageW.USER32 ref: 00007FF665EEAE32
Part of subcall function 00007FF665EEAE1C: GetMessageW.USER32 ref: 00007FF665EEAE49
Part of subcall function 00007FF665EEAE1C: IsDialogMessageW.USER32 ref: 00007FF665EEAE60
Part of subcall function 00007FF665EEAE1C: TranslateMessage.USER32 ref: 00007FF665EEAE6F
Part of subcall function 00007FF665EEAE1C: DispatchMessageW.USER32 ref: 00007FF665EEAE7A

GetDlgItem.USER32 ref: 00007FF665EEF0E3
ShowWindow.USER32 ref: 00007FF665EEF109
SendMessageW.USER32 ref: 00007FF665EEF11E
SendMessageW.USER32 ref: 00007FF665EEF136
SendMessageW.USER32 ref: 00007FF665EEF157
SendMessageW.USER32 ref: 00007FF665EEF173
SendMessageW.USER32 ref: 00007FF665EEF1B6
SendMessageW.USER32 ref: 00007FF665EEF1D4
SendMessageW.USER32 ref: 00007FF665EEF1E8
SendMessageW.USER32 ref: 00007FF665EEF212
SendMessageW.USER32 ref: 00007FF665EEF22A

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID:
API String ID: 3569833718-0
Opcode ID: c58ef51af4c11ae469b78d40ba7290d4e9656f32b0895ce54e4debee0d1a06d9
Instruction ID: 33084928f6e9542271c99a79304ef5932099ed89c31b462447264b956a47fc9b
Opcode Fuzzy Hash: c58ef51af4c11ae469b78d40ba7290d4e9656f32b0895ce54e4debee0d1a06d9
Instruction Fuzzy Hash: B241BF71B24682C6F7008FB1E812BAA2770EB89F98F541135DE0A8FB95CE3DDC458B44

Function 00007FF665ECEF10 Relevance: 11.0, APIs: 7, Instructions: 453COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ECF542
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ECF548
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ECF554
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ECF55A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ECF560
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ECF56C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ECF572

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 95f682f023754f56a0dcca5eb1f48e82665a17e2aa84d7a71d7c4cda38083178
Instruction ID: b3b9abb3ca936d4862744c73748ec6e129f6f521abeff0eecca3f978e30bcaf2
Opcode Fuzzy Hash: 95f682f023754f56a0dcca5eb1f48e82665a17e2aa84d7a71d7c4cda38083178
Instruction Fuzzy Hash: EC12C162F08B42C5EF10DB64D5462AD2771EB85BA8F404232EA7D9BAD9DF3CD985C340

Function 00007FF665ED24C0 Relevance: 9.2, APIs: 6, Instructions: 164
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00007FF665ED259B
GetLastError.KERNEL32 ref: 00007FF665ED25AE
CreateFileW.KERNEL32 ref: 00007FF665ED260E
GetLastError.KERNEL32 ref: 00007FF665ED2617
SetFileTime.KERNEL32 ref: 00007FF665ED26C9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ED2736

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: File$CreateErrorLast$Time_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3536497005-0
Opcode ID: dc46ff84bd0c57c9ac2b9914d0228e8f14f7433d989622a2074281460ea8d587
Instruction ID: ea94dcb7346269a09af0eaf9361a32099d6c6414232bcbce2e58e5368353ff2a
Opcode Fuzzy Hash: dc46ff84bd0c57c9ac2b9914d0228e8f14f7433d989622a2074281460ea8d587
Instruction Fuzzy Hash: F061F762A18741C5EB208B29EA0136E67B1FB94BA8F101335DFAD4BAD8DF3DD854C744

Function 00007FF665EEB014 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadBitmapW.USER32 ref: 00007FF665EEB02A
GetObjectW.GDI32 ref: 00007FF665EEB05B
DeleteObject.GDI32 ref: 00007FF665EEB095
DeleteObject.GDI32 ref: 00007FF665EEB0C5

Part of subcall function 00007FF665EE8624: FindResourceW.KERNEL32 ref: 00007FF665EE863D
Part of subcall function 00007FF665EE8624: SizeofResource.KERNEL32 ref: 00007FF665EE8659
Part of subcall function 00007FF665EE8624: LoadResource.KERNEL32 ref: 00007FF665EE8673
Part of subcall function 00007FF665EE8624: LockResource.KERNEL32 ref: 00007FF665EE8685
Part of subcall function 00007FF665EE8624: GlobalAlloc.KERNELBASE ref: 00007FF665EE86A6
Part of subcall function 00007FF665EE8624: GlobalLock.KERNEL32 ref: 00007FF665EE86BB
Part of subcall function 00007FF665EE8624: CreateStreamOnHGlobal.COMBASE ref: 00007FF665EE86E8
Part of subcall function 00007FF665EE8624: GdipAlloc.GDIPLUS ref: 00007FF665EE86FE
Part of subcall function 00007FF665EE8624: GdipCreateHBITMAPFromBitmap.GDIPLUS ref: 00007FF665EE8769
Part of subcall function 00007FF665EE8624: GlobalUnlock.KERNEL32 ref: 00007FF665EE878C
Part of subcall function 00007FF665EE8624: GlobalFree.KERNEL32 ref: 00007FF665EE8795

Strings

], xrefs: 00007FF665EEB063

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: Global$Resource$Object$AllocBitmapCreateDeleteGdipLoadLock$FindFreeFromSizeofStreamUnlock
String ID: ]
API String ID: 3561356813-3352871620
Opcode ID: 2f79d63664e457f963bfbd157e1c525b341384e02eb8e860e1f42d2dee528bbf
Instruction ID: 685e0198733e581f2f1ee756436191d81a58a29d4ccc843c13981195a965af28
Opcode Fuzzy Hash: 2f79d63664e457f963bfbd157e1c525b341384e02eb8e860e1f42d2dee528bbf
Instruction Fuzzy Hash: DD115C61A1D282C2EE259B61E75627953B1AF88FC4F080034EA5D8FB99DE3CEC058A00

Function 00007FF665EEAE1C Relevance: 7.5, APIs: 5, Instructions: 27
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32 ref: 00007FF665EEAE32
GetMessageW.USER32 ref: 00007FF665EEAE49
IsDialogMessageW.USER32 ref: 00007FF665EEAE60
TranslateMessage.USER32 ref: 00007FF665EEAE6F
DispatchMessageW.USER32 ref: 00007FF665EEAE7A

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 8f901ab8bb575df3ccfb48a5cb3294f091b017f84468599a2020223c8e70b7dc
Instruction ID: 0935c8930fbb4e685a2398e2fe757fd6dadab32624f83d2aa79035573f6004f1
Opcode Fuzzy Hash: 8f901ab8bb575df3ccfb48a5cb3294f091b017f84468599a2020223c8e70b7dc
Instruction Fuzzy Hash: 4AF0EC76A38582C2FB509BA1E896A362371BFD0F05F945435EA4E8A864DF3CD908CB00

Function 00007FF665EE91E8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32 ref: 00007FF665EE9211
SHAutoComplete.SHLWAPI ref: 00007FF665EE9255

Part of subcall function 00007FF665EE13C4: CompareStringW.KERNEL32 ref: 00007FF665EE13E3

FindWindowExW.USER32 ref: 00007FF665EE923F

Strings

EDIT, xrefs: 00007FF665EE921B, 00007FF665EE9233

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: 5198dd27efd6ef2cfe81d4e1a42d30dc263c523227a297f5f4c02164b2b5e029
Instruction ID: ba804e2c44c57d729a31773c89f2ebe439b04267f5c86f221f57cccd2123d9d6
Opcode Fuzzy Hash: 5198dd27efd6ef2cfe81d4e1a42d30dc263c523227a297f5f4c02164b2b5e029
Instruction Fuzzy Hash: 7E011261B18A87C1FE209B62F8127F663B0AF98F44F585031D94DCF655DE3CD9498A50

Function 00007FF665ED2CE0 Relevance: 6.1, APIs: 4, Instructions: 136
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(00007FF665ED8C9A), ref: 00007FF665ED2D22
WriteFile.KERNEL32 ref: 00007FF665ED2D6C
WriteFile.KERNELBASE ref: 00007FF665ED2D9A

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 759593f06e971a5af3dff942057e3884964648b854c35b3f90eb8150d1d2c130
Instruction ID: 8afeebb74cbc1d7c4b412faff87b29ffa8cbb747c749f2c3694a97454df7c44f
Opcode Fuzzy Hash: 759593f06e971a5af3dff942057e3884964648b854c35b3f90eb8150d1d2c130
Instruction Fuzzy Hash: 7C51D562A19642C2EF118B25DA5677A2370FF95F90F444232FA4E8BA94DF3CE885C740

Function 00007FF665EF03E0 Relevance: 6.1, APIs: 4, Instructions: 123
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowTextW.USER32 ref: 00007FF665EF0556
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EF05C1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EF05C7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EF05CD

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$TextWindow
String ID:
API String ID: 2912839123-0
Opcode ID: 5598f9f6159c26352fed43e9fa1146c75ce6583aafc26ff498caee47ac5bdfe3
Instruction ID: 4f48f0fcaac8d248ae437de0d3a022cc3890ef559a465a6ae56fefd4dc4a863e
Opcode Fuzzy Hash: 5598f9f6159c26352fed43e9fa1146c75ce6583aafc26ff498caee47ac5bdfe3
Instruction Fuzzy Hash: DA518D62F14652C4FF109BA4E9462AD2332AF84FA4F804635EA5D9EBD5DFACD940C300

Function 00007FF665ED3684 Relevance: 6.1, APIs: 4, Instructions: 94COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?,?,?,?,?,?,00000000,?,00007FF665ED309D), ref: 00007FF665ED36CE
CreateDirectoryW.KERNEL32 ref: 00007FF665ED3733
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,00007FF665ED309D), ref: 00007FF665ED3791
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ED37CE

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2359106489-0
Opcode ID: 5cda4ea00785afd89f4b2a0283e369f756aeb3863be6a65230e4b36aaec5c4cf
Instruction ID: f9d6772f6b83a0e80ee27e498b418d78cdc7c6e7bf2e40c95a9b0b65283b0df2
Opcode Fuzzy Hash: 5cda4ea00785afd89f4b2a0283e369f756aeb3863be6a65230e4b36aaec5c4cf
Instruction Fuzzy Hash: 8A317E62A0CA82C1EE609B25E65627A6371BBCCFA0F544331FA9DCB695DF3CDC458600

Function 00007FF665EF2D6C Relevance: 6.1, APIs: 4, Instructions: 94COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF665EF2D7B

Part of subcall function 00007FF665EF27FC: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF665EF281E

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF665EF2D90
__scrt_release_startup_lock.LIBCMT ref: 00007FF665EF2DFE
__scrt_get_show_window_mode.LIBCMT ref: 00007FF665EF2E51

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 1452418845-0
Opcode ID: f380b52e8f95e6a0f24ce785192d8cb773bc143ddf3d62aee805abe4fb8ed354
Instruction ID: d7162d5b90e8fb70d7673f58532db404eefcb0254c6f1f7276d073c7d797945b
Opcode Fuzzy Hash: f380b52e8f95e6a0f24ce785192d8cb773bc143ddf3d62aee805abe4fb8ed354
Instruction Fuzzy Hash: 9C31F521A0D282C2EF55AB64FA232B922B1AF94B84F541435F90ECF2D7DE2DAC058641

Function 00007FF665ED2320 Relevance: 6.1, APIs: 4, Instructions: 58fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(?,?,?,?,00000000,00007FF665ED2927,?,00100000,?,00000001,00000000,00000000,?,00007FF665ED14C1), ref: 00007FF665ED2348
ReadFile.KERNELBASE ref: 00007FF665ED2367
GetLastError.KERNEL32 ref: 00007FF665ED239B
GetLastError.KERNEL32 ref: 00007FF665ED23BA

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 5dece825d5be91adec6864fa12bb564f4e3b5809c08bfde6ef0babe01e3581d0
Instruction ID: 1a812ba263cacbfb72f508862a34fb81edff276b33d09ae966d278722347f5ae
Opcode Fuzzy Hash: 5dece825d5be91adec6864fa12bb564f4e3b5809c08bfde6ef0babe01e3581d0
Instruction Fuzzy Hash: 2D214121A08643C1EE605B11ED0123A6370BBA5F94F144631EE9D8F688CE7DDC858B51

Function 00007FF665EDE948 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF665EDECD8: ResetEvent.KERNEL32 ref: 00007FF665EDECF1
Part of subcall function 00007FF665EDECD8: ReleaseSemaphore.KERNEL32 ref: 00007FF665EDED07

ReleaseSemaphore.KERNEL32 ref: 00007FF665EDE974
CloseHandle.KERNELBASE ref: 00007FF665EDE993
DeleteCriticalSection.KERNEL32 ref: 00007FF665EDE9AA
CloseHandle.KERNEL32 ref: 00007FF665EDE9B7

Part of subcall function 00007FF665EDEA5C: WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF665EDE95F,?,?,?,00007FF665ED463A,?,?,?), ref: 00007FF665EDEA63
Part of subcall function 00007FF665EDEA5C: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF665EDE95F,?,?,?,00007FF665ED463A,?,?,?), ref: 00007FF665EDEA6E

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: CloseHandleReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 502429940-0
Opcode ID: 7c4c69b688bb09167c3d8ec6f4195a818a409db0987586a56ae23aa503e7e0cd
Instruction ID: 353e4512c95c1dc18a9426535adee12e94791e4a8d8a7b51a9bb92ad5e23f8e5
Opcode Fuzzy Hash: 7c4c69b688bb09167c3d8ec6f4195a818a409db0987586a56ae23aa503e7e0cd
Instruction Fuzzy Hash: DB012D32A15E81D2E6489B21E65526DB330FBC8B80F044131EB5E4B625CF39E8B48B80

Function 00007FF665EDEAA4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 00007FF665EDEAE0
SetThreadPriority.KERNEL32 ref: 00007FF665EDEB36

Strings

CreateThread failed, xrefs: 00007FF665EDEAEE

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: Thread$CreatePriority
String ID: CreateThread failed
API String ID: 2610526550-3849766595
Opcode ID: cf4f3858e1c5421656891f758a667cd72a6f2059ba57d4f8d940dbc9b5e0f540
Instruction ID: 9a2aad327069d369ade16c93b2da4bd8653cdeca7f00640bd6ba3d66ec36c5a6
Opcode Fuzzy Hash: cf4f3858e1c5421656891f758a667cd72a6f2059ba57d4f8d940dbc9b5e0f540
Instruction Fuzzy Hash: 82116332908A82C1EB10DB10E953179B375FB84F84F544232EA8E8B669DF7CED45CB40

Function 00007FF665EE946C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26comCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF665EDDFD0: GetSystemDirectoryW.KERNEL32 ref: 00007FF665EDDDDF

OleInitialize.OLE32 ref: 00007FF665EE9486
SHGetMalloc.SHELL32 ref: 00007FF665EE94D4

Strings

riched20.dll, xrefs: 00007FF665EE9475

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: DirectoryInitializeMallocSystem
String ID: riched20.dll
API String ID: 174490985-3360196438
Opcode ID: 0d85db053d286d1bd0fa19ead2840fc3f5149c6ee0f027e6ed6c33eb2c824e37
Instruction ID: 52e85f35206160ee8704bac899660a67fe4a58bf90ef68c65be383bb355a6bd8
Opcode Fuzzy Hash: 0d85db053d286d1bd0fa19ead2840fc3f5149c6ee0f027e6ed6c33eb2c824e37
Instruction Fuzzy Hash: 1BF03CB1618A82C2EB009F60F8161AAB7B0FB88B54F540135EA8D8B654DF7CD959CF00

Function 00007FF665EE095C Relevance: 4.7, APIs: 3, Instructions: 152windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF665EE853C: GlobalMemoryStatusEx.KERNEL32 ref: 00007FF665EE856C

Part of subcall function 00007FF665EDAAE0: LoadStringW.USER32 ref: 00007FF665EDAB67
Part of subcall function 00007FF665EDAAE0: LoadStringW.USER32 ref: 00007FF665EDAB80

Part of subcall function 00007FF665EC1FA0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EC1FFB

Part of subcall function 00007FF665EC129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF665EC1396

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EF01BB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EF01C1
SendDlgItemMessageW.USER32 ref: 00007FF665EF01F2

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$LoadString$Concurrency::cancel_current_taskGlobalItemMemoryMessageSendStatus
String ID:
API String ID: 3106221260-0
Opcode ID: 8c360d5f5e245417109053446ee31c3b82c6562e62a189eed3094808beb71bb9
Instruction ID: 76202278ef32c53e700dfe74babdf42ec5f9e4cf0450499c5a8fb2e217da8f24
Opcode Fuzzy Hash: 8c360d5f5e245417109053446ee31c3b82c6562e62a189eed3094808beb71bb9
Instruction Fuzzy Hash: 5C519F62F15682C6FF109BA5E5562FD2372ABC5F84F400235EA1E9F79ADE2CD901C340

Function 00007FF665EC1744 Relevance: 4.6, APIs: 3, Instructions: 118COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EC189C
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF665EC18A8
__std_exception_copy.LIBVCRUNTIME ref: 00007FF665EC18D4

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: Concurrency::cancel_current_task__std_exception_copy_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2371198981-0
Opcode ID: 38f8f32a5aa73e3028a820fc3bd1ecc749b441f7b309afffc1eaa69fcbc17178
Instruction ID: e0ec025c69ad1c2d1a4436b5e6e6caf1f7fcaf80977345a14c1ffe9ba4eb9cae
Opcode Fuzzy Hash: 38f8f32a5aa73e3028a820fc3bd1ecc749b441f7b309afffc1eaa69fcbc17178
Instruction Fuzzy Hash: 9B41F062B08685C1EE08DB92E642279A361EB44FE0F448231EE7C8FBD5DF3CE4918304

Function 00007FF665ED2134 Relevance: 4.6, APIs: 3, Instructions: 114fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE ref: 00007FF665ED21CF
CreateFileW.KERNEL32 ref: 00007FF665ED223C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ED22D8

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: CreateFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2272807158-0
Opcode ID: 650906bb36444c59f78769edd7e70a31dc34f49dc41decdeb4024168be9b1e6b
Instruction ID: 9542270f1b1fef30377cd4f34ba0c1478ede0004906ccbf5e012b2a47cab10a3
Opcode Fuzzy Hash: 650906bb36444c59f78769edd7e70a31dc34f49dc41decdeb4024168be9b1e6b
Instruction Fuzzy Hash: 08419172A18781C2EF108B15E94626963B1FB94BB4F105735EBAD4BAD5CF3CE8918600

Function 00007FF665EC23F8 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32 ref: 00007FF665EC243E
GetWindowTextW.USER32 ref: 00007FF665EC2476
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EC2505

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: TextWindow$Length_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2176759853-0
Opcode ID: 1bf85210b9a87779fb11811f9a7e2f8ba75c636e64e4f9da94f36f1c7ff0fb34
Instruction ID: b946e7046a877409d2f8a04f70488c45bc954a6d606c60d57e865c9701ef84b1
Opcode Fuzzy Hash: 1bf85210b9a87779fb11811f9a7e2f8ba75c636e64e4f9da94f36f1c7ff0fb34
Instruction Fuzzy Hash: 54219C62A28B8282EA148B65E94117AA371FB89FD0F145231FBDD47B95CF3CD4808B40

Function 00007FF665EE1F94 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF665EE205B
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF665EE2077
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF665EE2093

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: std::bad_alloc::bad_alloc
String ID:
API String ID: 1875163511-0
Opcode ID: 0ac8b931c67533783bb99e44ed512301af0920adb1b65b15738df05c1e7b1342
Instruction ID: 2c3af052a130c64ded49ea701f3479e2c1901460f0d92e6edf7bd352bce29a89
Opcode Fuzzy Hash: 0ac8b931c67533783bb99e44ed512301af0920adb1b65b15738df05c1e7b1342
Instruction Fuzzy Hash: EC317E22A18686D1FF259F14EA463B963B0FB50F84F544431E28D8A6E9DF7CED86C301

Function 00007FF665ED3D34 Relevance: 4.6, APIs: 3, Instructions: 62COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?,?,?,?,?,00000000,00000001,?,00007FF665EE07E1), ref: 00007FF665ED3D5E
SetFileAttributesW.KERNEL32 ref: 00007FF665ED3DB0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ED3E1A

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1203560049-0
Opcode ID: 30421b436104fcb90b4cd2208b99a3bf3782908f0837f7a91d3eb4cb73bf7196
Instruction ID: fd6931434caaf5e328b24645514bd1d07c59a54df99780d771b816a646d6b11f
Opcode Fuzzy Hash: 30421b436104fcb90b4cd2208b99a3bf3782908f0837f7a91d3eb4cb73bf7196
Instruction Fuzzy Hash: E321D662A08A81C1EE208B25E45626A6371FFC8F94F545330FA9D8B6D5DF3CD940CA40

Function 00007FF665ED31BC Relevance: 4.6, APIs: 3, Instructions: 59fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,?,?,?,?,?,?,?,00000000,00007FF665EE0822), ref: 00007FF665ED31E7
DeleteFileW.KERNEL32 ref: 00007FF665ED3237
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ED32A1

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: DeleteFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3118131910-0
Opcode ID: 539e2a0488ada646b9a4eb5c90a9f278ffd13936dc8dbc7caf4118334a65d282
Instruction ID: ffa9231b7ded610d2f861935d00bd72a37a74d187516dee11818e52cc06a3563
Opcode Fuzzy Hash: 539e2a0488ada646b9a4eb5c90a9f278ffd13936dc8dbc7caf4118334a65d282
Instruction Fuzzy Hash: BB217462A18B81C1EE108B25F95626E6371FBC8F94F501331FA9D8BA99DF3CD940CA40

Function 00007FF665ED32BC Relevance: 4.6, APIs: 3, Instructions: 57COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,?,00007FF665EDE5B1,?,?,?,00000000,?), ref: 00007FF665ED32E7
GetFileAttributesW.KERNELBASE ref: 00007FF665ED3334
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ED3399

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1203560049-0
Opcode ID: a8bcf6e2598255fa991570dfaf367ef52c8767d47326b3423635884fafe6ecbe
Instruction ID: 8527560941e4af6810434b3dedbd1a3847daaf21099c6ddb2cb8923bcf06a66e
Opcode Fuzzy Hash: a8bcf6e2598255fa991570dfaf367ef52c8767d47326b3423635884fafe6ecbe
Instruction Fuzzy Hash: 32216262A18681C1EE109B29F94612A6371FBC8FA4F541331FAAD8BBD5DF3CD941CA44

Function 00007FF665EFBF64 Relevance: 4.5, APIs: 3, Instructions: 19COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF665EFBF48), ref: 00007FF665EFBF8C
TerminateProcess.KERNEL32(?,?,?,00007FF665EFBF48), ref: 00007FF665EFBF97
ExitProcess.KERNEL32 ref: 00007FF665EFBFA6

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 44b3a526fe0d15710854bc957cc7a82f9edee4cc7420f0560de4bec5ea2a17a0
Instruction ID: f5ea3966ce3d76e3cec8b6570516237667eb62d68155514d3e02fc38af307a9c
Opcode Fuzzy Hash: 44b3a526fe0d15710854bc957cc7a82f9edee4cc7420f0560de4bec5ea2a17a0
Instruction Fuzzy Hash: 5EE01A25F04706C6EF546B21EDA637923766FC8F41F145438E90A8B396DE3DAC098B40

Function 00007FF665ECF578 Relevance: 3.2, APIs: 2, Instructions: 193COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ECF895
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ECF89B

Part of subcall function 00007FF665ED3EC8: FindClose.KERNELBASE(?,?,00000000,00007FF665EE0811), ref: 00007FF665ED3EFD

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseFind
String ID:
API String ID: 3587649625-0
Opcode ID: ca0581ef1bb473589dba99f130bc419ae7e505527f8951cee1cfdbbcd028e8d5
Instruction ID: 7681f5e018d314be0604d6e3a2657d60509d082378a67f212afd923545e47ec7
Opcode Fuzzy Hash: ca0581ef1bb473589dba99f130bc419ae7e505527f8951cee1cfdbbcd028e8d5
Instruction Fuzzy Hash: E7917073A18681D0EF10DB64D9452AD6771FB84B98F504135FA6C8BAE9DF7CD985C300

Function 00007FF665EC3904 Relevance: 3.1, APIs: 2, Instructions: 124COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EC3AB3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EC3AB9

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 64605ea4c96cd6a261f561e4281ee818068104f0c146ac1253270dcee5fc1f01
Instruction ID: 818e4e65e89b6ee3fcb9e9ddd47b660630d6ba2de0a9b76a61c4ac61b9c222b8
Opcode Fuzzy Hash: 64605ea4c96cd6a261f561e4281ee818068104f0c146ac1253270dcee5fc1f01
Instruction Fuzzy Hash: 78418262F14651C5FF00DBB5D5422AD2771AF88F98F145235EE2DAFB99DF38D8828200

Function 00007FF665ED2778 Relevance: 3.1, APIs: 2, Instructions: 100COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000002,?,00000F99,?,00007FF665ED274D), ref: 00007FF665ED28A9
GetLastError.KERNEL32(?,00007FF665ED274D), ref: 00007FF665ED28B8

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 043a82e8aff847b2e282b78885e55c7214a93c585b530bdf19c19deffc600893
Instruction ID: 56104bfda3e891e2fef1cf0e1cb4224c4065d2c230f3a859aec8af5ca8a9e484
Opcode Fuzzy Hash: 043a82e8aff847b2e282b78885e55c7214a93c585b530bdf19c19deffc600893
Instruction Fuzzy Hash: BD31A436B19A52C2EE604B2ADE426796370AFA4FD4F144231EE1D8F790DE3DDC418640

Function 00007FF665EC22BC Relevance: 3.1, APIs: 2, Instructions: 83COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00007FF665EC22F1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EC23F0

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: Item_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1746051919-0
Opcode ID: 95739ad7301a08b82252912ada3ab6f57aee1bff7a48893d1edd4817af44debc
Instruction ID: 53cecf99eecf37b6aac8a520dd5c24b1d131b48616a0c30e9a56ae1c95d28179
Opcode Fuzzy Hash: 95739ad7301a08b82252912ada3ab6f57aee1bff7a48893d1edd4817af44debc
Instruction Fuzzy Hash: FC31C122A18782C2EE149B29F94636E7371EB94F90F445231FBAD4BB95DF3CE8408704

Function 00007FF665ED2AD0 Relevance: 3.1, APIs: 2, Instructions: 76timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32 ref: 00007FF665ED2AFE
SetFileTime.KERNELBASE ref: 00007FF665ED2B9B

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 1f7bfd0f82637a6abdcd08aef8b442a865f6f50d97ba3a1fa7ef62b0e093425a
Instruction ID: b905cfb4633e9de0d4721ce6aba4bb41a86002535933fa2faa81ccfc40cd2e4b
Opcode Fuzzy Hash: 1f7bfd0f82637a6abdcd08aef8b442a865f6f50d97ba3a1fa7ef62b0e093425a
Instruction Fuzzy Hash: 7D21E523E0DB52D5EE628E11DA063B667B1AF91F94F144231EE4C4B291EE7CDC46C200

Function 00007FF665EDAAE0 Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

LoadStringW.USER32 ref: 00007FF665EDAB67
LoadStringW.USER32 ref: 00007FF665EDAB80

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: efc1550bd5bba1d5ac9face2304fa075ed5e4cb94ffc19493764f318ca00d951
Instruction ID: e4826f22d48bb890bc033aab070b6118143e271ebb71f22dba5a953ab479faec
Opcode Fuzzy Hash: efc1550bd5bba1d5ac9face2304fa075ed5e4cb94ffc19493764f318ca00d951
Instruction Fuzzy Hash: 581190B2B08681C5EA008F56E94612877B2BB88FC0F544535DE4DEB720DFBCEA418F44

Function 00007FF665ED2BB0 Relevance: 3.0, APIs: 2, Instructions: 47COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE ref: 00007FF665ED2C11
GetLastError.KERNEL32 ref: 00007FF665ED2C1E

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 5eda2cbf1ce6837a88d649c872729f31e823bc49095d59e5e9b193bf7b9166cd
Instruction ID: ecccface1b8ef51c215a74bbd3af61e71115bcda3a69c58a9c76d1961ab9e1ba
Opcode Fuzzy Hash: 5eda2cbf1ce6837a88d649c872729f31e823bc49095d59e5e9b193bf7b9166cd
Instruction Fuzzy Hash: E3116022A08645C1EF608B25E9822696770EB94FA4F544332EA7D9B2D4CF3CED82C700

Function 00007FF665EC255C Relevance: 3.0, APIs: 2, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF665EDA4AC: swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF665EDA504
Part of subcall function 00007FF665EDA4AC: SetDlgItemTextW.USER32 ref: 00007FF665EDA573
Part of subcall function 00007FF665EDA4AC: GetWindowRect.USER32 ref: 00007FF665EDA5AD
Part of subcall function 00007FF665EDA4AC: GetClientRect.USER32 ref: 00007FF665EDA5BB

GetDlgItem.USER32 ref: 00007FF665EC25AC
SetWindowTextW.USER32 ref: 00007FF665EC25C8

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: ItemRectTextWindow$Clientswprintf
String ID:
API String ID: 3322643685-0
Opcode ID: ad94589889145b650e3461eb84003e845283bd92425fc2a9221c8100a4e27e71
Instruction ID: bf0884f6a99fe873befe64e7c46996e3e4df261e3e7ac386eb522daa176c9c03
Opcode Fuzzy Hash: ad94589889145b650e3461eb84003e845283bd92425fc2a9221c8100a4e27e71
Instruction Fuzzy Hash: 6B019260E0928AC2FE455791EA662BA17725F95F44F081034E8DE8F2D9DF3CEC848700

Function 00007FF665EDEB58 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,00007FF665EDEBAD,?,?,?,?,00007FF665ED5752,?,?,?,00007FF665ED56DE), ref: 00007FF665EDEB5C
GetProcessAffinityMask.KERNEL32 ref: 00007FF665EDEB6F

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 444071b75e142e51b736d9fa504759652bc9944b894df1f8101a797a07211085
Instruction ID: 084395a15ed65479d9e1b052ca8b4a0fa11ac660ecea5c3052261335e7155179
Opcode Fuzzy Hash: 444071b75e142e51b736d9fa504759652bc9944b894df1f8101a797a07211085
Instruction Fuzzy Hash: 1AE09B61F14D86C6DF598F55C4565E9B3B2BFC8F40B848136E60BC7614DE3CE9498B40

Function 00007FF665EF21D0 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF665EF2200

Part of subcall function 00007FF665EF2F7C: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF665EF2F85

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF665EF2206

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
String ID:
API String ID: 1173176844-0
Opcode ID: ac554a43d54612151bc7e480101717375080be3004ee5b366f50feb51e7139dd
Instruction ID: 20fb90cc00d4292da4db3150471f8c95bcd4fc4e53f0308a5babc259ff74f6dc
Opcode Fuzzy Hash: ac554a43d54612151bc7e480101717375080be3004ee5b366f50feb51e7139dd
Instruction Fuzzy Hash: 9DE0B640E1A287C1FF286261AE271B801600FA9B70E585730FA7E8D2C2AF1CAC918114

Function 00007FF665EFD90C Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL ref: 00007FF665EFD922
GetLastError.KERNEL32 ref: 00007FF665EFD934

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 7829e02dcbd74b51c5e196648e5aad52518f68633834b7095f7e5950a32ae739
Instruction ID: 28ae796a7d4b1453807b83ba310146ed02c12ab0c0df9b6be255d57114ffee15
Opcode Fuzzy Hash: 7829e02dcbd74b51c5e196648e5aad52518f68633834b7095f7e5950a32ae739
Instruction Fuzzy Hash: 5DE04668E09143C2FF09ABF2EA171B817B05FD4F50B088034E90ECF252EE3CAC818A01

Function 00007FF665EC33E4 Relevance: 1.8, APIs: 1, Instructions: 328COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EC388C

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 8948bb9802c6c0987d886fae829bf96634841c4c74bd64b8e97cfea881f89bd5
Instruction ID: 83a73215de7f8c8579ba99422a4a3134b9e206af4a9c201a2c86c9ab929ca305
Opcode Fuzzy Hash: 8948bb9802c6c0987d886fae829bf96634841c4c74bd64b8e97cfea881f89bd5
Instruction Fuzzy Hash: D0D18562B08681D6EF68CB25D7512BD6FB1FB49F84F040035EA6D8B7A5CF38E8618701

Function 00007FF665ED5294 Relevance: 1.7, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ED551B

Part of subcall function 00007FF665EE13F4: CompareStringW.KERNEL32 ref: 00007FF665EE145A

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: CompareString_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1017591355-0
Opcode ID: 60054bf23714923d6cf658706c57d8570bb270d346a0b8b9a17da1f048c8cd6a
Instruction ID: 6255f8e51d61ea7319495978f5ce59161664230d7da8b384b1d7677e955fac6b
Opcode Fuzzy Hash: 60054bf23714923d6cf658706c57d8570bb270d346a0b8b9a17da1f048c8cd6a
Instruction Fuzzy Hash: 4B619F51A1C647C1EE649A25EA1727A52B1EFC5FD4F144232FE4ECEAC9EE6CEC418201

Function 00007FF665EE1870 Relevance: 1.7, APIs: 1, Instructions: 172COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF665EDE948: ReleaseSemaphore.KERNEL32 ref: 00007FF665EDE974
Part of subcall function 00007FF665EDE948: CloseHandle.KERNELBASE ref: 00007FF665EDE993
Part of subcall function 00007FF665EDE948: DeleteCriticalSection.KERNEL32 ref: 00007FF665EDE9AA
Part of subcall function 00007FF665EDE948: CloseHandle.KERNEL32 ref: 00007FF665EDE9B7

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EE1ACB

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: CloseHandle$CriticalDeleteReleaseSectionSemaphore_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 904680172-0
Opcode ID: 706733c944098cb8a605eaf932642e2f84c02d8e7386b9a1576d55af7d044be2
Instruction ID: 62739e3f753cd913c76ac21d775ec3dcb1142fab57d684eab94914ca9e91e288
Opcode Fuzzy Hash: 706733c944098cb8a605eaf932642e2f84c02d8e7386b9a1576d55af7d044be2
Instruction Fuzzy Hash: 19614D62B266C5D2EE0CDBA5D6560BC7375FF80F94B544236E76D4FA85CF28E8A18300

Function 00007FF665ECEC9C Relevance: 1.6, APIs: 1, Instructions: 145COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ECEEB8

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 89b76225f611734f1827ebf27dd46062ec279a58f062f7148514824cdf62f394
Instruction ID: 604547cd6d2e6def4922d9117c8b0d7c5013afcc911c5a41602920c158faff52
Opcode Fuzzy Hash: 89b76225f611734f1827ebf27dd46062ec279a58f062f7148514824cdf62f394
Instruction Fuzzy Hash: 0151A562A08A82C4EE159B25D5473A96B71FB86FC4F440136FE6D8B396CF3DE885C340

Function 00007FF665ECE7A8 Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF665ED3EC8: FindClose.KERNELBASE(?,?,00000000,00007FF665EE0811), ref: 00007FF665ED3EFD

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ECE993

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: CloseFind_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1011579015-0
Opcode ID: 7ccb79097edba5c9ff264a6ea3acda2e11d4279ec26602cbe1bb149cda34522a
Instruction ID: cbcbaadd7cc549f67a34be6dd1beebed323a1692c5c4fd2178ee4c632217e70d
Opcode Fuzzy Hash: 7ccb79097edba5c9ff264a6ea3acda2e11d4279ec26602cbe1bb149cda34522a
Instruction Fuzzy Hash: 89514C62A08A86C1FE61CB24D68736D7775FB84F84F440276EA9D8F7A5DF2CE8418710

Function 00007FF665ED1794 Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ED187D

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: fa2a17a97775c6e4db7bd4990806455efc5e9f2c6fb18008f40fc3b9be66a623
Instruction ID: f2a09e20072e5e36f37b9d06b99b1ef6aced53a205bb77753b54099821181bfc
Opcode Fuzzy Hash: fa2a17a97775c6e4db7bd4990806455efc5e9f2c6fb18008f40fc3b9be66a623
Instruction Fuzzy Hash: 1041C462B18A8182EE18DA57EB41369A261ABC4FC0F448535FE4C8FF5ADF3CD8918300

Function 00007FF665ED2F58 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ED30C8

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: a8ea22521cea6cd4b61983f62ff8cdba4ac10663c0ba25c39cf8fdd3d1c97acc
Instruction ID: f4ece8dd9446ac7fd504062fa552dd83a0625aad012f8e84fbc36d7efbdcee7b
Opcode Fuzzy Hash: a8ea22521cea6cd4b61983f62ff8cdba4ac10663c0ba25c39cf8fdd3d1c97acc
Instruction Fuzzy Hash: 5041CE62A08A42C1EE149F29E64637963B1EBD8FD8F141235FA5D8B6D9DF3DE8408640

Function 00007FF665EFBDF8 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF665EFBE20

Part of subcall function 00007FF665EFBFB0: GetModuleHandleExW.KERNEL32 ref: 00007FF665EFBFD0
Part of subcall function 00007FF665EFBFB0: GetProcAddress.KERNEL32 ref: 00007FF665EFBFE6
Part of subcall function 00007FF665EFBFB0: FreeLibrary.KERNEL32 ref: 00007FF665EFC00B

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 5b4d6432c9ab27f48bf344f41163fa66ca8822e5b5ed34cf2c0174bd429b5c6d
Instruction ID: 8dae62f7c51ee0134cab5da35b587aedfa5cbbde37b4005826f285f773b9229f
Opcode Fuzzy Hash: 5b4d6432c9ab27f48bf344f41163fa66ca8822e5b5ed34cf2c0174bd429b5c6d
Instruction Fuzzy Hash: 6441BF22E28A56C2FF249B50EA521782379AF94F40F544436EA0DCF6A5DF3DEC44CB40

Function 00007FF665EC129C Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF665EC1396

Part of subcall function 00007FF665EC1F80: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF665EC1F89

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: Concurrency::cancel_current_taskstd::bad_alloc::bad_alloc
String ID:
API String ID: 680105476-0
Opcode ID: 41fe73495443f79e47f3f56e4fb3fe22cc61c7737b70dfa3b267077ac309d4e7
Instruction ID: ffb3736f587eb1455ba4df93f3c678d902c2e541a564ce8137e934c6136ab3bb
Opcode Fuzzy Hash: 41fe73495443f79e47f3f56e4fb3fe22cc61c7737b70dfa3b267077ac309d4e7
Instruction Fuzzy Hash: D121A322A08351C5EE189E95E6022796A60EB45FF4F690730EE7E8FBC1DF7CE8518344

Function 00007FF665F0124C Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF665F01280

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 9dd5a9e84c18447e56e2265fa04046f11d37b96b7f5b774ce3305aa6458b3f00
Instruction ID: 590bc459005b2a397ed1d35419e5e3055065059cf20315fba2cc7f3e54a59e2a
Opcode Fuzzy Hash: 9dd5a9e84c18447e56e2265fa04046f11d37b96b7f5b774ce3305aa6458b3f00
Instruction Fuzzy Hash: 2B117C3290C682C2E7109B90E95293973B5FB80B88F580136E68DCF691DF3CEC408F84

Function 00007FF665EC3AD8 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EC3B6C

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 454a1fcff6e1850c8b97cdd7684a735fd34d2cefc8bc4c1965818da2daadb151
Instruction ID: 670e733f4ebf0223f4db83a18a8f054fab1fa47a326a90c280b968367d77fe1f
Opcode Fuzzy Hash: 454a1fcff6e1850c8b97cdd7684a735fd34d2cefc8bc4c1965818da2daadb151
Instruction Fuzzy Hash: 46016562A18A85C1EE159728E54626D7372FBC9F94F505331F6AC4B6A5DF2CD8408704

Function 00007FF665EF1558 Relevance: 1.5, APIs: 1, Instructions: 38COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF665EF1604: GetModuleHandleW.KERNEL32(?,?,?,00007FF665EF1573,?,?,?,00007FF665EF192A), ref: 00007FF665EF162B

DloadProtectSection.DELAYIMP ref: 00007FF665EF15C9

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: DloadHandleModuleProtectSection
String ID:
API String ID: 2883838935-0
Opcode ID: 908f49ac33541a8240f4269ada82e733cc5c0c647bda27ab8868a2cee9a60ef3
Instruction ID: 81018cfb7b75302f8ce10db5f749adb57ae2ac7a357c46c83c684c5385b60fcc
Opcode Fuzzy Hash: 908f49ac33541a8240f4269ada82e733cc5c0c647bda27ab8868a2cee9a60ef3
Instruction Fuzzy Hash: 04117CE1D0868AC2FF549F95E9633742370AF94B58F540439D94DCF2A1EE3CAD958A40

Function 00007FF665ED3EC8 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF665ED40BC: FindFirstFileW.KERNELBASE ref: 00007FF665ED410B
Part of subcall function 00007FF665ED40BC: FindFirstFileW.KERNELBASE ref: 00007FF665ED415E
Part of subcall function 00007FF665ED40BC: GetLastError.KERNEL32 ref: 00007FF665ED41AF

FindClose.KERNELBASE(?,?,00000000,00007FF665EE0811), ref: 00007FF665ED3EFD

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: 18fe74ab7ca813274cb64c08179860cc48efc587ad39327f0b25563dc18ddab5
Instruction ID: 1676e900acc917536509c40d3fa50b75ea97fa1b4eb74db6bcce1c8ff40fc465
Opcode Fuzzy Hash: 18fe74ab7ca813274cb64c08179860cc48efc587ad39327f0b25563dc18ddab5
Instruction Fuzzy Hash: E7F04462508281C5DE609F75E3062B977709B99FB4F145335FA7D4B2C7CE28D844C745

Function 00007FF665EC1FA0 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EC1FFB

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 0fb954f495e7f9b02f6a3e94d6a46f68925db21b8932cab22a75c4798dbb9f44
Instruction ID: 8ddf8cf18e8014fed06c2980874ce8b8c18c463faf1988f9ccef03895c71f4e5
Opcode Fuzzy Hash: 0fb954f495e7f9b02f6a3e94d6a46f68925db21b8932cab22a75c4798dbb9f44
Instruction Fuzzy Hash: DCF09AA1B106C980EF189BA9D58A36C2362EF84F88F500421E75C8EA55DF6CD8808300

Function 00007FF665ED273C Relevance: 1.5, APIs: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE ref: 00007FF665ED2755

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: 182d9e1e92039184aab4081fafd09b1cf385b4bd914a3c272b872952a66d9790
Instruction ID: f1121bc4993304a760ad23c9bc451e5f67f8c0ab489cd006d7eaf00ee3b09161
Opcode Fuzzy Hash: 182d9e1e92039184aab4081fafd09b1cf385b4bd914a3c272b872952a66d9790
Instruction Fuzzy Hash: 0CE08C12A20915C2EF60AB2ACC636791330AF88F85B481031DE0C8B321CE28C8818A40

Function 00007FF665ED2490 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE ref: 00007FF665ED24A2

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: df9a28314c6b6fddfb177ebf539387614dcb0363737e1ba4f38fe55c4f903e1a
Instruction ID: aa48a4291a8bef7dc09206893172591209f2ff41e4acae46bd1969f6e05c8f62
Opcode Fuzzy Hash: df9a28314c6b6fddfb177ebf539387614dcb0363737e1ba4f38fe55c4f903e1a
Instruction Fuzzy Hash: 0CD01212D09451C2DD109735DD5303D2360AFE2B39FA40731EA3EC66E1CE2D9896A751

Function 00007FF665ED7FC4 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE ref: 00007FF665ED7FD2

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 176ab68ebee512dad0278907058cd855c5c44f8615b79807412a7d406b36e525
Instruction ID: 54bce7ca91a01e281825313830677e1f4d897b01557887ccfef764dd81aad396
Opcode Fuzzy Hash: 176ab68ebee512dad0278907058cd855c5c44f8615b79807412a7d406b36e525
Instruction Fuzzy Hash: 88C08C20F09502C1DE085B26C8CA11913B4BB80F04B648035D10CC6120CE3CC8EA9785

Function 00007FF665EFFA04 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 00007FF665EFFA59

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: c4d23aaef5024e3722ccbb242168b3e22d65bf63548bcaacbbf61b8d0a3ba7a1
Instruction ID: 0e4594c8acb9fe56e2825550755ebe9da1551fb78d1c15d5df1683dc0fad4d08
Opcode Fuzzy Hash: c4d23aaef5024e3722ccbb242168b3e22d65bf63548bcaacbbf61b8d0a3ba7a1
Instruction Fuzzy Hash: BFF04955F09A07C5FF545B61EB132B412B05FC4F80F486430E91ECE381EE2CEE818620

Function 00007FF665ED20D0 Relevance: 1.3, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,00000001,00007FF665ED207E), ref: 00007FF665ED20F6

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: ccbd9008d2c4ce7168f8d058ff2f34620ae6bf54bfe45a0cbca9d6a6f1a7c065
Instruction ID: 438cc10875521fc273e688cfd4ce9cbb2aa7f6d4f6697d3016e6d7d4bcf03187
Opcode Fuzzy Hash: ccbd9008d2c4ce7168f8d058ff2f34620ae6bf54bfe45a0cbca9d6a6f1a7c065
Instruction Fuzzy Hash: 56F08C22A08682C5FF248B20EA422792771EB64F79F488335EB3D8A1D4CF28DC958700

Function 00007FF665EFD94C Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 00007FF665EFD98A

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 5fa632deebd8181b9f3ea37834cf4eccbda839d7d0d6f948310c23224b4a93e7
Instruction ID: 14172d7e8ada26b78ebf106a49b88d0888906abe78ccec1a27823328ceb7ccf6
Opcode Fuzzy Hash: 5fa632deebd8181b9f3ea37834cf4eccbda839d7d0d6f948310c23224b4a93e7
Instruction Fuzzy Hash: 4BF0DA59B09246C6FF5456A1EB522B52AB05FC8FA0F485A30E96ECE2C1EE6CAC808511

Non-executed Functions

Function 00007FF665ECC2F0 Relevance: 49.8, APIs: 24, Strings: 4, Instructions: 754fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF665ECDE04: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF665ECCF4B), ref: 00007FF665ECDE27
Part of subcall function 00007FF665ECDE04: GetLastError.KERNEL32 ref: 00007FF665ECDE88
Part of subcall function 00007FF665ECDE04: CloseHandle.KERNEL32 ref: 00007FF665ECDE9B

wcscpy.LIBCMT ref: 00007FF665ECCBC8
wcscpy.LIBCMT ref: 00007FF665ECCBFE
CreateFileW.KERNEL32 ref: 00007FF665ECCC38
DeviceIoControl.KERNEL32 ref: 00007FF665ECCD01
CloseHandle.KERNEL32 ref: 00007FF665ECCD12
GetLastError.KERNEL32 ref: 00007FF665ECCD2E
RemoveDirectoryW.KERNEL32 ref: 00007FF665ECCD7D
DeleteFileW.KERNEL32 ref: 00007FF665ECCD88
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ECCE89
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ECCE8F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ECCE9B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ECCEA1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ECCEAD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ECCEB3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ECCEB9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ECCEBF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ECCEC5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ECCECB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ECCED1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ECCED7

Strings

\??\, xrefs: 00007FF665ECC392, 00007FF665ECC3B8
UNC\, xrefs: 00007FF665ECC53F, 00007FF665ECC55D
SeCreateSymbolicLinkPrivilege, xrefs: 00007FF665ECC34F
SeRestorePrivilege, xrefs: 00007FF665ECC343

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseErrorFileHandleLastwcscpy$ControlCreateCurrentDeleteDeviceDirectoryProcessRemove
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 2659423929-3508440684
Opcode ID: f1e6eec8ecbe5e09d381db8a89365ebfa2c377f5d47fbbeb23eb751c6f3faf25
Instruction ID: bbc900ca9f85d78fd5bf6e6685216b58ac9af5c63ee9817f9d2088fc675950f3
Opcode Fuzzy Hash: f1e6eec8ecbe5e09d381db8a89365ebfa2c377f5d47fbbeb23eb751c6f3faf25
Instruction Fuzzy Hash: E462C262F08682C5FF00DBB4D5462BD2771AB85BA4F505232EA7D9BAD5DF38E985C300

Function 00007FF665EDF180 Relevance: 43.2, APIs: 22, Strings: 2, Instructions: 1205COMMON

Download Yara Rule

APIs

_Init_thread_footer.LIBCMT ref: 00007FF665EE0528

Part of subcall function 00007FF665EDAAE0: LoadStringW.USER32 ref: 00007FF665EDAB67
Part of subcall function 00007FF665EDAAE0: LoadStringW.USER32 ref: 00007FF665EDAB80

Part of subcall function 00007FF665EEB0DC: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,00007FF665EE0429), ref: 00007FF665EEB110
Part of subcall function 00007FF665EEB0DC: SetLastError.KERNEL32 ref: 00007FF665EEB153

Part of subcall function 00007FF665EC129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF665EC1396

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EE0490
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EE0496
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EE049C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EE04A2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EE04A8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EE04AE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EE04B4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EE04BA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EE04C0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EE04C6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EE04CC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EE04D2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EE04D8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EE04DE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EE04E4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EE04EA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EE04F0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EE04F6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EE0532
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EE0538

Strings

%ls, xrefs: 00007FF665EDF3AC, 00007FF665EDF3FF
%s: %s, xrefs: 00007FF665EDFC11

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ErrorLastLoadString$Concurrency::cancel_current_taskInit_thread_footer
String ID: %ls$%s: %s
API String ID: 2539828978-2259941744
Opcode ID: 7531b1a8951024dce7d14e1856eeb041d056becd58a60b273f62812b6ec532c2
Instruction ID: b0b4396f864b03e9bf5ee15a755995e3010559d714c00e230d83a28c175f30da
Opcode Fuzzy Hash: 7531b1a8951024dce7d14e1856eeb041d056becd58a60b273f62812b6ec532c2
Instruction Fuzzy Hash: 4AB2B962E68682C1EE149B65E6561BE6331EFC5B90F105336F69D8B6D6DF3CE940C300

Function 00007FF665F02550 Relevance: 22.3, APIs: 8, Strings: 4, Instructions: 1310COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF665F02C12
memcpy_s.LIBCMT ref: 00007FF665F035BF
memcpy_s.LIBCMT ref: 00007FF665F03666

Part of subcall function 00007FF665F038BC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF665F038EE

memcpy_s.LIBCMT ref: 00007FF665F0372F

Part of subcall function 00007FF665EFD008: _invalid_parameter_noinfo.LIBCMT ref: 00007FF665EFD02D

Strings

1#QNAN, xrefs: 00007FF665F037E8
1#INF, xrefs: 00007FF665F03807
1#SNAN, xrefs: 00007FF665F037C9
1#IND, xrefs: 00007FF665F037AA

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfomemcpy_s
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 1759834784-2761157908
Opcode ID: c1568b5568d689d261f1f0b975b9c1104ab10acfc5286cd5346a40821ab4f9bc
Instruction ID: 45fcf3fea896abcee81a56544bdf403e632d47567d576b78310b19f90f53fd96
Opcode Fuzzy Hash: c1568b5568d689d261f1f0b975b9c1104ab10acfc5286cd5346a40821ab4f9bc
Instruction Fuzzy Hash: 7BB20A72A08182CBE7658E25D951BFD37B1FB84B88F545136DA099BB84DF39ED048F80

Function 00007FF665ED1A48 Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 375fileCOMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32 ref: 00007FF665ED1A97
GetLongPathNameW.KERNEL32 ref: 00007FF665ED1AE0
GetShortPathNameW.KERNEL32 ref: 00007FF665ED1B21
GetShortPathNameW.KERNEL32 ref: 00007FF665ED1B6A

Part of subcall function 00007FF665EE13C4: CompareStringW.KERNEL32 ref: 00007FF665EE13E3

MoveFileW.KERNEL32 ref: 00007FF665ED1DFE
MoveFileW.KERNEL32 ref: 00007FF665ED1E65

Part of subcall function 00007FF665ED2134: CreateFileW.KERNEL32 ref: 00007FF665ED223C

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ED1FE1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ED1FE7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ED1FED

Strings

rtmp, xrefs: 00007FF665ED1CF4, 00007FF665ED1D03

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: NamePath$File_invalid_parameter_noinfo_noreturn$LongMoveShort$CompareCreateString
String ID: rtmp
API String ID: 3587137053-870060881
Opcode ID: 6844fc52beb637c2b27de38a8f1773b81546f1263b6adb3febe2d016913ca72a
Instruction ID: 65824ef97b8f70f97ac8464eafe6885110d20220ce7911cd0accba145d3e8200
Opcode Fuzzy Hash: 6844fc52beb637c2b27de38a8f1773b81546f1263b6adb3febe2d016913ca72a
Instruction Fuzzy Hash: 14F1B322B08A82C1EF14DBA5D9421BD6771EBD5BC4F501232FA4D8BAA9DF3CD984C740

Function 00007FF665ED5B60 Relevance: 12.3, APIs: 8, Instructions: 256COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32 ref: 00007FF665ED5BC2
GetFullPathNameW.KERNEL32 ref: 00007FF665ED5C0E
GetFullPathNameW.KERNEL32 ref: 00007FF665ED5D2B
GetFullPathNameW.KERNEL32 ref: 00007FF665ED5D70
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ED5EE0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ED5EE6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ED5EEC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ED5EF2

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: FullNamePath_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1693479884-0
Opcode ID: b93ad2ce8aad967ae532d61f25a7d43417873e191935b00f4afba2dee12255a3
Instruction ID: 2a8e3ff46df7ab6a929664058dcd35594b5de1b2d5c6b894252bf42bea727763
Opcode Fuzzy Hash: b93ad2ce8aad967ae532d61f25a7d43417873e191935b00f4afba2dee12255a3
Instruction Fuzzy Hash: F3A1A062F15A52C4FF109B79DA461BC2331AB85FA4B545336EE2D9BBC9DE3CE8418200

Function 00007FF665EF3170 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF665EF318C
RtlCaptureContext.KERNEL32 ref: 00007FF665EF31B9
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF665EF31D3
RtlVirtualUnwind.KERNEL32 ref: 00007FF665EF3214
IsDebuggerPresent.KERNEL32 ref: 00007FF665EF3268
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF665EF3289
UnhandledExceptionFilter.KERNEL32 ref: 00007FF665EF3294

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: eb4060bcbbf6947450414bc0ac192b8da1feec02df413969c5a674799d26ef14
Instruction ID: d4b27491aa08dd3236bd752d8aa8f60f8d815ad027bbb7f2fd9b2b72cd946a5f
Opcode Fuzzy Hash: eb4060bcbbf6947450414bc0ac192b8da1feec02df413969c5a674799d26ef14
Instruction Fuzzy Hash: D0311272609B81CAEB649F64E8513ED7374FB88B44F44443ADA4D8BB99DF38D948C710

Function 00007FF665EF76D8 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF665EF7751
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF665EF7769
RtlVirtualUnwind.KERNEL32 ref: 00007FF665EF77A4
IsDebuggerPresent.KERNEL32 ref: 00007FF665EF77DD
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF665EF77E7
UnhandledExceptionFilter.KERNEL32 ref: 00007FF665EF77F2

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 5940ef1d6d2c32beaf7af9e8e0892e721e3d30544378453b8f42f9f5775f8da8
Instruction ID: 44173ec1c236cbd5400088231d335625473da9504a17b7add3f7b943511034c0
Opcode Fuzzy Hash: 5940ef1d6d2c32beaf7af9e8e0892e721e3d30544378453b8f42f9f5775f8da8
Instruction Fuzzy Hash: 7A316D36618B81C6EB608F25E8512AE73B0FBC8B54F540136EA8D87B99DF38D945CB00

Function 00007FF665EC1AA4 Relevance: 6.3, APIs: 4, Instructions: 285COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EC1EA9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EC1EAF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EC1EB5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EC1EBB

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: fb96d10bca390bfec114724123450dd1eda7456c883d7babf62e98013e8dd4f7
Instruction ID: cc31d4d6d65bd48c560fbd2f93020358294334ff41fc5e4ae57b46073b181f15
Opcode Fuzzy Hash: fb96d10bca390bfec114724123450dd1eda7456c883d7babf62e98013e8dd4f7
Instruction Fuzzy Hash: 98B1CF62B14A86C6EF149BA5D9422ED2771FF85B84F505231FA6D8BB99DF3CD940C300

Function 00007FF665EFFA94 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF665EFFAC4

Part of subcall function 00007FF665EF7934: GetCurrentProcess.KERNEL32(00007FF665F00CCD), ref: 00007FF665EF7961

Strings

., xrefs: 00007FF665EFFEE4
*?, xrefs: 00007FF665EFFAEB

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: CurrentProcess_invalid_parameter_noinfo
String ID: *?$.
API String ID: 2518042432-3972193922
Opcode ID: f96344909874f118cd7fc652812aee2de17a0b901a5c412331694f6fbd6e8fc4
Instruction ID: f9aeb3d00ad8fa3d0f5ab9d371ddc8b131951e1a908adbb6e428a931ef5a2dc7
Opcode Fuzzy Hash: f96344909874f118cd7fc652812aee2de17a0b901a5c412331694f6fbd6e8fc4
Instruction Fuzzy Hash: BF51C462B14A9581EF10DFA1E6124BD67B5FB84FD8B444531EE2D9BB85EE3CD841C300

Function 00007FF665F02080 Relevance: 4.8, APIs: 3, Instructions: 340COMMONLIBRARYCODE

Download Yara Rule

APIs

memcpy_s.LIBCMT ref: 00007FF665F0210B

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: b531b63a04a12e36dec63d06dc2411054f876835da8b044adf2bb9f605172619
Instruction ID: cc9386c216572b3ca55373eeb3df800e8aeae0f775778f2b8714a78e46c1a8d2
Opcode Fuzzy Hash: b531b63a04a12e36dec63d06dc2411054f876835da8b044adf2bb9f605172619
Instruction Fuzzy Hash: E7D1C232B18286C7EB74CF15E59566AB7A1F788B84F188135CB4E9BB44DE3DEC418B40

Function 00007FF665ECB6D8 Relevance: 4.5, APIs: 3, Instructions: 36windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,?,00007FF665ECBA9D), ref: 00007FF665ECB6E5
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,00007FF665ECBA9D), ref: 00007FF665ECB719
LocalFree.KERNEL32(?,?,?,?,?,?,?,00007FF665ECBA9D), ref: 00007FF665ECB743

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID:
API String ID: 1365068426-0
Opcode ID: c27e05edbcf0c556cf9f4b9f4aa6354f64d9dc72ff0f252d3a2ededa039666af
Instruction ID: c95960ddf8d0d48625d4a9f6110033d02734c1014ad37c3bfb78ed9351087148
Opcode Fuzzy Hash: c27e05edbcf0c556cf9f4b9f4aa6354f64d9dc72ff0f252d3a2ededa039666af
Instruction Fuzzy Hash: B601EC72A08742C2EB109F22F95117A67A5BB89BC0F484135EE9E8BB49CF3CD9058F44

Function 00007FF665EFFCA0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

., xrefs: 00007FF665EFFEE4

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 7c9d8364e7b62915daf92aecf888b4814fe01b6aae5fc02ec6e7aa2f3019df5b
Instruction ID: 1df69dfecc8bf23eb0cb7ae6388f94ff2affde4f58b147a6eacb05809d7616bd
Opcode Fuzzy Hash: 7c9d8364e7b62915daf92aecf888b4814fe01b6aae5fc02ec6e7aa2f3019df5b
Instruction Fuzzy Hash: FE310E61B1469185EB209B36E9067A96A61ABD4FE4F148235EE6C8BBC5CE3CD901C300

Function 00007FF665F05AF8 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF665F05D45
RaiseException.KERNEL32 ref: 00007FF665F05D56

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 131550a8e914c8a4384a7255cc8ec53066b4dff0b7ecc1394be8dfb6b4310eca
Instruction ID: 166089503af689650e4c5de08580261db3651560ff9806bcdbf859697ed08cc3
Opcode Fuzzy Hash: 131550a8e914c8a4384a7255cc8ec53066b4dff0b7ecc1394be8dfb6b4310eca
Instruction Fuzzy Hash: D6B14C73605B85CAEB15CF29C4563683BB0F744F58F198922DA5D8B7A8CF79D851CB00

Function 00007FF665EE8DF4 Relevance: 3.2, APIs: 2, Instructions: 186COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF665EE85E0: GetDC.USER32 ref: 00007FF665EE85EC
Part of subcall function 00007FF665EE85E0: GetDeviceCaps.GDI32 ref: 00007FF665EE85FD
Part of subcall function 00007FF665EE85E0: ReleaseDC.USER32 ref: 00007FF665EE860A

GetObjectW.GDI32 ref: 00007FF665EE8E48

Part of subcall function 00007FF665EE90B0: GetDC.USER32 ref: 00007FF665EE90D9
Part of subcall function 00007FF665EE90B0: GetObjectW.GDI32 ref: 00007FF665EE9107
Part of subcall function 00007FF665EE90B0: ReleaseDC.USER32 ref: 00007FF665EE91BB

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID:
API String ID: 1061551593-0
Opcode ID: 68dbe16693602acb82a0a9c061fd0d735b77194d41f4ab9e90264308bb487059
Instruction ID: 4ce9f7db0c5168930f9bcaf38099328d070a6f54d0fefc863443b7dc52f876b1
Opcode Fuzzy Hash: 68dbe16693602acb82a0a9c061fd0d735b77194d41f4ab9e90264308bb487059
Instruction Fuzzy Hash: CC811766B18A45C6EB208F6AE8516AD3771FB88F98F044132DE0D9B728DF38D945C780

Function 00007FF665EEA2CC Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32 ref: 00007FF665EEA315
GetNumberFormatW.KERNEL32 ref: 00007FF665EEA371

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: a0c8fcaef59427837b2a7c7753e3d717a8442860a15e47712294eddcbb527c28
Instruction ID: 44f6bb4bc5ec90b5c6773c7f0b874fc9e6219e1798da1a646e5c2c1bc6064b9a
Opcode Fuzzy Hash: a0c8fcaef59427837b2a7c7753e3d717a8442860a15e47712294eddcbb527c28
Instruction Fuzzy Hash: 24114A72A19B81D5E7618B51E8123A97370FF88B84F844135EA4D8B758DF3CD945CB44

Function 00007FF665ED126C Relevance: 1.7, APIs: 1, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF665ED24C0: CreateFileW.KERNELBASE ref: 00007FF665ED259B
Part of subcall function 00007FF665ED24C0: GetLastError.KERNEL32 ref: 00007FF665ED25AE
Part of subcall function 00007FF665ED24C0: CreateFileW.KERNEL32 ref: 00007FF665ED260E
Part of subcall function 00007FF665ED24C0: GetLastError.KERNEL32 ref: 00007FF665ED2617

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ED15D0

Part of subcall function 00007FF665ED3980: MoveFileW.KERNEL32 ref: 00007FF665ED39BD
Part of subcall function 00007FF665ED3980: MoveFileW.KERNEL32 ref: 00007FF665ED3A34

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: File$CreateErrorLastMove$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 34527147-0
Opcode ID: b6c9c40237190830a1427cc90f699f3ed679a8c4b0b9819d305839f030af1316
Instruction ID: 7ddb15524e52db58fd79331a47942fe6529fd72ae82ca32910c5e33136aff713
Opcode Fuzzy Hash: b6c9c40237190830a1427cc90f699f3ed679a8c4b0b9819d305839f030af1316
Instruction Fuzzy Hash: CB91AC22B18A42C2EE14DBA6DA462AE6371FB94FC4F401132FE4D8BA95DE3CD945C340

Function 00007FF665ED51A4 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32 ref: 00007FF665ED51D5

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 6220f8f0736b52f52a4f9f0684f7fcd1da0b773ba531a70ae5974f71c0de4052
Instruction ID: a7e1e6d3f2426b9118cdfc69c93bf4427f678eec1e52f3e46f73de48532a680c
Opcode Fuzzy Hash: 6220f8f0736b52f52a4f9f0684f7fcd1da0b773ba531a70ae5974f71c0de4052
Instruction Fuzzy Hash: 2001D7B2909682CBE6648B10E85277A33B2FBD8B14F500235E65E8B794DF3CE9058E00

Function 00007FF665EF8C1C Relevance: 1.5, Strings: 1, Instructions: 219COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 00007FF665EF8DD3

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: 0fbd957179d89af9e1d3453d65279f22830f04fe064c784c04e338e6c7bf3646
Instruction ID: 4e6f1cbdfab962125ce0e71d5659dee1d7a689e1b530f8e8e3b4950f6b85d6a0
Opcode Fuzzy Hash: 0fbd957179d89af9e1d3453d65279f22830f04fe064c784c04e338e6c7bf3646
Instruction Fuzzy Hash: D381E062B1C242C2EFA88A16E64267922B4AFE1F48F141531FD49CF695CF3EEC01C201

Function 00007FF665EF89A0 Relevance: 1.4, Strings: 1, Instructions: 199COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 00007FF665EF8B3A

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: a261a21fa45f21d734edfefcd2ffe271b1157111beaf653bc061adca1a26389c
Instruction ID: 702a0661d9eb10728c80c20d2da429fc50b4368ead63f5f4274a3f70ad6977ce
Opcode Fuzzy Hash: a261a21fa45f21d734edfefcd2ffe271b1157111beaf653bc061adca1a26389c
Instruction Fuzzy Hash: 4471C262E0CA42C6EFA88A1AE24227D23B1DFC1F44F145531ED49CF696CE2DEC468751

Function 00007FF665EDC96C Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

gj, xrefs: 00007FF665EDC97B

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: 226aa63bfce789330e15763d8953fb7d553c3450d9c1aa6f260de1088bdface5
Instruction ID: 4e3aac7b5edab63aa194f05965d2c7577d4d138dbf42289d3f65bda5b28b7957
Opcode Fuzzy Hash: 226aa63bfce789330e15763d8953fb7d553c3450d9c1aa6f260de1088bdface5
Instruction Fuzzy Hash: 85518F37B286908BD724CF25E401A9AB3B5F388798F455126EF4A97B09CF39E945CF40

Function 00007FF665EFC838 Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

@, xrefs: 00007FF665EFC874

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 49e7fa989fc271adaa8e130b28d1cae0d9f82f392019a5f874cdac11a507a941
Instruction ID: 7024887bfb1962128411407fca35838e5db19d02036c579f75be22a13c06ef3c
Opcode Fuzzy Hash: 49e7fa989fc271adaa8e130b28d1cae0d9f82f392019a5f874cdac11a507a941
Instruction Fuzzy Hash: 3141BD72718A44C6EF08CF2AE5162A973A1A798FD0B5DA036EE0D8B754DE3CD842C340

Function 00007FF665F00D20 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF665F00D24

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 4ce929ddb23f73c0a8458b43b9ad49d4d7e2a2f746430c3d48bba7e89996d797
Instruction ID: 8b18e3b2d542b5da9909e83ab0aa377fc6d3c864802e23968e2973a3f1193270
Opcode Fuzzy Hash: 4ce929ddb23f73c0a8458b43b9ad49d4d7e2a2f746430c3d48bba7e89996d797
Instruction Fuzzy Hash: F1B09220E17A46C2EA082B51AE9325423B4BF88B00F988039C10CC7320DE3C28E54B00

Function 00007FF665EE3964 Relevance: .9, Instructions: 931COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93e830777a8553980f5fe243353a36f6d8d27a5fc8052bc9569f2c684e316ecf
Instruction ID: 0bf484ff3e9107a1b91b11f9589076905de371115b3d26127a219edc0d6a91b8
Opcode Fuzzy Hash: 93e830777a8553980f5fe243353a36f6d8d27a5fc8052bc9569f2c684e316ecf
Instruction Fuzzy Hash: 6482F4A2A196C1C6DB15CF24D5062BC7BB1E755F88F198136EA8E8B395DE3CE845C310

Function 00007FF665EC76C0 Relevance: .9, Instructions: 893COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb6bb4a62616f0bcd3e2e2126cd32946fe2ad160a7c0dbd4e5bd03ed1428d6a6
Instruction ID: 40d340103f1ca7803457190884ca09876645c7fe5423351b258246aa76cf026c
Opcode Fuzzy Hash: fb6bb4a62616f0bcd3e2e2126cd32946fe2ad160a7c0dbd4e5bd03ed1428d6a6
Instruction Fuzzy Hash: 27628E9AD3AF9A1EE303A53954131D2E35C0EF74C9551E31BFCE431E66EB92A6832314

Function 00007FF665EE53F0 Relevance: .9, Instructions: 891COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 569adc29ececf777b1726fc3f5cd67d4b9927b4b604ee9515eb09b13eba64041
Instruction ID: 427be36beb17568822c9961177044b1dcc063f39b692c51144e373853a447222
Opcode Fuzzy Hash: 569adc29ececf777b1726fc3f5cd67d4b9927b4b604ee9515eb09b13eba64041
Instruction Fuzzy Hash: DF8210B3A196C18ADB24CF28D6056FC7BB1E755F48F088136EA4E8B789DE3C9845C710

Function 00007FF665EDBB90 Relevance: .6, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffdf8f5a64276e3eb417e3b9ae5b43350349d41efb04db03fca9f8ba9e24336f
Instruction ID: 40279294a4350a2f3e73c2d31ba5f63de193d97e01bfa6b42f68d4ad9aa15505
Opcode Fuzzy Hash: ffdf8f5a64276e3eb417e3b9ae5b43350349d41efb04db03fca9f8ba9e24336f
Instruction Fuzzy Hash: 6D22E3B3B246508BD728CF25D89AA5E3766F798744B4B8228DF0ACB785DF38D505CB40

Function 00007FF665EE4B98 Relevance: .6, Instructions: 578COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21143e83615dcc23e36b64f0d60848ac948cba63854c17a605a1a3ec217f9251
Instruction ID: ee317122851093af8296d042b318293ec0eead1b9fb59c46dae79d967ed51d28
Opcode Fuzzy Hash: 21143e83615dcc23e36b64f0d60848ac948cba63854c17a605a1a3ec217f9251
Instruction Fuzzy Hash: 5332A272A14691CBEB18CF24D651ABC37B1F754B48F05813AEA4A9BB88DF3CAC55C740

Function 00007FF665EC7288 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 063370d9e2e9571dc593e8358d008e0ec5385ad0435e9f2f5019d46da215c13b
Instruction ID: 4b8feaca57192e1fa2f3f7bd5a476816d3095b85d258e5017b55d3b9321a4a9c
Opcode Fuzzy Hash: 063370d9e2e9571dc593e8358d008e0ec5385ad0435e9f2f5019d46da215c13b
Instruction Fuzzy Hash: DAC18DB7B281908FE350CF7AE400A9D3BB1F39878CB519125EF59A7B09D639DA45CB40

Function 00007FF665EE2D58 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 602477e063b5c1ca901f2159ae3c7fc010244aaa433e93e1960e83d539d05e76
Instruction ID: cbe54c7d4af6c36c990f1cc08f53a82c699d7b2eef1b8923222f56a2064e903a
Opcode Fuzzy Hash: 602477e063b5c1ca901f2159ae3c7fc010244aaa433e93e1960e83d539d05e76
Instruction Fuzzy Hash: 5BA12773A181D2C6EF25CE28DA067BD27A1EBA4B44F454635EA899F785DE3CEC41C700

Function 00007FF665EDAF18 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3f156a61251d3696a660eff3e2c5499dd818c979554cbf7ea7c30eccab92618
Instruction ID: b9b3f9dffa7dbda23e801036b4a7884ab3c755dc7e547ed594a1d399c224ed0e
Opcode Fuzzy Hash: e3f156a61251d3696a660eff3e2c5499dd818c979554cbf7ea7c30eccab92618
Instruction Fuzzy Hash: 37C13773A291E08DE302CBB5E4208FD3FF5E75E70DB4A4251EF9656B4AD6285201DF20

Function 00007FF665ECA310 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: ba0d91b71a6ba36ace61fab0c0f7d4922daa1e3f8d028e3e8b3457ff5b2a4fa0
Instruction ID: 22703a3a0c153a8a1a8454c01004c86793af249de26c185d5405d3a4944c07e0
Opcode Fuzzy Hash: ba0d91b71a6ba36ace61fab0c0f7d4922daa1e3f8d028e3e8b3457ff5b2a4fa0
Instruction Fuzzy Hash: 6F91FE62B1858196EF11CF29E5522ED6731FF95B88F441131FE4E8BA49EF38EA46C700

Function 00007FF665EDB534 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfd80b8924012b3a81ce264cde7180753b201b1e387c519ebd9873ce58afa85e
Instruction ID: cd6dae3266ffaf422361bdd27fd0af160862a68bb9f14dd9f319e783e9732ff2
Opcode Fuzzy Hash: cfd80b8924012b3a81ce264cde7180753b201b1e387c519ebd9873ce58afa85e
Instruction Fuzzy Hash: 8E613463F081D189EF01CF75C6014FD7BB5A789B84B458232EE9A9B646EE39E905CF10

Function 00007FF665EE21D0 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8137a9b05b05aada6fbcd6bbdda66db02b1ef4637fe403d2df7c72722ebbdea5
Instruction ID: cfa7b3bd5c8cafec9499819ed62f9d38f5b3d917661786a1857140517a11dc3a
Opcode Fuzzy Hash: 8137a9b05b05aada6fbcd6bbdda66db02b1ef4637fe403d2df7c72722ebbdea5
Instruction Fuzzy Hash: A5510673B281928BEB298F24EA0576D3761F7A4F44F454134EB498B688DE3DDD41CB00

Function 00007FF665EE2AB0 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525267a7f117e2089c634eae81b531c40420bccc1aa688f1dd99d62513960580
Instruction ID: d7a285202572b82403cafd788085598238168b668d573e41a8df6be712e0457e
Opcode Fuzzy Hash: 525267a7f117e2089c634eae81b531c40420bccc1aa688f1dd99d62513960580
Instruction Fuzzy Hash: D731A6A2A185828BEB18DF1ADA5227E77E1B795744F048139EF4ACB741DE7CE841CB00

Function 00007FF665F058E0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20052d42666034676028b01d15d2cffdefdd266dec7e2dd0f98b8d8f07818195
Instruction ID: 47c0c61ae4000515960db6033a2bcf4f18810b57a16389c1fb51008835f4c5c3
Opcode Fuzzy Hash: 20052d42666034676028b01d15d2cffdefdd266dec7e2dd0f98b8d8f07818195
Instruction Fuzzy Hash: 48F062B2B18295CBDBA48F69E84362977E0F708780F84843DD68DC7B04DE3C98A08F04

Function 00007FF665EF3354 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57e15d0ab639cfe726454a8769b7378f2b682ff734fe90589bfb13db1bf513a
Instruction ID: eeeb9f26b7629571efa4b902a302e200d4e139c10ed985851ab99db7142989ad
Opcode Fuzzy Hash: e57e15d0ab639cfe726454a8769b7378f2b682ff734fe90589bfb13db1bf513a
Instruction Fuzzy Hash: 67A0026194DC42D0EB48CB14F9720712330FBD4B00B940032F15DCA0A4DF3CAC01C741

Function 00007FF665ECD7D0 Relevance: 26.3, APIs: 1, Strings: 14, Instructions: 98COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ECD964

Strings

::$LOGGED_UTILITY_STREAM, xrefs: 00007FF665ECD85F
:$TXF_DATA:$LOGGED_UTILITY_STREAM, xrefs: 00007FF665ECD875
::$EA_INFORMATION, xrefs: 00007FF665ECD828
::$BITMAP, xrefs: 00007FF665ECD807
:$I30:$INDEX_ALLOCATION, xrefs: 00007FF665ECD849
::$INDEX_ROOT, xrefs: 00007FF665ECD854
::$EA, xrefs: 00007FF665ECD81D
::$REPARSE_POINT, xrefs: 00007FF665ECD88B
:$EFS:$LOGGED_UTILITY_STREAM, xrefs: 00007FF665ECD86A
::$ATTRIBUTE_LIST, xrefs: 00007FF665ECD7FC
::$DATA, xrefs: 00007FF665ECD812
::$FILE_NAME, xrefs: 00007FF665ECD833
::$OBJECT_ID, xrefs: 00007FF665ECD880
::$INDEX_ALLOCATION, xrefs: 00007FF665ECD83E

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: :$EFS:$LOGGED_UTILITY_STREAM$:$I30:$INDEX_ALLOCATION$:$TXF_DATA:$LOGGED_UTILITY_STREAM$::$ATTRIBUTE_LIST$::$BITMAP$::$DATA$::$EA$::$EA_INFORMATION$::$FILE_NAME$::$INDEX_ALLOCATION$::$INDEX_ROOT$::$LOGGED_UTILITY_STREAM$::$OBJECT_ID$::$REPARSE_POINT
API String ID: 3668304517-727060406
Opcode ID: 74d68d42448b2834d40d390ad32eed462d68e051ec4e29c63c0154d737a3ceed
Instruction ID: 243a676b72c0af055af2d966217bede5e1f718fdd6ca24b0ad4eb2ecba75c807
Opcode Fuzzy Hash: 74d68d42448b2834d40d390ad32eed462d68e051ec4e29c63c0154d737a3ceed
Instruction Fuzzy Hash: 6F411876B06F41D9EB009B60E9523E833B5EB48B98F440136DA5D8B768EF38D955C780

Function 00007FF665EF2A10 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 61libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF665EF2A26
GetModuleHandleW.KERNEL32 ref: 00007FF665EF2A33
GetModuleHandleW.KERNEL32 ref: 00007FF665EF2A48
GetProcAddress.KERNEL32 ref: 00007FF665EF2A60
GetProcAddress.KERNEL32 ref: 00007FF665EF2A73
CreateEventW.KERNEL32 ref: 00007FF665EF2A9F
DeleteCriticalSection.KERNEL32 ref: 00007FF665EF2AEB
CloseHandle.KERNEL32 ref: 00007FF665EF2AFD

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00007FF665EF2A2C
WakeAllConditionVariable, xrefs: 00007FF665EF2A66
SleepConditionVariableCS, xrefs: 00007FF665EF2A56
kernel32.dll, xrefs: 00007FF665EF2A41

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2565136772-3242537097
Opcode ID: 6e1e709f092c3aabc6fb1c9db3d7c09c3ef1a4a7bf2af41e7ac9402dec2f511f
Instruction ID: 684dd770424716a16ab4b4010fe9ddd9f46bab7d01532c1ef2306d625aeb4a12
Opcode Fuzzy Hash: 6e1e709f092c3aabc6fb1c9db3d7c09c3ef1a4a7bf2af41e7ac9402dec2f511f
Instruction Fuzzy Hash: CB21C960E19B83C1EF559B51FD6617423B0AF98F80F984435D90ECB6A0DF3CAC458A50

Function 00007FF665ED6A0C Relevance: 16.2, APIs: 6, Strings: 3, Instructions: 444COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ED70A6

Part of subcall function 00007FF665EC2004: std::_Xinvalid_argument.LIBCPMT ref: 00007FF665EC200F

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ED70B2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ED70B8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ED70C4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ED70D6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ED70DC

Strings

UNC, xrefs: 00007FF665ED6BBF
DXGIDebug.dll, xrefs: 00007FF665ED6A18
\\?\, xrefs: 00007FF665ED6A57, 00007FF665ED6A66

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Xinvalid_argumentstd::_
String ID: DXGIDebug.dll$UNC$\\?\
API String ID: 4097890229-4048004291
Opcode ID: 49a63e71edebf0e47042e7ea65e43b03e9a3fa67d865ab852c8f354cac801883
Instruction ID: fee3063451429c1f07796c47a384bd8fa95d19a4002a99c67f648dd1478ccdcc
Opcode Fuzzy Hash: 49a63e71edebf0e47042e7ea65e43b03e9a3fa67d865ab852c8f354cac801883
Instruction Fuzzy Hash: 3A12AE22B08A42C4EF10DF65E5461AD6371EB81F88F504236EA6D8BBE9DF3CD945C340

Function 00007FF665EEA440 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 257COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF665EC129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF665EC1396

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EEA72F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EEA735
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EEA73B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EEA741
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EEA747
EndDialog.USER32 ref: 00007FF665EEA7BA

Strings

Software\WinRAR SFX, xrefs: 00007FF665EEA52B, 00007FF665EEA53A
GETPASSWORD1, xrefs: 00007FF665EEA773

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskDialog
String ID: GETPASSWORD1$Software\WinRAR SFX
API String ID: 431506467-1315819833
Opcode ID: d8322a208530c57668d9ab0bd9eeb9a998ed53718cd7cec1bf797515a4396991
Instruction ID: 41168798473ba9450487d43ac150004d8822770613a1b8491771faa73a39dcc7
Opcode Fuzzy Hash: d8322a208530c57668d9ab0bd9eeb9a998ed53718cd7cec1bf797515a4396991
Instruction Fuzzy Hash: E1B1B062F59782C5FF00DBA4D54A2BC2372AB85B94F404235EA5C6BAD9DF3CE845C344

Function 00007FF665EE6E80 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 204memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF665EE7E9B), ref: 00007FF665EE7080
CreateStreamOnHGlobal.COMBASE ref: 00007FF665EE70B1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EE717B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EE7181
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EE7187

Strings

</html>, xrefs: 00007FF665EE6F72, 00007FF665EE6F81
<html>, xrefs: 00007FF665EE6F13
<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 00007FF665EE6F2C, 00007FF665EE6F3B
<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>, xrefs: 00007FF665EE6ED5, 00007FF665EE6EE4

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Global$AllocCreateStream
String ID: </html>$<html>$<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 2868844859-1533471033
Opcode ID: 99020ba5446ec8b5071b5be278ebc62a02c6a64c5a04705e5c2bdc59161e89ed
Instruction ID: 5aedf009b76fa13121ca405b0a84bd64f246dc0cf295f4f7a550a61e3b6f3d95
Opcode Fuzzy Hash: 99020ba5446ec8b5071b5be278ebc62a02c6a64c5a04705e5c2bdc59161e89ed
Instruction Fuzzy Hash: 06818162F18B82C5FF00DBA5DA521ED2371AF84B94F444136EE1D9B69AEF38D906C340

Function 00007FF665EFE650 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 117COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF665EFE7CD

Strings

nan(ind), xrefs: 00007FF665EFE706
NAN(IND), xrefs: 00007FF665EFE6FB
nan(snan), xrefs: 00007FF665EFE6F0
nan, xrefs: 00007FF665EFE6B8
INF, xrefs: 00007FF665EFE6C3
NAN(SNAN), xrefs: 00007FF665EFE6E5
inf, xrefs: 00007FF665EFE6D6
NAN, xrefs: 00007FF665EFE6B1

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
API String ID: 3215553584-2617248754
Opcode ID: ca8329083cbd7a022b2adefca7a3bb58d0ae1dff90efa4c28dbe4d3f14657870
Instruction ID: 6ea8f70fea362fa0f8e8a7c7aec206954a400df0c32d1147f45a9b9927e307c5
Opcode Fuzzy Hash: ca8329083cbd7a022b2adefca7a3bb58d0ae1dff90efa4c28dbe4d3f14657870
Instruction Fuzzy Hash: 4A41CE72A0AB45C9FB40CF24E8527AD37B5EB54B94F054136EE4C8BB94DE38D425C384

Function 00007FF665EEF390 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 85windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32 ref: 00007FF665EEF3CF
GetClassNameW.USER32 ref: 00007FF665EEF3FC
GetWindowLongPtrW.USER32 ref: 00007FF665EEF41D
SendMessageW.USER32 ref: 00007FF665EEF437
GetObjectW.GDI32 ref: 00007FF665EEF452
SendMessageW.USER32 ref: 00007FF665EEF487
DeleteObject.GDI32 ref: 00007FF665EEF490
GetWindow.USER32 ref: 00007FF665EEF49E

Strings

STATIC, xrefs: 00007FF665EEF402

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassDeleteLongName
String ID: STATIC
API String ID: 2845197485-1882779555
Opcode ID: 028936735c5caa7e1c5955390d3996a5d13f8d6e72d7f98742e6e6c768b0ab82
Instruction ID: c4cc6ea152f91e336f0fb83d10f206a5c2f2260edc841688f83afd3812fbef19
Opcode Fuzzy Hash: 028936735c5caa7e1c5955390d3996a5d13f8d6e72d7f98742e6e6c768b0ab82
Instruction Fuzzy Hash: 96317275B18683C6FE609B61E6567B923B1AB89F80F540430EE4D8BB95DE3CDC068B40

Function 00007FF665EEAE90 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

LICENSEDLG, xrefs: 00007FF665EEAEAE

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: ItemTextWindow
String ID: LICENSEDLG
API String ID: 2478532303-2177901306
Opcode ID: 35fefc179f922e98870b8a3b257cf5e504c5ed53f195972dc606f5139ed8380b
Instruction ID: 2e13fd1303ad000a9be8ef68a3f5a970eef82af78b08f519e87cd0624f10d98b
Opcode Fuzzy Hash: 35fefc179f922e98870b8a3b257cf5e504c5ed53f195972dc606f5139ed8380b
Instruction Fuzzy Hash: BC41A371E18692C2FB148B61E9167792771AF84F84F544435EA0E8FBA5CF3CED458B00

Function 00007FF665EDB9B4 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 84libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF665EDBA12
GetProcAddress.KERNEL32 ref: 00007FF665EDBA2D
GetCurrentProcessId.KERNEL32 ref: 00007FF665EDBACA

Part of subcall function 00007FF665EDDFD0: GetSystemDirectoryW.KERNEL32 ref: 00007FF665EDDDDF

Strings

CryptUnprotectMemory failed, xrefs: 00007FF665EDBAC1
CryptProtectMemory failed, xrefs: 00007FF665EDBA80
CryptProtectMemory, xrefs: 00007FF665EDBA08
Crypt32.dll, xrefs: 00007FF665EDB9F0
CryptUnprotectMemory, xrefs: 00007FF665EDBA1F

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: AddressProc$CurrentDirectoryProcessSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptProtectMemory failed$CryptUnprotectMemory$CryptUnprotectMemory failed
API String ID: 2915667086-2207617598
Opcode ID: d2e93635ec338890dfe438c4789fcaf7e26687fbfe6c7ce53d5981307f2d6baa
Instruction ID: e131c898358eed546d1ff15f917cfcb5220d7ebf63fdb93ffbfe87066b7dc7e0
Opcode Fuzzy Hash: d2e93635ec338890dfe438c4789fcaf7e26687fbfe6c7ce53d5981307f2d6baa
Instruction Fuzzy Hash: D0314164F0AB46C0FE148B55EA6217527B4AF84F90F485235D85DCF3A9EE3CED458B40

Function 00007FF665EE87D8 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 415COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EE8DB6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EE8DC2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EE8DCE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EE8DDA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EE8DE0

Strings

, xrefs: 00007FF665EE8A55
, xrefs: 00007FF665EE88BE

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: $
API String ID: 3668304517-227171996
Opcode ID: c3d23b65519d6b0e16bf2cf387636935753ce78294b0e94f23a44a4be1d6057b
Instruction ID: c7724e8ca12583f1b0be90621a7669bba2af522a6de3c5f02a754c31321ce79f
Opcode Fuzzy Hash: c3d23b65519d6b0e16bf2cf387636935753ce78294b0e94f23a44a4be1d6057b
Instruction Fuzzy Hash: 10F1E4A2F29B86C0EF049B64D6461BC2372AB94F98F405631EA6D9B7D5DF7CD880C340

Function 00007FF665EF57EC Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 317COMMONLIBRARYCODE

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF665EF598A
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF665EF5CAD
abort.LIBCMT ref: 00007FF665EF5CE1

Strings

csm, xrefs: 00007FF665EF58D1
csm, xrefs: 00007FF665EF59B1
csm, xrefs: 00007FF665EF5933

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 2940173790-393685449
Opcode ID: 65edb01f61f21fff02eaccc9a46b43a233fa456fccf40e480b66f774ee54b1a7
Instruction ID: 6e843b94d179f041e3847a3329bc059b8f24604bd92850c4f210e72d56ac9b91
Opcode Fuzzy Hash: 65edb01f61f21fff02eaccc9a46b43a233fa456fccf40e480b66f774ee54b1a7
Instruction Fuzzy Hash: 9BE1B473908782CAEB109F25E5423AD7BB0FB95B58F144136EA8D8B695CF38E885C700

Function 00007FF665ED4F38 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 158COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF665ED4E24: SysAllocString.OLEAUT32 ref: 00007FF665ED4E5F

VariantClear.OLEAUT32 ref: 00007FF665ED5125

Strings

Name, xrefs: 00007FF665ED50F9
WQL, xrefs: 00007FF665ED502A
SELECT * FROM Win32_OperatingSystem, xrefs: 00007FF665ED5017
ROOT\CIMV2, xrefs: 00007FF665ED4F7B
Windows 10, xrefs: 00007FF665ED510A

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: AllocClearStringVariant
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
API String ID: 1959693985-3505469590
Opcode ID: a8b35b7bcd37d82ee4aaa20c3b876beaab518b1de9e1ce59ea14af8b32f1fe8d
Instruction ID: b102bb136871780b9d8de73768f7857e57e401592c8de863fd3208d8e6d9d2cb
Opcode Fuzzy Hash: a8b35b7bcd37d82ee4aaa20c3b876beaab518b1de9e1ce59ea14af8b32f1fe8d
Instruction Fuzzy Hash: 30711576A14A05C5EF20CF25E9915A977B0FB88F98B045237EA4E8BB68CF38D944C740

Function 00007FF665EF72EC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,00000000,00007FF665EF74F3,?,?,?,00007FF665EF525E,?,?,?,00007FF665EF5219), ref: 00007FF665EF7371
GetLastError.KERNEL32(?,?,00000000,00007FF665EF74F3,?,?,?,00007FF665EF525E,?,?,?,00007FF665EF5219), ref: 00007FF665EF737F
LoadLibraryExW.KERNEL32(?,?,00000000,00007FF665EF74F3,?,?,?,00007FF665EF525E,?,?,?,00007FF665EF5219), ref: 00007FF665EF73A9
FreeLibrary.KERNEL32(?,?,00000000,00007FF665EF74F3,?,?,?,00007FF665EF525E,?,?,?,00007FF665EF5219), ref: 00007FF665EF73EF
GetProcAddress.KERNEL32(?,?,00000000,00007FF665EF74F3,?,?,?,00007FF665EF525E,?,?,?,00007FF665EF5219), ref: 00007FF665EF73FB

Strings

api-ms-, xrefs: 00007FF665EF7391

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: eedfc97f7024c66fbeb39a7219499b253e22696fd1fdab2c5f769bf1fd383016
Instruction ID: f8c9602bb5fe214e1d4efc179f3f1e0cbc492004bd14b02558c9a586aa1f3d5c
Opcode Fuzzy Hash: eedfc97f7024c66fbeb39a7219499b253e22696fd1fdab2c5f769bf1fd383016
Instruction Fuzzy Hash: 0C31AF21A1AA42D1EF52AB06F90257927B4FF88FA4F594935ED2D8F394DF3CE8408710

Function 00007FF665EF1604 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 43libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,00007FF665EF1573,?,?,?,00007FF665EF192A), ref: 00007FF665EF162B
GetProcAddress.KERNEL32(?,?,?,00007FF665EF1573,?,?,?,00007FF665EF192A), ref: 00007FF665EF1648
GetProcAddress.KERNEL32(?,?,?,00007FF665EF1573,?,?,?,00007FF665EF192A), ref: 00007FF665EF1664

Strings

KERNEL32.DLL, xrefs: 00007FF665EF1624
AcquireSRWLockExclusive, xrefs: 00007FF665EF163E
ReleaseSRWLockExclusive, xrefs: 00007FF665EF1653

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: 4fe35f58cd4175722fa2f4edd42b7d77b08fa8d78ae8e9bf73ccac7c2071e7f8
Instruction ID: b8bc176e4ae2618e40d4180e259d99ba14bff043dc1bceb784f1e8c5b2eb13b7
Opcode Fuzzy Hash: 4fe35f58cd4175722fa2f4edd42b7d77b08fa8d78ae8e9bf73ccac7c2071e7f8
Instruction Fuzzy Hash: 98111EA0B19B46C1FF598B81FA6327513B56F88F94F8E5435D81D8F354EE3CAC448A40

Function 00007FF665EDED24 Relevance: 9.1, APIs: 6, Instructions: 120timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF665ED51A4: GetVersionExW.KERNEL32 ref: 00007FF665ED51D5

FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF665EC5AB4), ref: 00007FF665EDED8C
FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF665EC5AB4), ref: 00007FF665EDED98
SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF665EC5AB4), ref: 00007FF665EDEDA8
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF665EC5AB4), ref: 00007FF665EDEDB6
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF665EC5AB4), ref: 00007FF665EDEDC4
FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF665EC5AB4), ref: 00007FF665EDEE05

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 197518eb8103cda2bd6b54f1f5e99fa721289ee203340eaf45d2c62117a67569
Instruction ID: 4f228730c0da78e936820b929740a86c44d554ff6ba292bff23828f65e7bd4fb
Opcode Fuzzy Hash: 197518eb8103cda2bd6b54f1f5e99fa721289ee203340eaf45d2c62117a67569
Instruction Fuzzy Hash: E7517DB2B10A52CAEB14CF74D8451AC77B1F748B88B64413AEE0D9BB58DF38D955CB40

Function 00007FF665EDF010 Relevance: 9.1, APIs: 6, Instructions: 80timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32 ref: 00007FF665EDF074

Part of subcall function 00007FF665ED51A4: GetVersionExW.KERNEL32 ref: 00007FF665ED51D5

LocalFileTimeToFileTime.KERNEL32 ref: 00007FF665EDF096
FileTimeToSystemTime.KERNEL32 ref: 00007FF665EDF0A2
TzSpecificLocalTimeToSystemTime.KERNEL32 ref: 00007FF665EDF0B2
SystemTimeToFileTime.KERNEL32 ref: 00007FF665EDF0C0
SystemTimeToFileTime.KERNEL32 ref: 00007FF665EDF0CE

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 93bf5fe4be91675a5f4cba4a2df0f2c5ed0bd126a165fd4d88c3e7d5e64543a6
Instruction ID: 087c092529d82cd6464c8134da009e05438b03d500a45d2b2ebfeb520824c1ea
Opcode Fuzzy Hash: 93bf5fe4be91675a5f4cba4a2df0f2c5ed0bd126a165fd4d88c3e7d5e64543a6
Instruction Fuzzy Hash: 62313862B10A51DEFB00CFB5E8911AC3770FB18B58B54502AEE0E97A58EF38D895C700

Function 00007FF665ED7918 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 233COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ED7C8C

Strings

.rar, xrefs: 00007FF665ED7969, 00007FF665ED7978
rar, xrefs: 00007FF665ED7A9B, 00007FF665ED7AAA, 00007FF665ED7B67, 00007FF665ED7B7C
exe, xrefs: 00007FF665ED79AF, 00007FF665ED79BE
sfx, xrefs: 00007FF665ED79F3, 00007FF665ED7A02

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: .rar$exe$rar$sfx
API String ID: 3668304517-630704357
Opcode ID: ded382a5f33e5d00d019a19aa0952dad5d31072c5da8fffb523e0446b7f74fbf
Instruction ID: 39cdcccfeb75095d529b8345cb0d5c3f08977a223c605485004030e0716c7328
Opcode Fuzzy Hash: ded382a5f33e5d00d019a19aa0952dad5d31072c5da8fffb523e0446b7f74fbf
Instruction Fuzzy Hash: D1A18F22A14A06C0EF049B25DA563BC2372AF95F98F545336ED1D8B6E6DF3CE945C340

Function 00007FF665EF5CE8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 191COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF665EF5D58

Part of subcall function 00007FF665EF5210: abort.LIBCMT ref: 00007FF665EF5223

_CallSETranslator.LIBVCRUNTIME ref: 00007FF665EF5DA3
abort.LIBCMT ref: 00007FF665EF5FD1

Strings

MOC, xrefs: 00007FF665EF5D6C
RCC, xrefs: 00007FF665EF5D74

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: abort$CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 2889003569-2084237596
Opcode ID: 0f4c2d06ef2d655583c55900dbb020dcf620b12558a4295111afe460be181df6
Instruction ID: 8e4878c765a5b450666a466666b16f939d89bfd92658e677944f5eca2fd8c90b
Opcode Fuzzy Hash: 0f4c2d06ef2d655583c55900dbb020dcf620b12558a4295111afe460be181df6
Instruction Fuzzy Hash: 3B91B073A08B91DAEB10CB64E5412AD7BB0F794B88F10812AEE8D9BB55DF38D595C700

Function 00007FF665EF4F80 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF665EF4FAB
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF665EF5040
RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,00007FF665EF2F5E), ref: 00007FF665EF508F

Strings

csm, xrefs: 00007FF665EF5026
f, xrefs: 00007FF665EF4FBE

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: a7c39da158025e753bf36dfb1e051fd0b17def11f5f8def40396cbfe1c046983
Instruction ID: 9511626103bedf0c6d2ca824aeb4b048ec70a1e78921b8c7f45ec5f4f69286dc
Opcode Fuzzy Hash: a7c39da158025e753bf36dfb1e051fd0b17def11f5f8def40396cbfe1c046983
Instruction Fuzzy Hash: 5F518F32A19A02C6EF14CF15F945A2937A5FB90F88F51C032EA5E8B748EF78EC418740

Function 00007FF665ECCEE0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 139COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF665ECD03D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ECD0D1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ECD0D7

Part of subcall function 00007FF665ECDE04: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF665ECCF4B), ref: 00007FF665ECDE27
Part of subcall function 00007FF665ECDE04: GetLastError.KERNEL32 ref: 00007FF665ECDE88
Part of subcall function 00007FF665ECDE04: CloseHandle.KERNEL32 ref: 00007FF665ECDE9B

Strings

SeSecurityPrivilege, xrefs: 00007FF665ECCF3F
SeRestorePrivilege, xrefs: 00007FF665ECCF5E

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: ErrorLast_invalid_parameter_noinfo_noreturn$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 2102711378-639343689
Opcode ID: cc2cdb65981a4fcc868e5d913d4f06653a23f25da57a99a038b17aaaeb8469e6
Instruction ID: af7f3c719eaebaec5466dd49a3392218b024dd191feeb094472908cc3dcc42d2
Opcode Fuzzy Hash: cc2cdb65981a4fcc868e5d913d4f06653a23f25da57a99a038b17aaaeb8469e6
Instruction Fuzzy Hash: CC51AF62E08682C5FF10DB64DA532BD2771AF85BA4F440135EE6D9B696DF3CEC86C600

Function 00007FF665EE7B28 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

ShowWindow.USER32 ref: 00007FF665EE7B6F
GetWindowRect.USER32 ref: 00007FF665EE7BC0
ShowWindow.USER32 ref: 00007FF665EE7C96
ShowWindow.USER32 ref: 00007FF665EE7CC3

Strings

RarHtmlClassName, xrefs: 00007FF665EE7C4B

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: Window$Show$Rect
String ID: RarHtmlClassName
API String ID: 2396740005-1658105358
Opcode ID: 95333b9ad2bfddc98b100d65ee3ae7a1141886215ecc40d0d40dcbf9cb340d19
Instruction ID: 08381d186fdc27692c367f261330480b0a9469d51bce5321ff2e61bd03bc6d66
Opcode Fuzzy Hash: 95333b9ad2bfddc98b100d65ee3ae7a1141886215ecc40d0d40dcbf9cb340d19
Instruction Fuzzy Hash: 77518462A197C2C6EB249B21E54637A6771FB85F80F144435EE8E8BB55DF3CE8458B00

Function 00007FF665EEFD0C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

SetEnvironmentVariableW.KERNEL32 ref: 00007FF665EEFD43
SetEnvironmentVariableW.KERNEL32 ref: 00007FF665EEFDBC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665EEFE1B

Strings

sfxcmd, xrefs: 00007FF665EEFD3C
sfxpar, xrefs: 00007FF665EEFDB5

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: EnvironmentVariable$_invalid_parameter_noinfo_noreturn
String ID: sfxcmd$sfxpar
API String ID: 3540648995-3493335439
Opcode ID: 42a5c16ff962b42e9c466757ddc2add4312beed441a9accfeec164922430c806
Instruction ID: 2a0b71c7cda810e6ed5d022b0907faeeb45c1e28142cd67f8d994e9731c52ab1
Opcode Fuzzy Hash: 42a5c16ff962b42e9c466757ddc2add4312beed441a9accfeec164922430c806
Instruction Fuzzy Hash: FC316F72A24A46C4EF00DB69E9862AC3371FB88F98F541136EE5D9B7A9DE3CD441C344

Function 00007FF665EEFED4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 52COMMON

Download Yara Rule

Strings

RENAMEDLG, xrefs: 00007FF665EEFF60
REPLACEFILEDLG, xrefs: 00007FF665EEFF34, 00007FF665EEFF99

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 98f895654b64cd1d2f90e97d30244ed9b67d31cc2014a88c355cd353264df31a
Instruction ID: 0a8df626dd33e1d3177b2c14e3d76b98fdd47cd52e40805751d4882ff3a80d4f
Opcode Fuzzy Hash: 98f895654b64cd1d2f90e97d30244ed9b67d31cc2014a88c355cd353264df31a
Instruction Fuzzy Hash: B121E561A1DAD7C1FE108BA5F94617467B1AB4AF88F640036E99DCB364DE3CED84CB40

Function 00007FF665EFBFB0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF665EFBFD0
GetProcAddress.KERNEL32 ref: 00007FF665EFBFE6
FreeLibrary.KERNEL32 ref: 00007FF665EFC00B

Strings

mscoree.dll, xrefs: 00007FF665EFBFC7
CorExitProcess, xrefs: 00007FF665EFBFDF

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 42a4ca90c7c49dddb16080121233970ff8583544d2054868cb5f0899d871e2db
Instruction ID: dfe1b5c426ea613a48da97c0d5b405572a84f289b2d6a279ba87b617a44109c6
Opcode Fuzzy Hash: 42a4ca90c7c49dddb16080121233970ff8583544d2054868cb5f0899d871e2db
Instruction Fuzzy Hash: 43F04F21B19A42C1EF548B11F8612796370EFC8F90F581036E94F8B665DE3CE8858B40

Function 00007FF665F045C0 Relevance: 7.7, APIs: 5, Instructions: 203COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF665F04605

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: cf462e6f26ae3af6f96c078c51b53c82231ed120809331cf2f591469c69a5a17
Instruction ID: c8416e4fffaeb6d25bd1669a19d79c5f07ecee51576e8c638cb2d4359e1e282b
Opcode Fuzzy Hash: cf462e6f26ae3af6f96c078c51b53c82231ed120809331cf2f591469c69a5a17
Instruction Fuzzy Hash: D9810162F18642C5FB109B61D8666BD27B0BBA4F88F084536DD8E9B695DF3CEC41CB40

Function 00007FF665ED3AF8 Relevance: 7.7, APIs: 5, Instructions: 164filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF665ED3BBB
CreateFileW.KERNEL32 ref: 00007FF665ED3C24
SetFileTime.KERNEL32 ref: 00007FF665ED3CEC
CloseHandle.KERNEL32 ref: 00007FF665ED3CF6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ED3D2C

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: File$Create$CloseHandleTime_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2398171386-0
Opcode ID: 94d33130e0d3e07453908689b86af48371af1e3e167329ed22bda644dbf2c176
Instruction ID: 385d5c5a01bc6ede599f18072f8318a27602327eff9dde0fd0752a516eac5a00
Opcode Fuzzy Hash: 94d33130e0d3e07453908689b86af48371af1e3e167329ed22bda644dbf2c176
Instruction Fuzzy Hash: 9051A262B04A42D9FF50DB75E9423BD6372AB88FA8F144735EE1D8B7D8DE3898458300

Function 00007FF665F03F34 Relevance: 7.6, APIs: 5, Instructions: 142fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00007FF665F04767), ref: 00007FF665F03F91
WideCharToMultiByte.KERNEL32 ref: 00007FF665F0406D
WriteFile.KERNEL32 ref: 00007FF665F04093
WriteFile.KERNEL32 ref: 00007FF665F040D2
GetLastError.KERNEL32 ref: 00007FF665F0410A

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
String ID:
API String ID: 3659116390-0
Opcode ID: 8f90b3f8899b92826fb288bc35eb601c263b89b4fb676f823db5d062d6f6b41f
Instruction ID: 174f6532d750f3b91d111b3000c1720b21487b437ce59fa14a1753715cdf819b
Opcode Fuzzy Hash: 8f90b3f8899b92826fb288bc35eb601c263b89b4fb676f823db5d062d6f6b41f
Instruction Fuzzy Hash: BF511132A14A51C9E710CF65E8563AD3BB1FB54B88F088136DE4E9BB98CF38D845CB40

Function 00007FF665EF1E00 Relevance: 7.6, APIs: 5, Instructions: 137memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF665ED4DF4), ref: 00007FF665EF1E87
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF665ED4DF4), ref: 00007FF665EF1F09
SysAllocString.OLEAUT32 ref: 00007FF665EF1F16

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString
String ID:
API String ID: 262959230-0
Opcode ID: 8c2dc27bb1e4af113538b7172bb6dd323e96cb8c94470b0dbd49c9d6f404eed7
Instruction ID: 58a90d664d83300e07edeabc64a57b7e07cdc20115d5dcf7f539c027eabcfad6
Opcode Fuzzy Hash: 8c2dc27bb1e4af113538b7172bb6dd323e96cb8c94470b0dbd49c9d6f404eed7
Instruction Fuzzy Hash: A041D661A0964AC5EF188FA1E51227923B0EF84FA4F144635FA6DCB7D5DF3CD8418300

Function 00007FF665EFF414 Relevance: 7.6, APIs: 5, Instructions: 114libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF665EFF536

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: d8da239e760e4119be076ce5ae60c5d71a4e7276355522d8061e2664917ecd9d
Instruction ID: 1935793df1860438b1d0c7a188cbe76ed2d63c5282e1b34796cece51592ed8bc
Opcode Fuzzy Hash: d8da239e760e4119be076ce5ae60c5d71a4e7276355522d8061e2664917ecd9d
Instruction Fuzzy Hash: BF419D62B09A42C1EF258B12EA5256563A5BB84F90F094536EE6D8F794EE3CEC40C740

Function 00007FF665F056D8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF665F056FF
_set_statfp.LIBCMT ref: 00007FF665F0571A
_set_statfp.LIBCMT ref: 00007FF665F05736
_set_statfp.LIBCMT ref: 00007FF665F05772

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: f3bd3298a46f29c998dca386ec4adc9bd6d7efdfabb851da102e47160911a3a1
Instruction ID: 09e7095bbeb242c7c5e7b2849c49c959d13879f77123299ab83e02af6bc84aa1
Opcode Fuzzy Hash: f3bd3298a46f29c998dca386ec4adc9bd6d7efdfabb851da102e47160911a3a1
Instruction Fuzzy Hash: C011D076E0860FC1FA240124E4A737907616F44BA0E9C4A32EA7D8F1D68EFCAC416980

Function 00007FF665EEFE24 Relevance: 7.5, APIs: 5, Instructions: 29windowsynchronizationCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32 ref: 00007FF665EEFE41
GetMessageW.USER32 ref: 00007FF665EEFE58
TranslateMessage.USER32 ref: 00007FF665EEFE63
DispatchMessageW.USER32 ref: 00007FF665EEFE6E
WaitForSingleObject.KERNEL32 ref: 00007FF665EEFE7C

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: Message$DispatchObjectPeekSingleTranslateWait
String ID:
API String ID: 3621893840-0
Opcode ID: eb57a341668d454e4e6cd52f39bb1811463ddcab187ea95c48cb89abc8d18535
Instruction ID: 1d953c702cb8a7a03ee3c620b5d16e9dfb00ebe90e3f9fd4d26ee06b2b8d5e49
Opcode Fuzzy Hash: eb57a341668d454e4e6cd52f39bb1811463ddcab187ea95c48cb89abc8d18535
Instruction Fuzzy Hash: EFF0EC61B38586C2FB509771E456A762361FFA4F05F941030EA4A8A9A4DE3CE949CB00

Function 00007FF665EF625C Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF665EF6286
abort.LIBCMT ref: 00007FF665EF64EA

Strings

csm, xrefs: 00007FF665EF641A
csm, xrefs: 00007FF665EF62AB

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: __except_validate_context_recordabort
String ID: csm$csm
API String ID: 746414643-3733052814
Opcode ID: 91fc108a1c492767e4bb41002f60c2920875b1ec76e01922ab372504797a4c8e
Instruction ID: b614c4e85fe9551e147870e0ca2b3e375864f1fc35e949e33116b7fc7275072a
Opcode Fuzzy Hash: 91fc108a1c492767e4bb41002f60c2920875b1ec76e01922ab372504797a4c8e
Instruction Fuzzy Hash: 40719F72A08681C6DB609F25E25177D7BB0FB85F88F148136EA4D8BA89CF3CD991C740

Function 00007FF665EF80F4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF665EF811B
_invalid_parameter_noinfo.LIBCMT ref: 00007FF665EF82ED

Strings

*, xrefs: 00007FF665EF8221
, xrefs: 00007FF665EF8276

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: $*
API String ID: 3215553584-3982473090
Opcode ID: 42643a1ee39b50d27a50b926b179a62c0cdc4d381fe14b17104e750277292b9f
Instruction ID: 169927faf25ae586a025d309c838dd252ca4cdef3c1d3ec855d38f678f981054
Opcode Fuzzy Hash: 42643a1ee39b50d27a50b926b179a62c0cdc4d381fe14b17104e750277292b9f
Instruction Fuzzy Hash: 9751477290C642CAFF648E2AE65637C3BB1FB85F18F142235E64989199CF38FC81C605

Function 00007FF665F01758 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 126COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF665F017CB
MultiByteToWideChar.KERNEL32 ref: 00007FF665F01894
GetStringTypeW.KERNEL32 ref: 00007FF665F018AE

Strings

$%s, xrefs: 00007FF665F0175A

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: ByteCharMultiWide$StringType
String ID: $%s
API String ID: 3586891840-3791308623
Opcode ID: 8174e861c2faa6f2f7f5292a0ee7474812abc1109b8acb2517e9a7bc716d8d39
Instruction ID: ea8cda8bbfe87f3710397f0b810d2c913eab92f7d19553c2a5554048ab49effc
Opcode Fuzzy Hash: 8174e861c2faa6f2f7f5292a0ee7474812abc1109b8acb2517e9a7bc716d8d39
Instruction Fuzzy Hash: 15419422B14B85CAEB618F25D8116A933E1FB44FA8F484636EE1D8B7C4DF3CE9458740

Function 00007FF665EF66A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF665EF5210: abort.LIBCMT ref: 00007FF665EF5223

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF665EF674A
_CreateFrameInfo.LIBVCRUNTIME ref: 00007FF665EF6776

Strings

csm, xrefs: 00007FF665EF6876

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: CreateFrameInfo__except_validate_context_recordabort
String ID: csm
API String ID: 2466640111-1018135373
Opcode ID: ef48871438151390fa300b301edbe87f2aaf35895cd4fd9de5e2d21b12dcaab2
Instruction ID: 5484e8d9eca67363cae49a4e95a0a0dc68a1ac19ae0175e5e35169544d3c81df
Opcode Fuzzy Hash: ef48871438151390fa300b301edbe87f2aaf35895cd4fd9de5e2d21b12dcaab2
Instruction Fuzzy Hash: 91513B72618781C7EB20AB15F24226E77B4FBC9B90F145235EA8D8BB55CF38E850CB00

Function 00007FF665F04360 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF665F04446
WriteFile.KERNEL32 ref: 00007FF665F04479
GetLastError.KERNEL32 ref: 00007FF665F0449B

Strings

U, xrefs: 00007FF665F04424

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: ByteCharErrorFileLastMultiWideWrite
String ID: U
API String ID: 2456169464-4171548499
Opcode ID: a3c4996b5397ae7c68c43f4944c85cd830f0b958292ccb38960a62bfe152ddee
Instruction ID: fbfc35e4d676d726cfe7d359e7c5d87918b7821e8cd62d714f05121b0b888557
Opcode Fuzzy Hash: a3c4996b5397ae7c68c43f4944c85cd830f0b958292ccb38960a62bfe152ddee
Instruction Fuzzy Hash: 4B419322619A81C2DB608F65E8553BA6770FB98B94F444132EE8DCB798EF7CD841CB40

Function 00007FF665EE90B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF665EE90D9
GetObjectW.GDI32 ref: 00007FF665EE9107
ReleaseDC.USER32 ref: 00007FF665EE91BB

Strings

, xrefs: 00007FF665EE9153

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: ObjectRelease
String ID:
API String ID: 1429681911-3916222277
Opcode ID: 0b5772d91688d342ea342be5c9c3c9ea07a5ad9e93d570546deb1a9808731c40
Instruction ID: 4ffccab29cf9022f04050f2e362cf46bf8b56096d0c4facf596c4c3197e22ae2
Opcode Fuzzy Hash: 0b5772d91688d342ea342be5c9c3c9ea07a5ad9e93d570546deb1a9808731c40
Instruction Fuzzy Hash: 4F312B7560978287EA04DF62F819A2AB770FB89FD1F605435EE4A87B54CE3CD8498B00

Function 00007FF665EDE870 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,?,?,00007FF665EE317F,?,?,00001000,00007FF665ECE51D), ref: 00007FF665EDE8BB
CreateSemaphoreW.KERNEL32(?,?,?,00007FF665EE317F,?,?,00001000,00007FF665ECE51D), ref: 00007FF665EDE8CB
CreateEventW.KERNEL32(?,?,?,00007FF665EE317F,?,?,00001000,00007FF665ECE51D), ref: 00007FF665EDE8E4

Strings

Thread pool initialization failed., xrefs: 00007FF665EDE900

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 6610cce2f1ff4f40d78c24fcbab0d777ace7136147ab701da82aad1b7a389e44
Instruction ID: 9627bd646dde391f09ddb179dcc21f7126fa62c42d1aac7da2536c97143301b5
Opcode Fuzzy Hash: 6610cce2f1ff4f40d78c24fcbab0d777ace7136147ab701da82aad1b7a389e44
Instruction Fuzzy Hash: 8D21A172E15A42C6FB108F24D55A3AD37B2EBC8F08F188135DA098F295CF7E9C458B80

Function 00007FF665EE85E0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF665EE85EC
GetDeviceCaps.GDI32 ref: 00007FF665EE85FD
ReleaseDC.USER32 ref: 00007FF665EE860A

Strings

, xrefs: 00007FF665EE8610

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: CapsDeviceRelease
String ID:
API String ID: 127614599-3916222277
Opcode ID: a42f7bf34e2550c06df92b4c4441a28b155cc5d7cfc3f2a0da00e80f490195b4
Instruction ID: d3a0ea30f50f4a0b99f7482b7cf3f829565764603133920d580f80d96d902041
Opcode Fuzzy Hash: a42f7bf34e2550c06df92b4c4441a28b155cc5d7cfc3f2a0da00e80f490195b4
Instruction Fuzzy Hash: D5E08C60B08682C2EB0857B6F58A03A2361AB4CFD0F298035DA1B8B794CE3CC8854B00

Function 00007FF665ECD1A8 Relevance: 6.2, APIs: 4, Instructions: 238timeCOMMON

Download Yara Rule

APIs

SetFileTime.KERNEL32 ref: 00007FF665ECD46C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ECD554
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ECD55A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ECD560

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$FileTime
String ID:
API String ID: 1137671866-0
Opcode ID: 3e0de6b87fc756f79ac571a371d77b74ab10159eff9a06e36aa9ff194842a8ae
Instruction ID: 1a94ff28a953794b9cf0e9f1b349bcab4d97c6f9082b7e11de2a16d33986ca2e
Opcode Fuzzy Hash: 3e0de6b87fc756f79ac571a371d77b74ab10159eff9a06e36aa9ff194842a8ae
Instruction Fuzzy Hash: 36A1B562A18A82C1EF10DB65EA421AD6771FFC5B84F405131FAAD8BAD9DF3DE944C700

Function 00007FF665EE0548 Relevance: 6.1, APIs: 4, Instructions: 122COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF665EE05FC
SetLastError.KERNEL32 ref: 00007FF665EE0697

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 4871fa0c943a6bda4a75b5c3ad29a9496d44a7a9e564bd7977e1d2a914031524
Instruction ID: 104f869a197e8061c32a6e8250df86bd599597523fdeb2d5a0e566f9b0371fa7
Opcode Fuzzy Hash: 4871fa0c943a6bda4a75b5c3ad29a9496d44a7a9e564bd7977e1d2a914031524
Instruction Fuzzy Hash: CA517172F14A86D5FF009B65D5562AC2331EB85F98F404232EA5C9BB95DF3CDA45C340

Function 00007FF665EE9D90 Relevance: 6.1, APIs: 4, Instructions: 106COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF665EE9DBC
GetLastError.KERNEL32 ref: 00007FF665EE9E08
CreateDirectoryW.KERNEL32 ref: 00007FF665EE9F10
LocalFree.KERNEL32 ref: 00007FF665EE9F20

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: CreateCurrentDirectoryErrorFreeLastLocalProcess
String ID:
API String ID: 1077098981-0
Opcode ID: 5a43cb7f5a8bc2b697eb0b834037522765625dc86c8d5e2913923eaf6a834e49
Instruction ID: 93b9ac7c4455acb3f064ec2303be387b161224df583e31fc45deb3df4d3859e8
Opcode Fuzzy Hash: 5a43cb7f5a8bc2b697eb0b834037522765625dc86c8d5e2913923eaf6a834e49
Instruction Fuzzy Hash: 44513D32628B82C6EB508F61E5457AE77B4FB84B84F501036EA4D9BB58DF3CD845CB40

Function 00007FF665EFDB5C Relevance: 6.1, APIs: 4, Instructions: 104COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF665EFDBAF
WideCharToMultiByte.KERNEL32 ref: 00007FF665EFDC81
GetLastError.KERNEL32 ref: 00007FF665EFDCA4
_invalid_parameter_noinfo.LIBCMT ref: 00007FF665EFDCD6

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
String ID:
API String ID: 4141327611-0
Opcode ID: fdb879c7c344a6dcddabd48f24568e2f5e84c2dc3f6ceef9c32cec135b3ccbbf
Instruction ID: 3980f2aa8adee7729fd372fb9fe290623af2a35390917e2c105a020eafd934b5
Opcode Fuzzy Hash: fdb879c7c344a6dcddabd48f24568e2f5e84c2dc3f6ceef9c32cec135b3ccbbf
Instruction Fuzzy Hash: D6417F26A08682C6FF659F10F346379AAB1AFC0F94F158131EA4DCFA99DE7CDC418601

Function 00007FF665ED3980 Relevance: 6.1, APIs: 4, Instructions: 101fileCOMMON

Download Yara Rule

APIs

MoveFileW.KERNEL32 ref: 00007FF665ED39BD
MoveFileW.KERNEL32 ref: 00007FF665ED3A34
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ED3AEB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ED3AF1

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: FileMove_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3823481717-0
Opcode ID: 2b6e6cda77fd8470acf22c2ab4e7c3ce966b7b843ddf4af9049b565a023b9c35
Instruction ID: be4a6625a8dbafa77f3f2f145bfbe5cf98f2b5ad19d7d7aa1409d4ea100143a8
Opcode Fuzzy Hash: 2b6e6cda77fd8470acf22c2ab4e7c3ce966b7b843ddf4af9049b565a023b9c35
Instruction Fuzzy Hash: 74418E62F14B51C4FF00CB75E9861AC2372BB88FA8B505235EE5DABA99DF7CD845C240

Function 00007FF665F00B78 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF665EFC45B), ref: 00007FF665F00B91
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF665EFC45B), ref: 00007FF665F00BF3
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF665EFC45B), ref: 00007FF665F00C2D
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF665EFC45B), ref: 00007FF665F00C57

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$Free
String ID:
API String ID: 1557788787-0
Opcode ID: 23704c5f87cc5d65a6a85ab0da0438508b9fc27f2b888927c3d6011bf25654c1
Instruction ID: 41572598d18e7526f28cadd287447d66121f780c489ad5216eff472f862baa77
Opcode Fuzzy Hash: 23704c5f87cc5d65a6a85ab0da0438508b9fc27f2b888927c3d6011bf25654c1
Instruction Fuzzy Hash: 73218221E18B51C1E7249F11A451029A7B8FB94FE0B4C8136DE8EABB94DF7CE8528B40

Function 00007FF665EFD440 Relevance: 6.0, APIs: 4, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF665EF7F28,?,?,?,00007FF665EF9D35), ref: 00007FF665EFD44A
SetLastError.KERNEL32(?,?,?,00007FF665EF7F28,?,?,?,00007FF665EF9D35), ref: 00007FF665EFD4B2
SetLastError.KERNEL32(?,?,?,00007FF665EF7F28,?,?,?,00007FF665EF9D35), ref: 00007FF665EFD4C8
abort.LIBCMT ref: 00007FF665EFD4CE

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: ErrorLast$abort
String ID:
API String ID: 1447195878-0
Opcode ID: df247b5a3948333368795c339682862bf84e23f7c025c70b8dad3e7beb060077
Instruction ID: 40fd8d48d8ada71cd39ac43cf4fb7f0f59f1cbe999886a32ed609adf3467946e
Opcode Fuzzy Hash: df247b5a3948333368795c339682862bf84e23f7c025c70b8dad3e7beb060077
Instruction Fuzzy Hash: F0012528A09606C2FF59A761F75B1791AB15FC4F90F084838E92ECFBD6ED2CBC408610

Function 00007FF665EE8590 Relevance: 6.0, APIs: 4, Instructions: 21COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF665EE8598
GetDeviceCaps.GDI32 ref: 00007FF665EE85AE
GetDeviceCaps.GDI32 ref: 00007FF665EE85C2
ReleaseDC.USER32 ref: 00007FF665EE85D3

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: de15d0a72ac65e47349a1b4cc9ca260558533dfe27db70e7b1e031f833f09c6c
Instruction ID: 216fc93c22d0f11f3861dfe3b2234e93c903a8f9da1d4f5c2886da0e3e9938f2
Opcode Fuzzy Hash: de15d0a72ac65e47349a1b4cc9ca260558533dfe27db70e7b1e031f833f09c6c
Instruction Fuzzy Hash: 11E0E5A0E09642C2FF095BB1E85A13623709F48F41F184439D91FCF390DD3C98458E14

Function 00007FF665ECE34C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 176COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ECE549

Strings

DXGIDebug.dll, xrefs: 00007FF665ECE35A

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: DXGIDebug.dll
API String ID: 3668304517-540382549
Opcode ID: fb1ea5274bf47759c68f5a3c4d742861032828cbeb5af038f443ece21ae78c4e
Instruction ID: 0db55c78cf137cd05ad1cad023ee11da252e96a501e7dfacb5147057e758615d
Opcode Fuzzy Hash: fb1ea5274bf47759c68f5a3c4d742861032828cbeb5af038f443ece21ae78c4e
Instruction Fuzzy Hash: FA71AC72A14B81C6EB14CB65E9423ADB3B8FB94B94F444235EBAC4BB95DF78D461C300

Function 00007FF665EFE1F4 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF665EFE237

Strings

e+000, xrefs: 00007FF665EFE2DF
gfff, xrefs: 00007FF665EFE362

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: e+000$gfff
API String ID: 3215553584-3030954782
Opcode ID: ffbcb58cc87a1110f60409a8afde5d08377aab6ce8cf060c3284a5669936e3c2
Instruction ID: 44d16bbca26ed8b484366773160d82708dc85b99fc5e73e110c10b7a1dff29a8
Opcode Fuzzy Hash: ffbcb58cc87a1110f60409a8afde5d08377aab6ce8cf060c3284a5669936e3c2
Instruction Fuzzy Hash: 8A51ED52B197C286EB658F35E64236D6BA1A7C1F90F089231D69CCBBD5DF2CE844C701

Function 00007FF665ED9408 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF665ED95A8: swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF665ED95E6

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ED959C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF665ED95A2

Strings

SIZE, xrefs: 00007FF665ED9443

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$swprintf
String ID: SIZE
API String ID: 449872665-3243624926
Opcode ID: 049592b23eccf18b91a3e94430bb7a89aa9f7458b84fc95e0ae4febadba54acb
Instruction ID: d1949f20db4535f9cc898acbec96ebcd34d703f3912f7902095d0acba8004c68
Opcode Fuzzy Hash: 049592b23eccf18b91a3e94430bb7a89aa9f7458b84fc95e0ae4febadba54acb
Instruction Fuzzy Hash: 22418162A28682C5EE10DB64E9523BD6370EFD5B94F504331FA9D8A6D6EE3DD940C700

Function 00007FF665EFC2C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF665EFC2EA
GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FF665EF2CD5), ref: 00007FF665EFC30B

Strings

C:\Users\user\Desktop\0438.pdf.exe, xrefs: 00007FF665EFC2F9

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: FileModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\0438.pdf.exe
API String ID: 3307058713-792344357
Opcode ID: 2b307fc7043d57580c2760bc14d10e66149d3294dbd6a1f00798eb6953a6f573
Instruction ID: 464aef41a56829b5a4b2438a5355f16a46dad0efb10221603cb2aee1f954b35c
Opcode Fuzzy Hash: 2b307fc7043d57580c2760bc14d10e66149d3294dbd6a1f00798eb6953a6f573
Instruction Fuzzy Hash: 5A417976A0CA56C6EB149F61F6420BC6BB4EF84FC4B544032FA4E8BB45DE3CE8818740

Function 00007FF665EE9B40 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 104COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF665EC255C: GetDlgItem.USER32 ref: 00007FF665EC25AC
Part of subcall function 00007FF665EC255C: SetWindowTextW.USER32 ref: 00007FF665EC25C8

EndDialog.USER32 ref: 00007FF665EE9C24
SetDlgItemTextW.USER32 ref: 00007FF665EE9CAA

Strings

ASKNEXTVOL, xrefs: 00007FF665EE9B72

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: 97ebd98f0834f70bd8f3ada112357d921bc9d5e9383391aa045354938bfaeae3
Instruction ID: 9506e715a707be8950db1862b6828dd8e09d669cfe211afdb69aa8d47c12a8eb
Opcode Fuzzy Hash: 97ebd98f0834f70bd8f3ada112357d921bc9d5e9383391aa045354938bfaeae3
Instruction Fuzzy Hash: C3417E62A186C2C1EE14AB62EA522B927B1AF85FC0F540035EE4DDF799DE3CEC418740

Function 00007FF665ED9638 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

_snwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF665ED96EA

Part of subcall function 00007FF665EE0F68: WideCharToMultiByte.KERNEL32 ref: 00007FF665EE0F99

Strings

@%s, xrefs: 00007FF665ED96CE
$%s, xrefs: 00007FF665ED96D7

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: ByteCharMultiWide_snwprintf
String ID: $%s$@%s
API String ID: 2650857296-834177443
Opcode ID: 68d6d98aec82f67e7f26d78b4367655257a27e60e60eb814561ac576190adeba
Instruction ID: 759a8048c8ce8b7713f24ba6a1d026df0eca1dcec171e1f1cb2519952381611c
Opcode Fuzzy Hash: 68d6d98aec82f67e7f26d78b4367655257a27e60e60eb814561ac576190adeba
Instruction Fuzzy Hash: 2531A472B18A46C5EE508F66EA526E923B0FB94F84F401132EE0D9F795EE3DE905C740

Function 00007FF665EFEB04 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF665EFEB76
GetFileType.KERNEL32 ref: 00007FF665EFEB8C

Strings

@, xrefs: 00007FF665EFEBB7

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: FileHandleType
String ID: @
API String ID: 3000768030-2766056989
Opcode ID: 01c4e23626c5bd34e0d32a71787dfe5976e9b76bf070a7e2fa99837352baeece
Instruction ID: 3820b4b6fbc3a5b9d7971d9594c6a1cee8fdb6fdcaf00304e6a5cc26ee9cbc1b
Opcode Fuzzy Hash: 01c4e23626c5bd34e0d32a71787dfe5976e9b76bf070a7e2fa99837352baeece
Instruction Fuzzy Hash: B1217522A08E83C1EFB04B24E5911792662EB85F74F280335E66F4B7D4DE38EC85C341

Function 00007FF665EF4078 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF665EF1D3E), ref: 00007FF665EF40BC
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF665EF1D3E), ref: 00007FF665EF4102

Strings

csm, xrefs: 00007FF665EF40EF

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 995ce70781ed1107fbe35a2df86b6ab92d82f2488d4e31342cdb9a65d606da21
Instruction ID: 63f1790c44d8ed243a25f402b7e55b949b2da431b5a9f20bbe72bf336c267bf8
Opcode Fuzzy Hash: 995ce70781ed1107fbe35a2df86b6ab92d82f2488d4e31342cdb9a65d606da21
Instruction Fuzzy Hash: C9111922608B4182EB208F15F65026977B1FB88F94F184232EA8D4B758DF3CD955CB40

Function 00007FF665EDEA5C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF665EDE95F,?,?,?,00007FF665ED463A,?,?,?), ref: 00007FF665EDEA63
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF665EDE95F,?,?,?,00007FF665ED463A,?,?,?), ref: 00007FF665EDEA6E

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00007FF665EDEA78

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: ErrorLastObjectSingleWait
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1211598281-2248577382
Opcode ID: 98ce5a6e9b01a49333d4d7b683bb298ff4a8e953ba0927a3bf2f7aa8eb90df55
Instruction ID: 44b8e6c165a42c7291ad8238b7e541d1bee65a7598331999bc27654a0038f25a
Opcode Fuzzy Hash: 98ce5a6e9b01a49333d4d7b683bb298ff4a8e953ba0927a3bf2f7aa8eb90df55
Instruction Fuzzy Hash: 9EE0E5A1E19842C1EA00A720DC9746827357FA4B60F944332E43ECB1E19F7CAD458A40

Function 00007FF665EDA43C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF665EDA447
FindResourceW.KERNEL32 ref: 00007FF665EDA45D

Strings

RTL, xrefs: 00007FF665EDA453

Memory Dump Source

Source File: 00000000.00000002.1752154916.00007FF665EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665EC0000, based on PE: true

Associated: 00000000.00000002.1752128106.00007FF665EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752204519.00007FF665F08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F1B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752231839.00007FF665F24000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1752337122.00007FF665F2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665ec0000_0438.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: e39cf6139d6c3c808756c827088780cb49cd2dd94430b396554b51375d39015a
Instruction ID: fc6ad1ed701612cd936282381fbaa5e9d65e5ecfc9a9627d59e3e6ed2f237254
Opcode Fuzzy Hash: e39cf6139d6c3c808756c827088780cb49cd2dd94430b396554b51375d39015a
Instruction Fuzzy Hash: E8D017A1F09602C2FF195B71E45A37517705F18F41F4C403AC80A8B390EE7C9998CB90

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
Tactics:	Lateral Movement
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 0438.pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\5141a4.rbs

C:\Program Files (x86)\LiteManager Pro - Server\AledensoftIpcServer.dll

C:\Program Files (x86)\LiteManager Pro - Server\EULA.rtf

C:\Program Files (x86)\LiteManager Pro - Server\English.lg

C:\Program Files (x86)\LiteManager Pro - Server\HookDrv.dll

C:\Program Files (x86)\LiteManager Pro - Server\Lang\Taiwan.lg

C:\Program Files (x86)\LiteManager Pro - Server\Lang\Turkish.lg

C:\Program Files (x86)\LiteManager Pro - Server\Lang\Ukrainian.lg

C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe

C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

C:\Program Files (x86)\LiteManager Pro - Server\ROMwln.dll

C:\Program Files (x86)\LiteManager Pro - Server\Russian.lg

C:\Program Files (x86)\LiteManager Pro - Server\files\ROMServer.exe

C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe

C:\ProgramData\Microsoft\Network\Downloader\edb.chk

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Windows Analysis Report
0438.pdf.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre